Monitor IKE state on your VPN Gateways

Posted on November 13, 2018

Still, in 2018, we cannot find any freely available, useful IKE state monitoring for our VPN tunnels… that's bad.

That's why I grabbed my laptop for a couple of sleepless nights and built an IKE state monitoring tool from the TIG stack, the free MaxMind GeoLite database and Python. These are the building blocks of the service (apart from the Cisco ASA, everything is open source):

In this post I am working with Cisco ASA firewalls as VPN gateways for site-to-site VPNs with IKEv1 and IKEv2.
I will not describe how to install the TIG stack (Telegraf, InfluxDB, Grafana); the internet is full of information about that.

SNMP is a poor fit for VPN monitoring: it can give you the state of the VPNs that are up, but it tells you nothing about all the configured ones.

With SNMP you only see peer IPs, but we humans can't work with peer IPs; we need names, like company names. nslookup would be an option, but who gives a DNS name to their VPN gateway? Nobody…

There is no description field in the VPN configuration where we could refer to something a human can use easily, like a company name or a location name, anything that lets us identify the VPN better. Here is an example configuration:

crypto map mycrymap 2 match address tun-3wgroup
crypto map mycrymap 2 set pfs group5
crypto map mycrymap 2 set peer 5.5.5.5
crypto map mycrymap 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map mycrymap 2 set security-association lifetime seconds 3600
crypto map mycrymap 2 set security-association lifetime kilobytes unlimited

As you can see, I use the crypto ACL name as a useful name for identifying the tunnel.

To get the state of my VPN tunnels I use the following commands; they are written in the Python code:

cmdgetconfig = 'sh run crypto map | grep set peer|match address'
cmdshowikev1 = 'sh cry ikev1 sa | grep Peer|State'
cmdshowikev2 = 'sh cry ikev2 sa | grep Status:|' + args.vpnip

With the first command I collect the peer IPs and the ACL names directly from the running config. There can be one peer IP, or up to a maximum of 10 (backup IPs).

The last two commands collect the IKE states for version 1 and version 2. For version 2 the script takes an argument that should be the IP address on which the firewall listens for VPN connections. You can get this IP with the following commands:
1. Command

myvpngw/pri/act# sh run crypto | grep enable
crypto ikev2 enable outside
crypto ikev1 enable outside

2. Command

myvpngw/pri/act# sh ip address outside
System IP Address:
Interface                Name                   IP address      Subnet mask     Method 
Port-channel1.1000       outside                    6.6.6.6  255.255.255.192 CONFIG
Current IP Address:
Interface                Name                   IP address      Subnet mask     Method 
Port-channel1.1000       outside                    6.6.6.6  255.255.255.192 CONFIG
myvpngw/pri/act# 

The sensor is a Python script that logs into the firewall, collects the output, processes it and creates JSON output that corresponds to the Telegraf JSON data format.
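As an added illustration (not the author's script), this shows how the output of the first command and of the IKEv1 command above can be parsed and joined into the "metrics" array that the telegraf.conf selects with json_query, using the crypto ACL name as the tunnel identifier and scanning all configured backup peers. The sample command outputs are constructed from the configuration shown in this post and from the ASA's usual "IKE Peer:" / "State :" layout, which is an assumption; the numeric "up" field is also my choice.

```python
import re

# Constructed sample of "sh run crypto map | grep set peer|match address" output (format from the post)
CRYPTO_MAP_OUTPUT = """\
crypto map mycrymap 2 match address tun-3wgroup
crypto map mycrymap 2 set peer 5.5.5.5 5.5.5.6
crypto map mycrymap 3 match address tun-branch
crypto map mycrymap 3 set peer 7.7.7.7
"""
# Constructed sample of "sh cry ikev1 sa | grep Peer|State" output (assumed layout); only backup peer 5.5.5.6 is up
IKEV1_OUTPUT = """\
1   IKE Peer: 5.5.5.6
    Rekey   : no              State   : MM_ACTIVE
"""
def parse_crypto_map(text):
    """Return {(map name, seq): {'aclname': str, 'peers': [ip, ...]}}, keeping at most 10 peers."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer) (.+)", line)
        if not m:
            continue
        entry = entries.setdefault((m.group(1), int(m.group(2))), {"aclname": "", "peers": []})
        if m.group(3) == "match address":
            entry["aclname"] = m.group(4).strip()
        else:
            entry["peers"] = m.group(4).split()[:10]
    return entries

def parse_ikev1_states(text):
    """Return {peer ip: state}; each 'IKE Peer:' line is followed by its 'State :' line."""
    states, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer], peer = m.group(1), None
    return states

def build_metrics(cmap_text, ikev1_text):
    """One Telegraf metric per crypto map entry, keyed by ACL name; 'up' is 1 if any peer has an SA."""
    states = parse_ikev1_states(ikev1_text)
    metrics = []
    for (cmapname, seq), entry in sorted(parse_crypto_map(cmap_text).items()):
        active = [p for p in entry["peers"] if p in states]
        usedip = active[0] if active else entry["peers"][0]
        metrics.append({"ikeversion": "1", "cmapname": cmapname, "aclname": entry["aclname"],
                        "peerip": entry["peers"][0], "usedip": usedip, "up": 1 if active else 0})
    return {"metrics": metrics}
```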

C:\Python27>python.exe check_restapi_asavpn.py --help
usage: check_restapi_asavpn.py [-h] [-l] [-V] [-v] [-d DEVICE] [-i VPNIP]
                               [-u USERNAME] [-p USERPWD]

Cisco ASA VPN Monitoring Telegraf Sensor .

optional arguments:
  -h, --help            show this help message and exit
  -l, --log             switch logging on
  -V, --version         show program's version number and exit
  -v, --verbosity       increase output verbosity
  -d DEVICE, --device DEVICE
                        IP or hostname of the ASA Firewall
  -i VPNIP, --ipaddress VPNIP
                        IP address on which the vpn service listens
  -u USERNAME, --username USERNAME
                        username to login on the ASA Firewall
  -p USERPWD, --userpwd USERPWD
                        Password for the logon on Cisco ASA Firewall.

And that's how you use custom sensors...

Let's test it:

python.exe check_restapi_asavpn.py -d <DEVICE> -i <VPNIP> -u <USERNAME> -p <USERPWD>
Example:
python.exe check_restapi_asavpn.py -d 5.5.5.5 -i 6.6.6.6 -u fwadmin -p Start123

The Telegraf part was not that simple, but this worked for me:

I had to set up my own inputs.exec entry for my Python script:

#my exec plugin
#

[[inputs.exec]]
  command = "C:/Python27/python.exe C:/Python27/check_restapi_asavpn.py -d 5.5.5.5 -i 6.6.6.6 -u fwadmin -p Start123"
  data_format = "json"
  name_suffix = "_vpnikestatus"
  interval = "300s"
  timeout = "30s"
  json_query = "metrics"
  json_string_fields = [
      "ikeversion",
      "usedip",
      "mygateway",
      "countrycode",
      "city",
      "peerip",
      "cmapname",
      "longitude",
      "latitude",
      "aclname"
  ]
  tag_keys = [
      "ikeversion",
      "usedip",
      "mygateway",
      "countrycode",
      "city",
      "peerip",
      "cmapname",
      "longitude",
      "latitude",
      "aclname"
  ]

I have downloaded the database for geodata:
http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
In the Python script I have hardcoded the path to the GeoLite2-City database. You have to change it according to your setup!

readergeodata = geoip2.database.Reader('C:/Python27/GeoLite2-City.mmdb')

These libraries are required for the script to work:

import sys, getopt
import argparse
import logging
from urllib import quote
import urllib2
import ssl
import json
import base64
import re
import pdb
import geoip2.database

Installing them is not hard work… if you know the Python scripting language ;-) If not, no problem either: the internet is full of tutorials and help.

If everything is fine, just start your Telegraf:
Windows:
telegraf.exe -config telegraf.conf

Linux:
telegraf -config telegraf.conf

Then just import the dashboard I have created and you are ready. At the end you will get this:

Just a short summary of what this service does:

Feature list:

1. Considers the running config each time it checks the IKE state. Source command: sh run crypto map | grep set peer|match address
2. Considers up to the maximum of 10 backup peers. Source is the command: crypto map firmen 58 set peer ipaddress1 ipaddress2 ipaddress3 … ipaddress10
3. IKEv1 and IKEv2 supported. IKEv1 command: sh cry ikev1 sa | grep Peer|State ; IKEv2 command: sh cry ikev2 sa | grep Status:|6.6.6.6
4. Geodata is added to each VPN peer in an active state and to the first peer of the crypto map.
5. Crypto ACL names are used as the tunnel identifier, not the peer IPs.
6. The IKE state sensor talks to the Cisco ASA via HTTPS.
7. Filter the VPN tunnels from a drop-down list by ACL name.
8. Visualisation and dashboard are customizable.

If you need the Python script, the telegraf.conf and the Grafana dashboard, just write me here and I will provide you a link for them.
They will be on my GitHub site soon.
