Still, in 2018, we cannot find any freely available, useful IKE state monitoring for our VPN tunnels… that's bad.
That's why I grabbed my laptop for a couple of sleepless nights and built an IKE state monitoring tool from the TIG Stack, the free MaxMind GeoLite database and Python. See the building blocks for that service (apart from the Cisco ASA, everything is open source):
In this post I am working with Cisco ASA firewalls as VPN gateways for site-to-site VPNs with IKEv1 and IKEv2.
I will not describe how to install the TIG Stack (Telegraf, InfluxDB, Grafana); the internet is full of information about that.
SNMP for VPN is bad: it can give you the state of the VPNs that are up, but not of all the configured ones.
With SNMP you see only peer IPs, but we humans can't work with peer IPs; we need names, like company names. nslookup would be an option, but who gives a DNS name to their VPN gateway? Nobody…
There is no description field in the VPN configuration where we could refer to something a human can use easily, like a company name or a location name, or anything else that identifies the VPN better. Here is an example configuration:
crypto map mycrymap 2 match address tun-3wgroup
crypto map mycrymap 2 set pfs group5
crypto map mycrymap 2 set peer 5.5.5.5
crypto map mycrymap 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map mycrymap 2 set security-association lifetime seconds 3600
crypto map mycrymap 2 set security-association lifetime kilobytes unlimited
As you see, I use the crypto ACL name as a useful name for identifying the tunnel.
To get the state of my VPN tunnels I use the following commands; they are written into the Python code:
cmdgetconfig = 'sh run crypto map | grep set peer|match address'
cmdshowikev1 = 'sh cry ikev1 sa | grep Peer|State'
cmdshowikev2 = 'sh cry ikev2 sa | grep Status:|' + args.vpnip
With the first command I collect the peer IPs and the ACL names directly from the running config. There can be one peer IP or at most 10 (backup IPs).
The last two commands collect the IKE states for version 1 and version 2. For version 2 the script takes an argument that should be the IP address on which the firewall listens for VPN connections. You can get this IP with the following commands:
1. Command
myvpngw/pri/act# sh run crypto | grep enable
crypto ikev2 enable outside
crypto ikev1 enable outside
2. Command
myvpngw/pri/act# sh ip address outside
System IP Address:
Interface                Name                   IP address      Subnet mask     Method
Port-channel1.1000       outside                6.6.6.6         255.255.255.192 CONFIG
Current IP Address:
Interface                Name                   IP address      Subnet mask     Method
Port-channel1.1000       outside                6.6.6.6         255.255.255.192 CONFIG
myvpngw/pri/act#
The sensor is a Python script that logs into the firewall, collects the output of those commands, processes it and creates a JSON output in the format that Telegraf's JSON data format expects.
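As an added example (not the author's script, which is not posted here), this is the parsing step in Python 3: it turns the output of the three commands above into the "metrics" array that the telegraf json_query on this page selects. The ASA output lines are constructed to match the format shown in the post, and the GeoLite2 lookup is left out because it needs the .mmdb file.

```python
import re
# Constructed sample output in the shape of the page's three commands (not captured from a real ASA).
RUN_CRYPTO_MAP = """\
crypto map mycrymap 2 match address tun-3wgroup
crypto map mycrymap 2 set peer 5.5.5.5 5.5.5.6
crypto map mycrymap 3 match address tun-branch
crypto map mycrymap 3 set peer 7.7.7.7
crypto map mycrymap 4 match address tun-down
crypto map mycrymap 4 set peer 9.9.9.9
"""
IKEV1_SA = "1   IKE Peer: 5.5.5.6\n    Rekey   : no              State   : MM_ACTIVE\n"
IKEV2_SA = "Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1\n 12345    6.6.6.6/500          7.7.7.7/500           READY    INITIATOR\n"
def parse_crypto_map(text):
    """One entry per crypto map sequence: its acl name plus up to 10 (backup) peer ips."""
    entries = {}
    for name, seq, kind, rest in re.findall(
            r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$", text, re.M):
        e = entries.setdefault((name, seq), {"cmapname": name, "aclname": "", "peers": []})
        if kind == "match address":
            e["aclname"] = rest.strip()
        else:
            e["peers"] = rest.split()[:10]
    return list(entries.values())
def _pairs(text, first_re, second_re):
    # Pair each line matching first_re with the next line matching second_re (what the greps leave over).
    pending = None
    for line in text.splitlines():
        a, b = re.search(first_re, line), re.search(second_re, line)
        if a:
            pending = a.group(1)
        elif b and pending:
            yield pending, b.group(1)
            pending = None
def parse_ike_states(ikev1_text, ikev2_text):
    # {peerip: (ikeversion, state)}; ikev1 pairs 'IKE Peer:' with 'State :', ikev2 'Status:' with the tunnel line
    states = {p: ("ikev1", s) for p, s in _pairs(ikev1_text, r"IKE Peer:\s*(\S+)", r"State\s*:\s*(\S+)")}
    states.update({p: ("ikev2", s) for s, p in _pairs(
        ikev2_text, r"Status:([^,]+),", r"^\s*\d+\s+\S+/\d+\s+(\S+)/\d+")})
    return states
def build_metrics(cmap_text, ikev1_text, ikev2_text, mygateway):
    """Telegraf 'json' payload: one metric per crypto map, identified by acl name rather than peer ip."""
    states = parse_ike_states(ikev1_text, ikev2_text)
    metrics = []
    for e in parse_crypto_map(cmap_text):
        active = [p for p in e["peers"] if p in states]      # which of the backup peers has an SA
        usedip = active[0] if active else e["peers"][0]
        version, state = states.get(usedip, ("none", "DOWN"))
        metrics.append({"aclname": e["aclname"], "cmapname": e["cmapname"], "peerip": e["peers"][0],
                        "usedip": usedip, "mygateway": mygateway, "ikeversion": version, "ikestate": state,
                        "up": 1 if active else 0})
    return {"metrics": metrics}
```

A tunnel whose crypto map has no matching IKE SA still appears in the output (with ikestate DOWN), which is exactly what plain SNMP polling cannot give you.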
C:\Python27>python.exe check_restapi_asavpn.py --help
usage: check_restapi_asavpn.py [-h] [-l] [-V] [-v] [-d DEVICE] [-i VPNIP]
                               [-u USERNAME] [-p USERPWD]

Cisco ASA VPN Monitoring Telegraf Sensor .

optional arguments:
  -h, --help            show this help message and exit
  -l, --log             switch logging on
  -V, --version         show program's version number and exit
  -v, --verbosity       increase output verbosity
  -d DEVICE, --device DEVICE
                        IP or hostname of the ASA Firewall
  -i VPNIP, --ipaddress VPNIP
                        IP address on which the vpn service listens
  -u USERNAME, --username USERNAME
                        username to login on the ASA Firewall
  -p USERPWD, --userpwd USERPWD
                        Password for the logon on Cisco ASA Firewall.

And that's how you use custom sensors...
Let's test it:
python.exe check_restapi_asavpn.py -d DEVICE -i VPNIP -u USERNAME -p USERPWD
Example: python.exe check_restapi_asavpn.py -d 5.5.5.5 -i 6.6.6.6 -u fwadmin -p Start123
The Telegraf part was not that simple, but this worked for me:
I had to set up my own inputs.exec configuration for my Python script:
#my exec plugin
#
[[inputs.exec]]
  command = "C:/Python27/python.exe C:/Python27/check_restapi_asavpn.py -d 5.5.5.5 -i 6.6.6.6 -u fwadmin -p Start123"
  data_format = "json"
  name_suffix = "_vpnikestatus"
  interval = "300s"
  timeout = "30s"
  json_query = "metrics"
  json_string_fields = [ "ikeversion", "usedip", "mygateway", "countrycode", "city", "peerip", "cmapname", "longitude", "latitude", "aclname" ]
  tag_keys = [ "ikeversion", "usedip", "mygateway", "countrycode", "city", "peerip", "cmapname", "longitude", "latitude", "aclname" ]
I have downloaded the database for geodata:
http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
In the Python script I have hardcoded the path to the GeoLite2-City database; you have to change it according to your setup!
readergeodata = geoip2.database.Reader('C:/Python27/GeoLite2-City.mmdb')
These libraries are required for the script to work:
import sys, getopt
import argparse
import logging
from urllib import quote
import urllib2
import ssl
import json
import base64
import re
import pdb
import geoip2.database
Installing them is not hard work… if you know the Python scripting language ;-) If not, no problem either: the internet is full of tutorials and help.
If everything is fine, just start your Telegraf:
Windows:
telegraf.exe -config telegraf.conf
Linux:
telegraf -config telegraf.conf
and just import the dashboard I have created and you are ready. At the end you will get this:
Just a short summary of what this service does:
Feature list:
1. Considers the running config each time it checks the IKE state. Source command: sh run crypto map | grep set peer|match address
2. Considers up to 10 backup peers. Source is the command: crypto map firmen 58 set peer ipaddress1 ipaddress2 ipaddress3 … ipaddress10
3. IKEv1 and IKEv2 supported. IKEv1 command: sh cry ikev1 sa | grep Peer|State; IKEv2 command: sh cry ikev2 sa | grep Status:|6.6.6.6
4. Geodata is added to each VPN peer with an active state and to the first peer of the crypto map
5. Crypto ACL names are used as the tunnel identifier, not the peer IPs
6. The IKE state sensor talks to the Cisco ASA via HTTPS
7. Filter VPN tunnels from a drop-down list by ACL name
8. Visualisation and dashboard are customizable
If you need the Python script, the telegraf.conf and the Grafana dashboard, just write to me here. I will provide you a link to them.
It will be on my GitHub site soon.
Jonas Žilevičius
April 12, 2019
Hello, can I get the "Monitor IKE state on your VPN Gateways" Python script and the telegraf.conf and the Grafana dashboard?
Thank you!
itsecworks
April 17, 2019
I will upload it, but it's customised to my company. It would be better to deal with it over a remote session with me together. Do you have Webex or LogMeIn or something to meet online?
Brandon Soto Córdoba
April 15, 2019
Good Morning, could you please provide me that script for my Grafana Server?
itsecworks
April 17, 2019
I will upload it, but it's customised to my company. It would be better to deal with it over a remote session with me together. Do you have Webex or LogMeIn or something to meet online?
FireKamp
May 18, 2020
Heya, would love to chat more about what you've done here. Shoot us an email if you're interested in chatting further about a contract gig.
Albino Gonzalez
June 26, 2020
Hello, I'm interested in your script. Could you please provide me that script for my Grafana server?