This tunnel is linking the remote peer and the local peer through an OpenBSD VPN gateway (managed with Isakmp).

The problem is that time allowed for this connection is limited, for security policy reasons. So it is not a 24- hour standard tunnel, but rather an on-demand type connection.

Note that the connection is automatically reset by the remote peer, by invalidating the connection cookie and therefore oblige to renegotiate the VPN tunnel from the beginning (phase 1 of the key exchange).

In other words, the Isakmp service has to be restarted every time we need the tunnel to be up.

Of course, it is not the purpose of Isakmp to have such a mechanism and what we want is to start the tunnel from the local peer, every time it needs to do some transfer.

The graph below summarizes the situation :

That is why I came to develop a script that opens a socket and allows the peer to remotely restart the Isakmp service.

Perl is once again the perfect language for someone like me, who is not a developer. My script uses mainly 2 CPAN modules : NetServer::Generic to manage the socket and Proc::ProcessTable to get the PID of a running process.

You can dowload it here : IsakmpdMon.

And here is the documentation on how to use it : IsakmpdMon Synopsys.

ATTENTION : for security reason, only trusted IPs should be allowed to send the commands.

To have your commands accepted, edit the line :

my ($allowed) = ['10\.80\.1\.2'];

with your IPs. It can be a list of IPs or hostnames separated by commas. You can use some jockers (*) for the names. Please refer to the NetServer::Generic documentation for more info.

Note that this script can be adapted to any usage to manage all kinds of services remotely…