Wednesday, June 22, 2011

Automating password authenticated commands

On my linux server I have an IPSEC VPN set up to an external connection.  This was a stipulation from the counterparty to allow us to send secure data, from a verified user.  I set that up before I started this blog, so at some point I will do a retrospective blog on that.  For now I want to talk about something a little more general, I am just framing the problem.

I have a FIX connection running over this VPN, using the QuickFix/J API.  For some reason that I cannot quite figure out I lose the session and it will not automatically reconnect.  This is usually solved by resetting the VPN.  I wrote a short script to take down and bring back up the connection, called restartVPN:

#! /bin/bash
sudo ipsec auto --verbose --down Test
sudo ipsec auto --verbose --up Test

This works fine.  As you can see I use sudo to get the admin rights needed to do this, which is fine for a manual operation.  However, I have had this problem occur without being notified quickly enough to fix it by hand before there were consequences, so I want to detect when my session has been down for too long and reset it automatically.

This should be no problem: the code that is watching the session status calls the bash script above and hey presto.  However, this will not work, because sudo requires password authentication for non-root users by default.  A call from another system will get stuck waiting for the password, and as it is supposed to be automated there is nobody there to type it.

WARNING: Messing around with the sudoers file is dangerous and should be done very carefully and allowing only the least possible permissions to make your scripts run automatically.

The solution is to allow sudo to run ipsec without requiring a password for the admin rights.  Once done, ipsec must still be run with sudo, so there is a small layer of security left, but the password layer is gone, so if you do type sudo ipsec make sure you know what you are doing.
Before you do this it is worth checking out the sudo and visudo man pages.
Bear in mind that my user is called ctoisrael and the command I am running is ipsec.  You will need to replace these with your own specifics.
First run visudo to edit the sudoers file:

sudo visudo

It will open in your default editor.  Make sure you are familiar with editing in whichever one you have chosen.
Add a line like this at the bottom:

ctoisrael ALL = NOPASSWD: /usr/sbin/ipsec

The first ALL means all hosts; in this case it doesn't matter because I am only setting this on this server and not copying the file to other servers.  If I wanted to be specific, i.e. that it can only be done on one server, I would replace this first ALL with the name of the server.  The rest should be self explanatory: I have specified that no password is needed when running the ipsec command, but only for this user.
Save the file.  By default it saves to sudoers.tmp; visudo then checks the syntax to make sure it can be installed as the real sudoers file, and only then saves it there.

Now when I run restartVPN it does not prompt me for the password which means it can be run from a script that will automatically reset my VPN when it goes down.
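As an added example (my own code, not the restartVPN script or anything else from this post): a watchdog that resets the VPN only once the session has been down longer than a threshold, and that calls sudo with -n so a missing or mismatched sudoers rule makes it fail immediately instead of hanging on a password prompt. It assumes a narrower sudoers entry than the one above, limited to the two exact ipsec commands; the user ctoisrael and connection name Test come from the post, the threshold and the way the watcher reports the outage are assumptions.

```bash
#!/bin/bash
# Watchdog for the IPSEC connection "Test" (added example, not the post's script).
# Assumed sudoers rule (hypothetical; add it with visudo). sudo matches the
# arguments exactly, so only these two invocations run without a password:
#   ctoisrael ALL = (root) NOPASSWD: /usr/sbin/ipsec auto --verbose --down Test, \
#                                    /usr/sbin/ipsec auto --verbose --up Test

CONN="Test"
THRESHOLD_SECS="${THRESHOLD_SECS:-120}"   # assumed: seconds down before we reset

# down_too_long DOWN_SINCE NOW THRESHOLD -> exit 0 if the outage exceeds THRESHOLD.
# DOWN_SINCE is the epoch time the FIX session was first seen down; 0 means it is up.
down_too_long() {
    down_since=$1; now=$2; threshold=$3
    [ "$down_since" -gt 0 ] || return 1
    [ $((now - down_since)) -ge "$threshold" ]
}

# sudo -n never asks for a password: if the sudoers rule is missing, or the
# arguments differ from what it allows, sudo exits non-zero straight away.
privileged() {
    sudo -n "$@"
}

# sudo -l <command> exits 0 only if the caller may run exactly that command.
can_reset_vpn() {
    sudo -n -l /usr/sbin/ipsec auto --verbose --down "$CONN" >/dev/null 2>&1 &&
    sudo -n -l /usr/sbin/ipsec auto --verbose --up "$CONN" >/dev/null 2>&1
}

reset_vpn() {
    # These must match the sudoers entry word for word.
    privileged /usr/sbin/ipsec auto --verbose --down "$CONN" || return 1
    privileged /usr/sbin/ipsec auto --verbose --up "$CONN"
}

# Driver: DOWN_SINCE (argument 1) is supplied by whatever watches the FIX session.
main() {
    down_since="${1:-0}"
    now=$(date +%s)
    if down_too_long "$down_since" "$now" "$THRESHOLD_SECS"; then
        can_reset_vpn || { echo "ipsec sudoers rule not in place, not resetting" >&2; return 2; }
        reset_vpn
    fi
}

main "$@"
```

Run it as `./vpnwatch.sh <epoch seconds the session went down>`; with no argument it treats the session as up and does nothing.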

I found a pretty good guide to setting up IPSEC VPNs if you are interested, here.

Feel free to write something in the comments if you have any questions about this or anything else I blog about, happy to help.
