Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mike_theknife
New Contributor

STOP/ START ipsec tunnels via API

Hello community

 

I am trying to STOP / START ipsec tunnels via API. 

I successfully connected to the API and sent a "tunnel_reset_stats" command to the API and the tunnel statistics get reset. So far so good. I was choosing "tunnel_reset_stats" since that command requires additional parameters via HTTP POST and so does the tunnel_down and tunnel_up command which is my goal to achieve. I am using PowerShell and the following code to reset the stats and it works:

 

==== CODE ====

$ApiToken = "[redacted]"

# tunnel_reset_stats only needs the phase1 name
$body = @{
    "p1name" = "[Phase1Name]"
}
$EndPoint = "https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_reset_stats?access_token=$ApiToken"

$header = @{ "Authorization" = "Bearer $ApiToken" }
$action = Invoke-RestMethod -Method POST -Uri $EndPoint -Headers $header -Body ($body | ConvertTo-Json) -ContentType "application/json"

==== CODE ====

 

Now according to the API documentation the tunnel_up and tunnel_down command needs 2 parameters (p1name and p2name). So I adapted my script as follows:

 

==== CODE ====

$ApiToken = "[redacted]"

# tunnel_down needs the phase1 and the phase2 name
$body = @{
    "p1name" = "[Phase1Name]"
    "p2name" = "[Phase2Name]"
}
$EndPoint = "https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_down?access_token=$ApiToken"

$header = @{ "Authorization" = "Bearer $ApiToken" }
$action = Invoke-RestMethod -Method POST -Uri $EndPoint -Headers $header -Body ($body | ConvertTo-Json) -ContentType "application/json"

==== CODE ====

You can see the only thing I changed was the additional parameter p2name which is required. I get the following error:

 

Invoke-RestMethod : {
"http_method":"POST",
"status":"error",
"http_status":500,
"vdom":"root",
"path":"vpn",
"name":"ipsec",
"action":"tunnel_down",
"serial":"[redacted]",
"version":"v7.4.3",
"build":2573
}

 

Can someone please shed some light on all this?

 

Kind regards Mike

If it moves ... hack it!
Debbie_FTNT
Staff

Hey mike_theknife,

the API request might need a p2serial value in addition to p1name and p2name?

[attached screenshot: image.png]

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mike_theknife

Hello Debbie

 

Thank you for your fast reply!

 

[attached screenshot: F.png]

How do I get the value for p2serial? I tried with 0 with no success.

 

If I use "diagnose vpn tunnel list name [my_vpn]" I get:

---

name=[my_vpn] ver=2 serial=12 ...

---

Is that serial number from there? If yes how can I get this serial number via API? I want to automate the restart of a tunnel.

 

Greetings

Mike

 

 

If it moves ... hack it!
mike_theknife

Hello Debbie

I tried it with curl too:

 

curl --insecure -X 'POST' \
> 'https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_down?access_token=[API_Token]' \
> -H 'accept: application/json' -H 'Content-Type: application/json' \
> -d '{ "p1name": "Phase1name","p2name": "Phase2name" }'

 

{
"path":"vpn",
"name":"ipsec",
"action":"tunnel_down",
"serial":"[redacted]",
"version":"v7.4.3",
"build":2573,
"status":"error",
"http_status":424

 

I will try again when I know how to get the serial parameter.

 

A different command works (tunnel_reset_stats):

 

curl --insecure -X 'POST' 'https://[Firewall-IP]/api/v2/monitor/vpn/ipsec/tunnel_reset_stats?access_token=[API-Token]' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{
"p1name": "[MY_VPN]" }'


{
"http_method":"POST",
"status":"success",
"http_status":200,
"vdom":"root",
"path":"vpn",
"name":"ipsec",
"action":"tunnel_reset_stats",
"serial":"[redacted]",
"version":"v7.4.3",
"build":2573

 

Greetings Mike

If it moves ... hack it!
Debbie_FTNT

Hey Mike,

my lab is not currently cooperating, so I can't get this live, but from some internal API documentation it looks like a GET request to /api/v2/monitor/vpn/ipsec should return an array of tunnels (optionally you can filter on the tunnel), and that should include the p2serial value.
Example screenshot:
[attached screenshot: image.png]

So you could do a GET to /vpn/ipsec first to get the p2serial, then POST to /vpn/ipsec/tunnel_down

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mike_theknife

Hello Debbie

 

you were right, it needed the parameter p2serial although it was mentioned as not mandatory in the documentation. With /api/v2/monitor/vpn/ipsec I retrieved all the tunnels and found the serial number which I then used in my script to stop the IPsec tunnel.

 

==== WORKING POWERSHELL CODE ====

$ApiToken = "[redacted]"

$body = @{
    "p1name"   = "[Phase1Name]"
    "p2name"   = "[Phase2Name]"
    "p2serial" = 10   # whatever serial your tunnel has from /api/v2/monitor/vpn/ipsec
}
$EndPoint = "https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_down?access_token=$ApiToken"

$header = @{ "Authorization" = "Bearer $ApiToken" }
$action = Invoke-RestMethod -Method POST -Uri $EndPoint -Headers $header -Body ($body | ConvertTo-Json) -ContentType "application/json"

==== CODE ====

 

My question is: does the serial number change? When I include it in a script and it changes, the script will obviously fail. Is the serial set when the tunnel gets initially set up and stays for the duration of its lifetime?

 

Greetings Mike

If it moves ... hack it!
Debbie_FTNT

Hey Mike,

as far as I know, the serial can change, so a script to read the serial from the GET request and store it in a variable is probably the way to go.

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mike_theknife

Hello Debbie

Thanks again for your effort!

When I have an IPsec tunnel with several phase2 definitions, will I have to get all the p2serial parameters, or is there a way to take down the entire tunnel like the feature in the GUI? If there was a way to send CLI commands through the API I would be set.

 

[attached screenshot: foti_ipsec.png]

Greetings Mike

If it moves ... hack it!
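The following script chains the two calls Debbie describes (a GET to /api/v2/monitor/vpn/ipsec to read the serial, then a POST to tunnel_down) and extends them to the multi-phase2 case Mike asks about in his last post by looping over every phase2 entry of the selected phase1, so the serial is never hard-coded and is re-read on each run. It is an added example, not code from this thread or from Fortinet. The response layout it relies on (a `results` array of phase1 objects, each with a `name` and a `proxyid` array whose entries carry `p2name` and `p2serial`) is an assumption derived from Debbie's description and is not confirmed anywhere on this page; the parameter names `$Firewall`, `$ApiToken`, `$Phase1Name` and `$Action` are likewise this example's own.

```powershell
# Added example, not the thread's own code. Read p2serial values from the
# monitor API, then POST tunnel_down (or tunnel_up) once per phase2.
# ASSUMPTION: GET /api/v2/monitor/vpn/ipsec returns "results" as an array of
# phase1 objects, each with "name" and a "proxyid" array containing
# "p2name" and "p2serial". Verify against your own FortiOS build first.
param(
    [Parameter(Mandatory)] [string] $Firewall,     # firewall IP or hostname (placeholder, e.g. 192.0.2.1)
    [Parameter(Mandatory)] [string] $ApiToken,     # REST API user token
    [Parameter(Mandatory)] [string] $Phase1Name,   # phase1 name as shown in the GUI / CLI
    [ValidateSet('tunnel_down', 'tunnel_up')] [string] $Action = 'tunnel_down'
)

$base    = "https://$Firewall/api/v2/monitor/vpn/ipsec"
# Send the token only in the Authorization header; it does not need to be
# repeated in the query string, where it would end up in URL logs and history.
$headers = @{ 'Authorization' = "Bearer $ApiToken" }

# Step 1: read the current tunnel list. The serial is looked up fresh on every
# run because, as noted in the thread, it can change.
$list = Invoke-RestMethod -Method GET -Uri $base -Headers $headers
$p1   = $list.results | Where-Object { $_.name -eq $Phase1Name }
if (-not $p1) {
    throw "No IPsec phase1 named '$Phase1Name' found in $base"
}
if (-not $p1.proxyid) {
    throw "Phase1 '$Phase1Name' has no phase2 (proxyid) entries to act on"
}

# Step 2: one POST per phase2 entry, each with its own p2serial.
foreach ($p2 in $p1.proxyid) {
    $body = @{
        p1name   = $Phase1Name
        p2name   = $p2.p2name
        p2serial = [int]$p2.p2serial   # numeric, as in the working thread script
    } | ConvertTo-Json

    $result = Invoke-RestMethod -Method POST -Uri "$base/$Action" -Headers $headers `
                                -Body $body -ContentType 'application/json'

    '{0} {1}/{2} (p2serial={3}): {4}' -f $Action, $Phase1Name, $p2.p2name, $p2.p2serial, $result.status
}
```

Run it as `.\Set-IpsecTunnel.ps1 -Firewall 192.0.2.1 -ApiToken $token -Phase1Name MyVPN` to bring every phase2 of MyVPN down, and with `-Action tunnel_up` to bring them back. If the firewall's certificate is not trusted by the host, PowerShell 7 accepts `-SkipCertificateCheck` on both `Invoke-RestMethod` calls, which is the counterpart of the `curl --insecure` used in the thread; installing a trusted certificate on the firewall is the better fix, since the bearer token is otherwise sent to whatever answers at that address.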