VPN doubt - IPSec Monitor

Started by lhpaladin, July 17, 2019, 05:58:45 AM


lhpaladin

Is it possible to monitor IPSec tunnels in phase 2? Can anyone give me a detailed explanation?
My situation would be similar to this ...

Phase 1
  Firewall X <-------- IPSec -----------> Firewall Y

Phase 2
Lan1X 192.168.20.0/24 <---- Phase 2 -----> Lan1Y 192.168.24.0/24
Lan2X 10.100.20.0/24 <- Where is the NetXMS Server

Lan2X is where the NetXMS Server is, it sees only Firewall X and Lan1X.

What is the best approach to this?

Thanks in advance

Tursiops

Depending on what exactly you're trying to do, it could be enough to do a ping test across the VPN (Phase 2 established means the ping should pass through).
If you want to know the actual state of the IPSec VPN and your firewalls allow for it, you may be able to pull actual tunnel information via SNMP.
The devices might also send Syslog messages or SNMP traps whenever a tunnel drops or is established.

The first should be pretty straightforward using the Ping subagent: https://www.netxms.org/documentation/adminguide/icmp-ping.html (That and probably some searching on the forum on how to properly configure/use this as it comes up every now and then. We're not using it so I can't provide guidance.)
The other options would depend heavily on the devices you are using and the details would be specific to them. For some firewalls they may not be possible at all.

lhpaladin

Thanks for the answer.
I imagine that using ping, it would be through ICMP proxy, because it is not the NetXMS network that is linked to the tunnels, but another network. I figured the VPN connector could help me with something, but I also could not understand the use of this feature (anyone who can give a concrete example would help a lot).

Fortunately, I was able to get the status of the tunnels in the firewall via SNMP and save them to a table DCI, but I would like a suggestion on how best to view these values in a dashboard, since the table is not as attractive and the status of the tunnels is only integer values.

Thank you!

Tursiops

From what I recall the VPN Connector is a manual "helper" for linking networks connected via VPN on maps.
You can configure a VPN Connector on each firewall/router and link them. Automated maps will then honour that link, so your maps will show both sides. Otherwise the map would stop at each firewall/router.
It is not a tool to monitor or establish VPNs.

Regarding the tunnel status being integer values, the SNMP MIB file will likely contain a "translation" for the integer value. This is a weak point in NetXMS' MIB Browser: it will show the description of an OID, but not the "SYNTAX INTEGER" part which in most cases is required for translation of such integer values (most vendors don't put that information into the description). An example might be more helpful here (this is not for any VPN Tunnel, just an example of how a MIB file looks and what NetXMS shows):
       hpicfSensorStatus OBJECT-TYPE
           SYNTAX     INTEGER {
                          unknown(1),
                          bad(2),
                          warning(3),
                          good(4),
                          notPresent(5)
                      }
           MAX-ACCESS read-only
           STATUS     current
           DESCRIPTION
                   "Actual status indicated by the sensor."
           ::= { hpicfSensorEntry 4 }

In the above, NetXMS will show you hpicfSensorStatus as the translated name for the OID. It will also show you the "Actual status indicated by the sensor." in the description. But it will not show you the unknown, bad, warning, good, notPresent information and their numerical representation. In other words, you'll have to go through the MIB for your firewall to locate these details to run a transform into a string (if you want it to show a string; integers do have the advantage that you can graph them and quickly see when things changed over time).
For transforms on a table DCI, the following post will probably be helpful as well: https://www.netxms.org/forum/configuration/transformations-scripts-for-table-dci/

An alternative to a table would be to use Instance Discovery. There should be a number of forum posts with examples on how to configure this if you want to give it a go.
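
The following is an added example, not code from this thread or from the NetXMS project. It shows the two steps the reply above describes: pulling the "SYNTAX INTEGER { ... }" enumeration out of a MIB OBJECT-TYPE definition (using the hpicfSensorStatus object quoted above as the sample input), and then applying that mapping to the integer column of a table DCI so each row carries a readable label while the original integer is kept for graphing. The sample rows, the column names and the helper names are constructed for the example; NetXMS itself would run the equivalent mapping inside the DCI's NXSL transformation script, where the polled value is available as $1, so this Python is the logic to carry over, not a NetXMS API.

```python
"""Added example (not from the forum thread or the NetXMS project): parse the
SYNTAX INTEGER { ... } enumeration of a MIB OBJECT-TYPE and use it to translate
raw integer SNMP values into their symbolic names, the way a DCI
transformation script would."""
import re

# Constructed input: the hpicfSensorStatus definition quoted in the thread.
SAMPLE_MIB = """
hpicfSensorStatus OBJECT-TYPE
    SYNTAX     INTEGER {
                   unknown(1),
                   bad(2),
                   warning(3),
                   good(4),
                   notPresent(5)
               }
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
            "Actual status indicated by the sensor."
    ::= { hpicfSensorEntry 4 }
"""

# Constructed table-DCI rows (hypothetical sensor names; one value arrives as a
# string and one uses a code the MIB does not define, to exercise both cases).
SAMPLE_ROWS = [
    {"sensor": "psu-1", "status": 4},
    {"sensor": "fan-2", "status": "3"},
    {"sensor": "temp-1", "status": 7},
]

# Matches "<name> OBJECT-TYPE SYNTAX INTEGER { ... }" and captures the brace body.
OBJECT_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE\s+SYNTAX\s+INTEGER\s*\{(?P<body>[^}]*)\}",
    re.S,
)
# Matches one "label(number)" pair inside the enumeration body.
LABEL_RE = re.compile(r"([A-Za-z][\w-]*)\s*\(\s*(\d+)\s*\)")


def parse_integer_enums(mib_text):
    """Return {object_name: {int_value: label}} for every OBJECT-TYPE in the
    text whose SYNTAX is an INTEGER enumeration."""
    enums = {}
    for m in OBJECT_RE.finditer(mib_text):
        labels = {int(v): lbl for lbl, v in LABEL_RE.findall(m.group("body"))}
        if labels:
            enums[m.group("name")] = labels
    return enums


def translate(value, labels):
    """Map a raw SNMP integer (int or numeric string) to its label. Codes the
    MIB does not define are kept visible instead of being hidden as 'unknown',
    so a firmware change that adds a state shows up in the dashboard."""
    try:
        code = int(value)
    except (TypeError, ValueError):
        return f"invalid({value!r})"
    return labels.get(code, f"unknown-code({code})")


def translate_table(rows, labels, column):
    """Apply translate() to one column of table rows (list of dicts). The
    label replaces the integer in `column`; the integer is preserved in
    `<column>Code` so it can still be graphed over time."""
    out = []
    for row in rows:
        new = dict(row)
        new[column + "Code"] = row[column]
        new[column] = translate(row[column], labels)
        out.append(new)
    return out


if __name__ == "__main__":
    enums = parse_integer_enums(SAMPLE_MIB)
    for row in translate_table(SAMPLE_ROWS, enums["hpicfSensorStatus"], "status"):
        print(row)
```

Running the block prints one row per sensor with the status label and its original code side by side. The same split (label column for the dashboard, integer column for graphs) is what the reply above is getting at when it says integers have the advantage of being graphable.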

lhpaladin

Thank you for your attention.
I tested the VPN connector; it really only appears on network maps. It should also appear on custom maps.

It's really hard to know what each integer value means, but it's possible to search the internet.