Use the check_snmp command to get back the connection info, which will be specific to your device/setup but in general follows the traditional Nagios methodology. Find the OID you need then set a warning/critical threshold -- so in my instance it looks like:
My warning/critical thresholds on the end (22, 24) are based on the number of DHCP addresses I've allowed this VPN server to allot to remote clients. The OID I'm querying tells me how many are currently in use and tracked (this pool is thereby specific to this VPN device and not given out by another daemon/etc.)
Try to do the following if you can:
Test the authentication backend - does your VPN authenticate against RADIUS? If so, set up Nagios with the RADIUS plugin.
Check for gaps in VPN login times. If you are running a busy VPN server, most likely you see a login at least once every 10 minutes during business hours. I have a custom Nagios plugin that queries the RADIUS accounting database, and checks to see if anyone has successfully logged in in the past 10 minutes.
The above 2 'extra' checks have been invaluable.
While answers so far are useful, I'd start simple and check whether the Cisco device is accessible externally. Have an external monitoring node outside of your network check the device and see if it's accessible.
Then if you want more detail throw in the RADIUS checks internally.
I've often got carried away with monitoring 5+ items internally when one simple external check would have caught 99% of the errors picked up by a combination of the items internally.
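The login-gap check described in the answers above, sketched as a Nagios-style plugin; this is an added example, not the answerer's plugin, which the page does not show. Assumptions: an in-memory SQLite table stands in for the RADIUS accounting database, the radacct/acctstarttime names follow the FreeRADIUS default SQL schema, an accounting start record is treated as a successful login, and business hours are Mon-Fri 08:00-18:00.

```python
import sqlite3
from datetime import datetime, timedelta

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

def in_business_hours(now, start_hour=8, end_hour=18):
    # Assumption: business hours are Mon-Fri, 08:00-18:00 local time.
    return now.weekday() < 5 and start_hour <= now.hour < end_hour

def check_login_gap(conn, now, max_gap=timedelta(minutes=10)):
    """Return (exit_code, message) based on the newest session start."""
    if not in_business_hours(now):
        return OK, "OK - outside business hours, login gap not evaluated"
    try:
        # radacct/acctstarttime: assumed FreeRADIUS-style accounting table.
        row = conn.execute(
            "SELECT MAX(acctstarttime) FROM radacct WHERE acctstarttime <= ?",
            (now.isoformat(" ", timespec="seconds"),)).fetchone()
    except sqlite3.Error as exc:
        # A broken accounting backend must not look like a healthy VPN.
        return UNKNOWN, f"UNKNOWN - accounting query failed: {exc}"
    if row[0] is None:
        return CRITICAL, "CRITICAL - no VPN logins recorded"
    gap = now - datetime.fromisoformat(row[0])
    minutes = int(gap.total_seconds() // 60)
    if gap > max_gap:
        return CRITICAL, f"CRITICAL - last VPN login {minutes} min ago"
    return OK, f"OK - last VPN login {minutes} min ago"

def sample_db():
    # Constructed sample rows standing in for the real accounting database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?)", [
        ("alice", "2024-03-04 10:05:00"),
        ("bob", "2024-03-04 10:21:00"),
    ])
    return conn

if __name__ == "__main__":
    db = sample_db()
    # Monday 10:25 is 4 minutes after the last login; 10:40 is 19 minutes after.
    for when in (datetime(2024, 3, 4, 10, 25), datetime(2024, 3, 4, 10, 40)):
        code, message = check_login_gap(db, when)
        print(code, message)  # a deployed plugin would sys.exit(code) instead
```

Outside business hours the check returns OK on purpose, so a quiet night does not page anyone; a failed accounting query returns UNKNOWN rather than OK.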