Community discussions

MikroTik App
 
torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Dynamic ip site to site ipsec help

Mon Sep 04, 2017 7:21 pm

Hi, I'm new to mikrotik. I'm starting to learn about it and every step I go, I am finding it more and more interesting. At the moment I've managed to create an ipsec vpn between two mikrotik's. Right now my issue is how to make this work with dynamic ip addresses on both sides since I don't find a way to put domains instead of ip addresses on the remote peer fields and on the action tab of the ipsec policy.

Thanks in advance.
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Dynamic ip site to site ipsec help

Tue Sep 05, 2017 12:55 am

This has traditionally been done with scripts. It's now integrated within RouterOS as of the latest 6.41rc releases. I believe it is still command line only still though (hasn't been implemented in WinBox or WebFig).
 
torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Re: Dynamic ip site to site ipsec help

Tue Sep 05, 2017 2:25 am

Thank you. Do you have a sample script that you can share with me?

Also I've just installed 6.41rc23 an it allows me to specify dns on Peer on winbox. The issue still persist on specifying SA Src. Address and SA Dst. Address on the policy action. Any ideas?
 
User avatar
evince
Member
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique
Contact:

Re: Dynamic ip site to site ipsec help

Tue Sep 05, 2017 1:15 pm

Hello, try a script like this :

/system script
add name=update_dyns_ipsec owner=admin policy=\
ftp,reboot,read,write,policy,test,sniff,sensitive source="/system script\r\
\n:global LocalSite [:yourdomain.com]\r\
\n:global RemoteSite [:resolve remotedomain.com]\r\
\n/ip ipsec policy set 1 sa-dst-address=\$RemoteSite sa-src-address=\$Loca\
lSite\r\
\n/ip ipsec peer set 0 address=\"\$RemoteSite/32\""
 
torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Re: Dynamic ip site to site ipsec help

Tue Sep 05, 2017 9:08 pm

Can't thank you enough Evince.

I've ended up like this:

:global LocalSite [:resolve mydomain]
:global RemoteSite [:resolve remotedomain]
/ip ipsec policy set 1 sa-dst-address=$RemoteSite sa-src-address=$LocalSite

I just need one more thing. I've created a schedule to run the script, but since it won't compare actual address when updating, it ends up writing every time. This causes the vpn to go down until refresh, and that is not good. So, do you think you can help me make the script compare actual address and only change it when necessary?

Thank you very much.
 
User avatar
evince
Member
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique
Contact:

Re: Dynamic ip site to site ipsec help

Wed Sep 06, 2017 12:29 pm

 
torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Re: Dynamic ip site to site ipsec help

Sun Sep 10, 2017 9:23 pm

Thank's to everyone.

I've ended up learning and writing my own script. I leave it here in case someone needs it.
# Set needed variables and resolve remotedomain and local domain

:global RemoteIp [:resolve remotedomain]
:global LocalIp [:resolve mydomain]

# get actual values of sa-dst-address and sa-src-address
:global actual [/ip ipsec policy get 1 sa-dst-address]
:global actuallocal [/ip ipsec policy get 1 sa-src-address]

#change policy if remote or local ip changed
:if ($RemoteIp !=$actual)  do={
:log info "CheckRemoteIp: Update required $RemoteIp"
/ip ipsec policy set 1 sa-dst-address=$RemoteIp sa-src-address=$LocalIp} else= {:log info "No need to update"}
:log info "Remote update done, next local"
:if ($LocalIp !=$actuallocal) do={
:log info "CheckRemoteIp: Update required $LocalIp"
/ip ipsec policy set 1 sa-dst-address=$RemoteIp sa-src-address=$LocalIp} else= {:log info "No need to update"}
:log info "IPSEC update done"
I've used version 6.41rc23 that allows to specify the peer with dynamic address.
The code is the same for both routers, only thing that changes is to invert remotedomain/mydomain on the other router.

Hope it helps someone.
 
nkaroly
just joined
Posts: 1
Joined: Sat Jan 05, 2019 8:44 am

Re: Dynamic ip site to site ipsec help

Sat Jan 05, 2019 8:46 am

It helped me, but you need to enable "Inline comments" for this script, otherwise it only creates the first two environment variables.
 
atakacs
Member Candidate
Member Candidate
Posts: 121
Joined: Mon Mar 07, 2016 5:39 pm

Re: Dynamic ip site to site ipsec help

Thu Jul 23, 2020 12:39 pm

I'm a bit confused about this. How is the new IP "passed" to the other peer ? I understand that you check the local IP and if it change you modify the IPsec profiles - locally it is pretty trivial but how do you "signal" the remote peer to adapt ?`

Who is online

Users browsing this forum: No registered users and 16 guests