Dynamic ip site to site ipsec help

Posted: Mon Sep 04, 2017 7:21 pm
by torrington
Hi, I'm new to MikroTik. I'm starting to learn about it, and with every step I take I am finding it more and more interesting. At the moment I've managed to create an IPsec VPN between two MikroTiks. Right now my issue is how to make this work with dynamic IP addresses on both sides, since I can't find a way to put domains instead of IP addresses in the remote peer fields and on the action tab of the IPsec policy.

Thanks in advance.

Re: Dynamic ip site to site ipsec help

Posted: Tue Sep 05, 2017 12:55 am
by idlemind
This has traditionally been done with scripts. It's now integrated within RouterOS as of the latest 6.41rc releases. I believe it is still command line only though (it hasn't been implemented in WinBox or WebFig).

Re: Dynamic ip site to site ipsec help

Posted: Tue Sep 05, 2017 2:25 am
by torrington
Thank you. Do you have a sample script that you can share with me?

Also, I've just installed 6.41rc23 and it allows me to specify DNS on the Peer in WinBox. The issue still persists when specifying SA Src. Address and SA Dst. Address on the policy action. Any ideas?

Re: Dynamic ip site to site ipsec help

Posted: Tue Sep 05, 2017 1:15 pm
by evince
Hello, try a script like this:

/system script
add name=update_dyns_ipsec owner=admin policy=\
ftp,reboot,read,write,policy,test,sniff,sensitive source="/system script\r\
\n:global LocalSite [:resolve yourdomain.com]\r\
\n:global RemoteSite [:resolve remotedomain.com]\r\
\n/ip ipsec policy set 1 sa-dst-address=\$RemoteSite sa-src-address=\$Loca\
lSite\r\
\n/ip ipsec peer set 0 address=\"\$RemoteSite/32\""

Re: Dynamic ip site to site ipsec help

Posted: Tue Sep 05, 2017 9:08 pm
by torrington
Can't thank you enough Evince.

I've ended up like this:

:global LocalSite [:resolve mydomain]
:global RemoteSite [:resolve remotedomain]
/ip ipsec policy set 1 sa-dst-address=$RemoteSite sa-src-address=$LocalSite

I just need one more thing. I've created a schedule to run the script, but since it doesn't compare the actual address when updating, it ends up writing every time. This causes the VPN to go down until refresh, and that is not good. So, do you think you can help me make the script compare the actual address and only change it when necessary?

Thank you very much.

Re: Dynamic ip site to site ipsec help

Posted: Wed Sep 06, 2017 12:29 pm
by evince

Re: Dynamic ip site to site ipsec help

Posted: Sun Sep 10, 2017 9:23 pm
by torrington
Thanks to everyone.

I've ended up learning and writing my own script. I leave it here in case someone needs it.

# Set needed variables and resolve the remote and local domains
:global RemoteIp [:resolve remotedomain]
:global LocalIp [:resolve mydomain]

# Get the current values of sa-dst-address and sa-src-address
:global actual [/ip ipsec policy get 1 sa-dst-address]
:global actuallocal [/ip ipsec policy get 1 sa-src-address]

# Change the policy if the remote or local IP changed
:if ($RemoteIp != $actual) do={
    :log info "CheckRemoteIp: Update required $RemoteIp"
    /ip ipsec policy set 1 sa-dst-address=$RemoteIp sa-src-address=$LocalIp
} else={
    :log info "No need to update"
}
:log info "Remote update done, next local"
:if ($LocalIp != $actuallocal) do={
    :log info "CheckRemoteIp: Update required $LocalIp"
    /ip ipsec policy set 1 sa-dst-address=$RemoteIp sa-src-address=$LocalIp
} else={
    :log info "No need to update"
}
:log info "IPSEC update done"

I've used version 6.41rc23, which allows specifying the peer with a dynamic address.
The code is the same for both routers; the only thing that changes is inverting remotedomain/mydomain on the other router.

Hope it helps someone.
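
A variant of the compare-then-update script above, added here as an example and not written by any poster in this thread: it aborts without touching the policy when DNS resolution fails, selects the policy by comment instead of by print-order number, and writes only when an address actually changed. Assumptions: the policy has been tagged with the comment "site-b", the two hostnames are placeholders, and the policy still exposes sa-src-address and sa-dst-address as in the 6.41rc build used in the thread.

```routeros
# Added example, not from the thread. The comment "site-b" and both
# hostnames are assumed placeholders; replace them with your own values.
:local policyComment "site-b"
:local remoteHost "remote.example.net"
:local localHost "local.example.net"

:local remoteIp
:local localIp

# :resolve raises an error on DNS failure; stop before touching the policy
:do {
    :set remoteIp [:resolve $remoteHost]
    :set localIp [:resolve $localHost]
} on-error={
    :log warning "ipsec-ddns: DNS lookup failed, policy left unchanged"
    :error "resolve failed"
}

# Select the policy by comment; print-order numbers are not stable identifiers
:local policyId [/ip ipsec policy find comment=$policyComment]
:if ([:len $policyId] != 1) do={
    :log error "ipsec-ddns: expected exactly one policy with comment $policyComment"
    :error "policy not found"
}

:local curDst [/ip ipsec policy get $policyId sa-dst-address]
:local curSrc [/ip ipsec policy get $policyId sa-src-address]

# Write only when something changed, so established SAs are not torn down
:if (($remoteIp != $curDst) || ($localIp != $curSrc)) do={
    /ip ipsec policy set $policyId sa-dst-address=$remoteIp sa-src-address=$localIp
    :log info "ipsec-ddns: policy updated, src=$localIp dst=$remoteIp"
}
```

Because the tunnel endpoint now follows whatever the DNS lookup returns, the logged "policy updated" lines are worth keeping as a record of every endpoint change.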

Re: Dynamic ip site to site ipsec help

Posted: Sat Jan 05, 2019 8:46 am
by nkaroly
It helped me, but you need to enable "Inline comments" for this script, otherwise it only creates the first two environment variables.

Re: Dynamic ip site to site ipsec help

Posted: Thu Jul 23, 2020 12:39 pm
by atakacs
I'm a bit confused about this. How is the new IP "passed" to the other peer? I understand that you check the local IP and if it changes you modify the IPsec profiles - locally it is pretty trivial, but how do you "signal" the remote peer to adapt?