
Second script no updating IPSEC peer

Posted: Fri Feb 25, 2011 7:00 pm
by jbabbtech
I have a 750 acting as a hub for 4 VPN connections. Two VPNs are plain vanilla static to static. The other two are static to dynamic. The first dynamic works fine with the use of a script for dynamically changing policy and peer. The second dynamic script, which is exactly the same as the first, will resolve but not update the peer and policy. I have combined the two scripts below:

:local resolvedIP [:resolve "xxx.dyndns.org"];
/log info "$resolvedIP";
/ip ipsec peer set 2 address="$resolvedIP"
/ip ipsec policy set 2 sa-dst-address="$resolvedIP"
#
:local resolveIP [:resolve "yyy.dyndns.org"];
/log info "$resolveIP";
/ip ipsec peer set 3 address="$resolveIP"
/ip ipsec policy set 3 sa-dst-address="$resolveIP"

Re: Second script no updating IPSEC peer

Posted: Fri Feb 25, 2011 11:13 pm
by psamsig
Here is what I use:
/ip ipsec {
    :foreach i in=[peer find comment~"^\\+.*"] do={
        :local curPeerIP [peer get $i address]
        :set curPeerIP [:pick $curPeerIP 0 [:find $curPeerIP "/" -1]]

        :local dnsName [peer get $i comment]
        :set dnsName [:pick $dnsName 1 [:len $dnsName]]
        :local dnsAddress [:resolve $dnsName]
        
        :if ($curPeerIP != $dnsAddress) do={
            policy set [policy find sa-dst-address=$curPeerIP] sa-dst-address=$dnsAddress;
            peer set $i address=($dnsAddress . "/32:500");
        }
    }
}
I add the DNS name as comment to the ip ipsec peer, prefixed with a + like "+xxx.dyndns.org" (it is part of a larger script complex that enables and disables dynamic update with different prefix characters). It only makes changes when needed, and it can handle multiple policies per peer.
ipsec peer comments were introduced a while back, but haven't found their way into WinBox yet, so add by CLI.

Re: Second script no updating IPSEC peer

Posted: Thu Mar 10, 2011 3:51 am
by jbabbtech
I like the attached script but I still don't understand why the set property does not work correctly.

Re: Second script no updating IPSEC peer

Posted: Thu Mar 10, 2011 3:55 am
by fewi
Probably because you cannot just use item numbers in scripts. You should find the peer item, and then set on that found item.

Re: Second script no updating IPSEC peer

Posted: Sat Jan 28, 2012 5:08 pm
by pbalazs123
Hi folks!

I know this is a bit of an outdated topic, but I need help with this script. My problem is that my destination and source addresses are dynamic too. I need a script that can update sa-dst-address and sa-src-address too. Can someone write another script? It's urgently needed.

Example pictures of what I need: [two images, not reproduced here]

Thank you!
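The following RouterOS script is an added example, not code posted in this thread. It puts together fewi's point (locate the peer with find and set on the returned item id, never on a numbered position) and the request above to keep sa-src-address in sync as well when the hub's own address is dynamic. It assumes the RouterOS v5 syntax used in this thread (peer address in "a.b.c.d/32:500" form, policies with sa-src-address and sa-dst-address), the "+dnsname" peer-comment convention from psamsig's post, and a hub DNS name in the localName variable (hub.example.dyndns.org is a placeholder).

```routeros
# Added example, not code from the thread: sync the peer address and both
# policy SA addresses to DNS names when either end is dynamic.
# Assumes RouterOS v5 syntax as used in this thread (peer address
# "a.b.c.d/32:500", policy sa-src-address / sa-dst-address).
# Assumed conventions: the remote DNS name is the peer comment prefixed
# with "+" (as in psamsig's post); the hub's own DNS name is set below.
:local localName "hub.example.dyndns.org"
:local localIP [:resolve $localName]

/ip ipsec {
    # Only peers whose comment starts with "+" are managed by this script.
    :foreach i in=[peer find comment~"^\\+.*"] do={
        :local peerComment [peer get $i comment]
        :local remoteName [:pick $peerComment 1 [:len $peerComment]]
        :local remoteIP [:resolve $remoteName]

        # Current peer address is "a.b.c.d/32:500"; keep only the IP part
        # and convert it to an ip value so it compares cleanly with :resolve.
        :local curAddr [peer get $i address]
        :local curRemote [:toip [:pick $curAddr 0 [:find $curAddr "/"]]]

        # Remote side moved: update every policy that points at the old
        # address, then the peer itself. Item ids returned by "find" are
        # used throughout; numeric positions are never relied on.
        :if ($curRemote != $remoteIP) do={
            :log info ("ipsec: " . $remoteName . " changed " . $curRemote . " -> " . $remoteIP)
            policy set [policy find sa-dst-address=$curRemote] sa-dst-address=$remoteIP
            peer set $i address=([:tostr $remoteIP] . "/32:500")
        }

        # Local side moved: fix sa-src-address on this peer's policies only.
        :foreach p in=[policy find sa-dst-address=$remoteIP] do={
            :if ([policy get $p sa-src-address] != $localIP) do={
                :log info ("ipsec: local address changed to " . $localIP)
                policy set $p sa-src-address=$localIP
            }
        }
    }
}
```

Run it from /system scheduler at the interval your DNS TTL allows. Changes are written only when an address actually differs, so established SAs are not torn down on every run. If :resolve fails (DNS down, name not yet updated), the script stops with an error on that run and leaves the configuration untouched, which is the failure mode you want for a VPN hub.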

Re: Second script no updating IPSEC peer

Posted: Sat Feb 04, 2012 5:27 pm
by pbalazs123
No one can help? :(