Script to disable IPSec peers
Posted: Wed Aug 07, 2013 2:42 pm
by leonset
Hello
I'm trying to find a way to disable all or a set of IPSec peers within a script in v6.2. In theory something like this should do the trick:
/ip ipsec peer enable [/ip ipsec peer find port=500]
But it doesn't... it just enables the first peer (number 0) and then the terminal prompt just hangs. The strange thing is that the same line, but replacing enable with disable, works OK:
/ip ipsec peer disable [/ip ipsec peer find proposal-check="obey"]
Maybe a bug?
Thanks!
Re: Script to disable IPSec peers
Posted: Wed Aug 07, 2013 2:59 pm
by efaden
Hello
I'm trying to find a way to disable all or a set of IPSec peers within a script in v6.2. In theory something like this should do the trick:
/ip ipsec peer enable [/ip ipsec peer find port=500]
But it doesn't... it just enables the first peer (number 0) and then the terminal prompt just hangs. The strange thing is that the same line, but replacing enable with disable, works OK:
/ip ipsec peer disable [/ip ipsec peer find proposal-check="obey"]
Maybe a bug?
Thanks!
I have never used it that way. I always used loops like below. I wasn't aware that a single command like that worked if find returned more than one.
/ip ipsec peer {
    # iterate over every peer matched by find and enable each one
    :foreach i in=[find port=500] do={
        enable $i
    }
}
Re: Script to disable IPSec peers
Posted: Wed Aug 07, 2013 3:14 pm
by leonset
Yes, I have used this to en/disable IPSec policies since almost forever:
/ip ipsec policy enable [find sa-src-address=1.2.3.4]
Your script block doesn't work, exactly the same behavior: only the first peer gets enabled and then the prompt halts until I press Ctrl+C.
Thanks!
Re: Script to disable IPSec peers
Posted: Wed Aug 07, 2013 3:22 pm
by efaden
Yes, I have used this to en/disable IPSec policies since almost forever:
/ip ipsec policy enable [find sa-src-address=1.2.3.4]
Your script block doesn't work, exactly the same behavior: only the first peer gets enabled and then the prompt halts until I press Ctrl+C.
Thanks!
Good to know that works... As for 6.2, I switched back to 6.1 because it was too buggy. My guess would be that you found another bug where find only returns the first or something.
Re: Script to disable IPSec peers
Posted: Wed Aug 07, 2013 3:36 pm
by leonset
I have sent an email to support about this issue, I'll post the answer here...
I can't use 6.1 because it has bugs with IPSec, can't use v6.0 because it has a bug with VRRP, can't use v5.x because it has problems with Mangle rules and performance with RB1000... I hope that I get a "good" version for me soon, I'm having too many headaches with Mikrotik lately!!
Thanks for your help!
Re: Script to disable IPSec peers
Posted: Fri Jun 30, 2017 1:38 pm
by n4p
Hi,
I need to push this thread, because I am currently searching for the same solution. Is there any way to disable IPsec peers with a script which looks at the firewall address list?
Background for that is, I detect bad peers on the firewall and blacklist them. To prevent them from doing more bad stuff I wanna disable their IPsec peer until it is locally checked.
Thanks for help!
Re: Script to disable IPSec peers
Posted: Sat Jul 01, 2017 3:01 pm
by efaden
Hi,
I need to push this thread, because I am currently searching for the same solution. Is there any way to disable IPsec peers with a script which looks at the firewall address list?
Background for that is, I detect bad peers on the firewall and blacklist them. To prevent them from doing more bad stuff I wanna disable their IPsec peer until it is locally checked.
Thanks for help!
It shouldn't be hard. Just iterate over the peers and then search if they are in the address list. But I don't have anything off hand to do it. I'd have to write it.
Re: Script to disable IPSec peers
Posted: Sat Jul 01, 2017 9:44 pm
by n4p
Yeah,
it would be great if you can give me some advice.
My idea was to check the address list every second or something like that and look if there is a peer with name blacklist.
There I need to look at the IP range, whether it is 172.8.10.xxx or 172.8.11.xxx, and search with this for the matching IPsec peer/policy.
That's the way it should work, but the problem is that I need some help to get there.
Re: Script to disable IPSec peers
Posted: Sat Jul 01, 2017 10:13 pm
by efaden
Can't you just use the address list to block the IPsec through the firewall? It would be much, much more efficient than running a script that frequently.
Re: Script to disable IPSec peers
Posted: Sun Jul 02, 2017 8:51 pm
by n4p
The idea behind that was to make the system more secure. I have only one engine behind every IPsec tunnel.
And if there was a security issue or somebody tries to attack the server, I wanna block them completely until an employee takes a look at that engine.
Re: Script to disable IPSec peers
Posted: Sun Jul 02, 2017 10:47 pm
by msatter
I use IPSEC on location or when I am in a location with WiFi. I use port knocking to request a certain number of hours, 1-8. The IP address I am on is entered in the address list to grant me access to port 400+4500.
When I need more time than I estimated before, I just knock again, but I first have to disconnect the IPSEC because I am still on a private address. The time will be added to, or set if there was no time left.
I can also knock to remove the entry in the address list by running a scheduled script on a set interval which looks for the addresses to remove.
Re: Script to disable IPSec peers
Posted: Wed Jul 05, 2017 9:40 pm
by n4p
That's not really a help for me, because I use site-to-site tunnels. And if there is a security issue I wanna block this tunnel.
But if there is nothing, the tunnel should be up every time.
Re: Script to disable IPSec peers
Posted: Wed Jul 05, 2017 10:11 pm
by msatter
What is the result of this:
:put [/ip ipsec remote-peers find remote-address~"172.8.1[0-1].*"];
If you want to remove those addresses then this should do it:
:put [/ip ipsec remote-peers remove [find remote-address~"172.8.1[0-1].*"]];
However I see the client connecting again and only after a few times it gives up.
You want to look at names and compare them to policies, so I need more info on that. I use IKEv2, so no names.
Re: Script to disable IPSec peers
Posted: Fri Jul 07, 2017 11:21 am
by n4p
Thanks for the answer,
my idea is not only to disconnect them, I wanna disable their profile.
For our setup it's not possible that this happens at any time, only if anybody tries to attack the server. The outstanding peers normally should connect every time and stay up.
So what I have done until now is:
I added firewall rules to identify them and add the IP address to the blacklist.
My idea was to read this blacklist with a script and identify the third octet from the blacklisted IP. With this octet I know the peer policy. My system is configured so that this octet is always the same, also in the WAN IP which establishes the tunnel.
Hope you can understand what I mean.
Thanks for help!
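A script in the shape n4p describes above (and that efaden sketched earlier: iterate over the peers and check them against the address list), as an added example that is not code from the thread or from MikroTik. It assumes RouterOS v6.x, where `/ip ipsec peer` carries an `address` field such as `172.8.10.1/32`, an address list named `blacklist` (a constructed name), and that a peer and the host attacking through it share the third octet, as in n4p's setup.

```routeros
# Added example: disable every IPsec peer whose address shares its
# third octet with an entry in the "blacklist" address list.
# Assumes RouterOS v6.x with /ip ipsec peer "address" like 172.8.10.1/32.
:local listName "blacklist"
:local octetMask 0.0.255.0

:foreach e in=[/ip firewall address-list find list=$listName disabled=no] do={
    # Entries added by a firewall rule are plain IPv4 addresses; drop a
    # "/prefix" in case an operator added one by hand.
    :local blAddr [/ip firewall address-list get $e address]
    :local slash [:find $blAddr "/"]
    :if ([:typeof $slash] != "nil") do={ :set blAddr [:pick $blAddr 0 $slash] }
    :local blIp [:toip $blAddr]

    # Skip entries that are not IPv4 (for example hostnames).
    :if ([:typeof $blIp] = "ip") do={
        :local blOctet ($blIp & $octetMask)

        :foreach p in=[/ip ipsec peer find disabled=no] do={
            :local peerAddr [/ip ipsec peer get $p address]
            :local pslash [:find $peerAddr "/"]
            :if ([:typeof $pslash] != "nil") do={ :set peerAddr [:pick $peerAddr 0 $pslash] }
            :local peerIp [:toip $peerAddr]

            :if ([:typeof $peerIp] = "ip") do={
                # Same third octet: this peer belongs to the blacklisted host.
                :if (($peerIp & $octetMask) = $blOctet) do={
                    :log warning ("blacklist entry " . $blAddr . " matches IPsec peer " . $peerAddr . "; disabling it")
                    /ip ipsec peer disable $p
                }
            }
        }
    }
}
```

Run it from `/system scheduler` at the interval you need; it only ever disables, so re-enabling a peer after the local check stays a manual step, as n4p wants.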
Re: Script to disable IPSec peers
Posted: Fri Aug 24, 2018 10:03 am
by Prister
I have the same problem in version 6.40.8!
How to solve this problem?