Connecting 2 MK's using IPsec, 1 side with dynamic IP

RouterOS Beginner Basics
1

Hi,

I’m trying to connect 2 distant LAN’s using one MK in each point. The 2 MK’s reach the Internet through ADSL modems but one of them (let’s call it Remote Router) has dynamic IP using PPPoe and the other has fixed IP (Local Router). I’m trying to set up the Local Router to generate automatically the ipsec policy because there is no known address in the remote side. I followed the Ref manual v2.9 example IPsec Between two Masquerading MikroTik Routers. Here is the scenario and configuration:

Local Router:
Public IP: 189.xxx.xxx.19
Local Net: 192.168.0.0/24

ip firewall nat add chain=srcnat src-address=192.168.0.0/24
... dst-address=192.168.10.0/24

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024

/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=
sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=
“12345” send-initial-contact=no



Remote Router:
Public IP: dynamic using PPPoe client
Local Net: 192.168.10.0/24

ip firewall nat add chain=srcnat src-address=192.168.10.0/24
... dst-address=192.168.0.0/24

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024

/ip ipsec peer
add address=189.xxx.xxx.19/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=
sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=
“12345” send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.0.0/24:any
ipsec-protocols=esp level=require priority=0 proposal=default protocol=
all sa-dst-address=189.xxx.xxx.19 sa-src-address=0.0.0.0 src-address=
192.168.10.0/24:any tunnel=yes

Please could one to help me why this is not working? I could only to make the tunnel if specifying in the policy either the src-address, sa-src-address with the real dynamic public IP and the dst-address/sa-dst-address with the public IP from Local Router. But this not desired obviously because I need the tunnel with the LAN addresses so I’ve configured them in the sa policy adresses

Any ideas?

2

Did you figure this out?

It seems it is not possible to do IPSec on mikrotik routeros with dynamic IP without using hacky scripts like here http://forum.mikrotik.com/t/ipsec-dynamic-ip-script/2734/1 from 2005.

The ipsec tunnel works if I specify the dynamic IP address of the remote peer in the local peer address field, but if I leave it 0.0.0.0 then it gives a message “couldn’t find configuration”. My routeros is 3.28/3.30.

In this thread http://forum.mikrotik.com/t/ipsec-from-dynamic-ip/28425/1 the fellow runs into the same “couldn’t find configuration” error message and says he got it to work eventually, but does not report how.

3

Hey guys, this is easily done when one side has a static IP.

Check my refernce slides and video.

http://gregsowell.com/?p=1290

4

Hi gregsowell,

I’ve just checked your slides. Great job!

I’ve considering the slides showing two Mikrotiks with one private IP even in my case I have both public IP’s with one side being dynamic (PPPoE). You suggest to put the private WAN IP in SA Src Address from IPSEC policy but in my setup this site gets public IP from PPPoE so it has no IP until the connection establish. I’ve tested to put 0.0.0.0 and it seems to work but I’m not sure because I’m using L2TP with IPsec and in this virtual interface no traffic is shown. But I’m sure there is traffic because I can communicate from both sides (the dynamic side needs to start the communication).

You did not mention anything about to using L2TP but only IPSec so I’m not sure it your setup is similar.

Regards,

William.

5

William,

L2TP creates virtual interfaces, so anything you want to traverse that l2tp connection should be route to the IP address bound to the l2tp interface at the far site. I assume you already did this since you are routing, I just figured I would note it for others. :slight_smile: