Dynamic IPSec Updater (EoIP, GRE, IPIP)...

Hey all,

I am working on an updater script to update my GRE/IPIP/EoIP over IPSec tunnels. Figured it may be useful to others so here it is…

Basically what it does is look through the IPSec peers that have a comment in the format

+(eoip|gre|ipip|none)+hostname

... it resolves the hostname, and then looks for the tunnel and policy with the same comment. It updates the appropriate settings… I just finished my initial test, but this is definitely not 100% yet. Let me know if you found it useful.

(Also… this script was based off a script I found on the forum, that I upgraded.)

-Eric

#
# Variables
#
:local CurrentLocalSite [:resolve LOCALHOSTNAME]


:local DisablePeer false
:local FlushSAs false
:local KillConnections false
:local forceUpdate false


#
# Script <Don't Edit Below This>
#
:global LocalSite 
:local hadUpdate (false || $forceUpdate) 

:if ($CurrentLocalSite != $LocalSite) do={
  :set forceUpdate true
  :set hadUpdate true

  :set LocalSite $CurrentLocalSite
}

/ip ipsec {
    :foreach i in=[peer find comment~"^\\+.*"] do={
        :local RemoteSite [peer get $i address]
        :set RemoteSite [:pick $RemoteSite 0 [:find $RemoteSite "/" -1]]

        :local comment [peer get $i comment]
        
        :local PolicyNumber [/ip ipsec policy find comment=$comment]
        :local PeerNumber $i

        :local tcomment [:pick $comment 1 [:len $comment]]
        :local mode [:pick $tcomment 0 ([:find $tcomment "+"])]
        :local dnsName [:pick $tcomment ([:find $tcomment "+"]+1) [:len $tcomment]]
        :local CurrentRemoteSite [:resolve $dnsName]

        :if ($RemoteSite != $CurrentRemoteSite || $forceUpdate) do={
            peer set $PeerNumber address="$CurrentRemoteSite/32"

            :if ($DisablePeer) do={
                peer disable $PeerNumber
                peer enable $PeerNumber  
            }      

            :if ($mode = "eoip") do={
                policy set $PolicyNumber dst-address="$CurrentRemoteSite/32" src-address="$CurrentLocalSite/32" sa-dst-address=$CurrentRemoteSite sa-src-address=$CurrentLocalSite

                :local TunnelNumber [/interface eoip find comment=$comment]
                /interface eoip set $TunnelNumber remote-address=$CurrentRemoteSite
            } else={
                :if ($mode = "ipip") do={
                    policy set $PolicyNumber dst-address="$CurrentRemoteSite/32" src-address="$CurrentLocalSite/32" sa-dst-address=$CurrentRemoteSite sa-src-address=$CurrentLocalSite

                    :local TunnelNumber [/interface ipip find comment=$comment]
                    /interface ipip set $TunnelNumber remote-address=$CurrentRemoteSite local-address=$CurrentLocalSite
                } else={
                    :if ($mode = "gre") do={
                        policy set $PolicyNumber dst-address="$CurrentRemoteSite/32" src-address="$CurrentLocalSite/32" sa-dst-address=$CurrentRemoteSite sa-src-address=$CurrentLocalSite

                        :local TunnelNumber [/interface gre find comment=$comment]
                        /interface gre set $TunnelNumber remote-address=$CurrentRemoteSite
                    } else={
                        policy set $PolicyNumber sa-dst-address=$CurrentRemoteSite sa-src-address=$CurrentLocalSite
                    }
                }
            }
            
            :set hadUpdate true  
        }
    }

    :if ($hadUpdate) do={
        :if ($FlushSAs) do={
            /ip ipsec installed-sa flush
        }

        :if ($KillConnections) do={
            /ip ipsec remote-peers kill-connections 
        }
    }
}
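As an added illustration (not part of Eric's script), here is a Python model of the decision logic above: it parses the `+mode+hostname` comment, compares the resolved address with the peer's current one, and returns the RouterOS commands the updater would issue for each tunnel mode. The comment check is stricter than the script's `^\+.*` match, the resolver is a caller-supplied callable, and all hostnames and addresses in the test are constructed sample values.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Comment format the updater keys on: +<mode>+<hostname>, e.g. "+gre+branch.example.net".
# Unlike the script's "^\+.*" match, only the four known modes are accepted.
COMMENT_RE = re.compile(r"^\+(eoip|gre|ipip|none)\+([A-Za-z0-9.-]+)$")


def parse_comment(comment: str) -> Optional[Tuple[str, str]]:
    """Return (mode, hostname), or None if the comment is not in the expected format."""
    m = COMMENT_RE.match(comment)
    return (m.group(1), m.group(2)) if m else None


def plan_updates(peer: Dict[str, str], local_ip: str,
                 resolve: Callable[[str], str], force: bool = False) -> List[str]:
    """Return the RouterOS commands the updater would run for one peer.

    peer is a dict like {"comment": "+gre+host", "address": "198.51.100.7/32"} (constructed
    shape, mirroring the two peer properties the script reads); resolve maps hostname -> IP.
    An empty list means the address is unchanged and nothing would be touched.
    """
    parsed = parse_comment(peer["comment"])
    if parsed is None:
        return []
    mode, host = parsed
    # Strip the "/32" the script appends, and reject anything that is not a plain IP.
    current = str(ipaddress.ip_address(peer["address"].split("/")[0]))
    new = str(ipaddress.ip_address(resolve(host)))  # raises if the resolver returns junk
    if current == new and not force:
        return []
    sel = f'[find comment="{peer["comment"]}"]'  # peer, policy and tunnel share the comment
    cmds = [f"/ip ipsec peer set {sel} address={new}/32"]
    sa = f"sa-dst-address={new} sa-src-address={local_ip}"
    if mode == "none":
        # No tunnel interface: only the SA endpoints on the policy move.
        cmds.append(f"/ip ipsec policy set {sel} {sa}")
    else:
        cmds.append(f"/ip ipsec policy set {sel} dst-address={new}/32 "
                    f"src-address={local_ip}/32 {sa}")
        # IPIP also carries a local-address; EoIP and GRE only need the remote side.
        extra = f" local-address={local_ip}" if mode == "ipip" else ""
        cmds.append(f"/interface {mode} set {sel} remote-address={new}{extra}")
    return cmds
```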

Hello, which version did you test this against? It seems not to be working with version 6.12.

I debugged further

:local PolicyNumber [/ip ipsec policy find comment=$comment]

isn't working anymore in 6.12, but I can't directly find the needed change.

Yeah… they started enforcing that you can’t use the variable name that matches a key.

So change the $comment variable to $peerComment and it should work.

Ok, thank you, I will try that. It would be useful if they noted things like that in the release notes / change logs as well.