Dyndns tunnel if-then-else edit needed.

Using bits of script from this thread and Greg Sowell’s tutorial and examples, I have a Tik with a DynDNS WAN and IPsec tunnels with DynDNS entries for both SA-Src and SA-Dst in each tunnel pointed back at the Tik.


In the Tik scripts here, there is an IF, Then, Else portion for the Tik’s WAN…if no update is needed after resolve, no action is taken…and I use that for this Tik, even though it probably won’t ever get another address…but just in case, it’s there.

I need close to the same thing for this code…

I am resolving both the local and the remote dyndns for each tunnel via a scheduled script every ten minutes and updating the policy and peer for each tunnel…in order.

Works great…but, every time it resolves, even if it gets the same result, it updates the peer and policy of every tunnel, resulting in new SAs, i.e. a tunnel setup, every ten minutes.

A packet or two drops but the stream continues…however…SAs build up and take an hour to be flushed, and with 20 tunnels that is a lot of SAs. If the if-then-else arguments can be edited into these scripts…the SAs would not pile up so badly.


I need to resolve every ten minutes because I am checking for an address change on failover at those tunnel ends.

So, can a “fetch, check a variable, change if necessary, otherwise leave alone” script be written for each tunnel’s local and remote site DynDNS?

I think I am close, but a push in the right direction would be appreciated.

I am resolving the local site with a different variable for the same IP address for each tunnel…it may not be needed, but it worked. It populates the peers and policies perfectly for all 20 tunnels.

I would just like to change the tunnel ip addresses only when needed by a change after resolve.



add name="Tunnel 0" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":global LocalSite [:resolve x1.dyndns.org]\r\
    \n:global RemoteSite0 [:resolve y1.dyndns.org]\r\
    \n/ip ipsec policy set 0 sa-dst-address=\$RemoteSite0 sa-src-address=\$Loc\
    alSite \r\
    \n/ip ipsec peer set 0 address=\$RemoteSite0"
add name="Tunnel 1" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":global LocalSite1 [:resolve x1.dyndns.org]\r\
    \n:global RemoteSite1 [:resolve y2.dyndns.org]\r\
    \n/ip ipsec policy set 1 sa-dst-address=\$RemoteSite1 sa-src-address=\$Loc\
    alSite1 \r\
    \n/ip ipsec peer set 1 address=\$RemoteSite1\r\
    \n"
add name="Tunnel 2" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source=":global LocalSite2 [:resolve x1.dyndns.org]\r\
    \n:global RemoteSite2 [:resolve y3.dyndns.org]\r\
    \n/ip ipsec policy set 2 sa-dst-address=\$RemoteSite2 sa-src-address=\$Loc\
    alSite2\r\
    \n/ip ipsec peer set 2 address=\$RemoteSite2\r\
    \n"

Like this?
In this case you need two conditions to change the IP.

{
:local LocalSite [:resolve x1.dyndns.org]
:local RemoteSite0 [:resolve y1.dyndns.org]
:local iplocal [/ip ipsec policy get 0 sa-src-address]
:local remoteip [/ip ipsec policy get 0 sa-dst-address]
# two conditions: the tunnel is rewritten if either endpoint address changed,
# so an unchanged pair is left alone and no new SA is negotiated
# (src-address/dst-address are the traffic selectors; set them to the
# endpoint /32s only if this is a host-to-host policy)
:if (($iplocal != $LocalSite) || ($remoteip != $RemoteSite0)) do={
    /ip ipsec policy set 0 sa-dst-address=$RemoteSite0 dst-address="$RemoteSite0/32" sa-src-address=$LocalSite src-address="$LocalSite/32"
    /ip ipsec peer set 0 address=$RemoteSite0
}
}

WOW!

Thank you…I will try it…looks like exactly what I want!! And it helps me understand how to do the next set of arguments for other scripts I may need.

Thanks again, I will post the results.

I really appreciate it, my education in all things MT continues.


KARMA added for you!!!

Thank you,

I used your example and was able to figure out what I wanted for the possibility of a remote IP change at the far end of the tunnel, without changing the policy or peer when NOT needed.

:global RemoteSite0 [:resolve remotesite0.dyndns.org]
:global remoteip0 [/ip ipsec policy get 0 sa-dst-address]
# set condition for changing the IP of the ipsec tunnel:
# only touch policy 0 / peer 0 when the resolved remote address differs
:if ($remoteip0 != $RemoteSite0) do={
    /ip ipsec policy set 0 sa-dst-address=$RemoteSite0
    /ip ipsec peer set 0 address=$RemoteSite0
}

I wanted to use global variables , for each tunnel, so I could look at the table to see what was currently being used.

thanks again…on to the next …
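As an added example (not a script from this thread), the same check generalized to all tunnels in one scheduled job, with the two failure modes the per-tunnel snippets above do not handle: a DNS lookup that fails must not overwrite a working tunnel, and a policy/peer must be found by a comment rather than by print index. It assumes x1.dyndns.org is the router's WAN name, the remote names in $remoteNames, and that policy N and peer N both carry the comment "tunnelN" (all placeholders).

```routeros
# Added example, not the thread's own script: one scheduled job that walks
# every tunnel and rewrites a policy/peer only when a resolved address differs.
# Placeholders: x1.dyndns.org (local WAN name), $remoteNames, comment "tunnelN".
:local localName "x1.dyndns.org"
:local remoteNames {"y1.dyndns.org";"y2.dyndns.org";"y3.dyndns.org"}

# Resolve the local WAN name once; abort the whole run if DNS fails so a
# lookup error never replaces a working address with an empty one.
:local localIp ""
:do { :set localIp [:resolve $localName] } on-error={
    :log warning "ipsec-dyndns: cannot resolve $localName, skipping run"
    :error "resolve failed"
}

:local idx 0
:foreach remoteName in=$remoteNames do={
    :local tag "tunnel$idx"
    :local pol [/ip ipsec policy find comment=$tag]
    :local peer [/ip ipsec peer find comment=$tag]
    :local remoteIp ""
    :local ok true
    :do { :set remoteIp [:resolve $remoteName] } on-error={ :set ok false }
    :if (!$ok) do={
        :log warning "ipsec-dyndns: cannot resolve $remoteName, $tag left unchanged"
    } else={
        :if (([:len $pol] = 1) && ([:len $peer] = 1)) do={
            :local curSrc [/ip ipsec policy get $pol sa-src-address]
            :local curDst [/ip ipsec policy get $pol sa-dst-address]
            # Either endpoint changing needs an update; an unchanged pair is
            # left alone so no new SA is negotiated every ten minutes.
            :if (($curSrc != $localIp) || ($curDst != $remoteIp)) do={
                /ip ipsec policy set $pol sa-src-address=$localIp sa-dst-address=$remoteIp
                /ip ipsec peer set $peer address=$remoteIp
                :log info "ipsec-dyndns: $tag updated, now $localIp -> $remoteIp"
            }
        } else={
            :log warning "ipsec-dyndns: no unique policy/peer with comment $tag"
        }
    }
    :set idx ($idx + 1)
}
```

Run it from /system scheduler every ten minutes in place of the per-tunnel scripts; the log then shows exactly which tunnel changed and when.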