Feature request - DNS names in IPsec

Hello,

Please add ability to use DNS names in:

IP-IPsec-Policies-General\Action-Dst.Address
IP-IPsec-Peers-General-Address

+1.
And by all means make IP changes and DNS updates get reflected in peers and other IPsec-related settings.

+1

For me it's a very relevant function.

+1

I rely on scripting to make this work at the moment. It would be nice to have this natively supported by ROS as was done in EoIP tunnels etc.

Can you share your script? I would be very obliged.

Here it is.

# Dynamic DNS name of the remote peer, and the comment that tags the
# IPsec peer and policy this script is allowed to rewrite.
:local ddnsname "ddns.example.net";
:local ipseccomment "a unique comment";
:global prevddns;

# First run: the global does not exist yet, so seed it with a value that
# can never equal a resolved address and therefore forces one initial update.
:if ([ :typeof $prevddns ] = "nothing" ) do={ 
	:global prevddns 0.0.0.0/0
}

# Note: :resolve aborts the script with an error if the lookup fails;
# nothing below runs in that case and the previous configuration stays in place.
:local currentddns [:resolve "$ddnsname"];

:if ($prevddns = $currentddns) do={
	#:log info ("No DDNS change...")
} else={

	:log info ("DDNS IP address changed from " . "$prevddns" . " to " . "$currentddns" )
	
	# find returns the ids of every policy/peer carrying the comment
	# (an empty list if none matches, in which case the set commands do nothing)
	:local PolicyNumber [/ip ipsec policy find comment=$ipseccomment]
	:local PeerNumber [/ip ipsec peer find comment=$ipseccomment]

	# Point the peer and the policy (including its SA destination) at the new address
	/ip ipsec peer set $PeerNumber address="$currentddns/32"
	/ip ipsec policy set $PolicyNumber dst-address="$currentddns/32" sa-dst-address="$currentddns"
	# Bounce the peer and tear down existing SAs and connections so the
	# tunnel re-establishes to the new address
	/ip ipsec peer disable $PeerNumber
	/ip ipsec peer enable $PeerNumber 
	/ip ipsec installed-sa flush
	/ip ipsec remote-peers kill-connections

	:log info ("Updated IPsec")
	
	# Remember the address so the next run only acts on a change
	:global prevddns $currentddns;
}

It’s nothing fancy but it works for me.

You need to edit ddnsname to your (dynamic) DNS record.
And you need to set a unique comment on the IPsec Peer and Policy you need to dynamically change when the DNS IP changes. Both Peer and Policy must have the same comment.
You then set the same comment in the ipseccomment variable in the second line of the script.

You finally configure the script to run via the System > Scheduler every X seconds or minutes.
I run my own DDNS service with a 1-second TTL, so the new IP gets propagated almost immediately, and I run the script every 3 seconds.
If your DDNS service has a higher TTL, then running it so often doesn't make much sense, but it's lightweight anyway, so you could even run it every 1 second.

All the script does is resolve the DDNS name and compare it to whatever it was during the last run (or, if it's the first time it runs, set it to 0.0.0.0/0 just to initialize the variable). If the resolved IP has changed, it updates the IPsec policy and peer, then disables/enables the peer and flushes IPsec connections.

I don't know if it is the proper/best way to do it, but it has been working for me for many years without any problems :)

Feel free to use/edit as you please.
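The following is an added example, not the poster's script, showing the same DDNS-to-IPsec update loop with the two failure modes handled that the posted version leaves silent: a failed DNS lookup aborting the script mid-way, and a comment that matches no peer or policy turning the update into a no-op while the stored address is still advanced. The DNS name and the comment string are placeholders, and it uses the same RouterOS v6 command paths as the original (the `remote-peers` path differs in later releases).

```routeros
# Added example (not the original poster's script). Placeholder values:
# "ddns.example.net" and the comment string must be replaced as in the original.
:local ddnsname "ddns.example.net";
:local ipseccomment "a unique comment";
:global prevddns;

# First run: seed the global with a value that can never equal a real address.
:if ([:typeof $prevddns] = "nothing") do={
    :global prevddns 0.0.0.0/0
}

# :resolve raises a script error on failure; catch it so a transient DNS
# outage leaves the existing tunnel configuration untouched and is logged.
:local currentddns;
:do {
    :set currentddns [:resolve "$ddnsname"]
} on-error={
    :log warning ("DDNS lookup for " . $ddnsname . " failed; keeping " . "$prevddns")
}
:if ([:typeof $currentddns] != "ip") do={
    :error "resolve failed, no changes made"
}

:if ($prevddns != $currentddns) do={
    :local peers [/ip ipsec peer find comment=$ipseccomment]
    :local policies [/ip ipsec policy find comment=$ipseccomment]

    # find returns an empty array when nothing carries the comment; set on an
    # empty array is a silent no-op, so refuse to proceed (and do not advance
    # prevddns) rather than pretend the update happened.
    :if (([:len $peers] = 0) || ([:len $policies] = 0)) do={
        :log error ("No IPsec peer/policy carries comment " . $ipseccomment . "; nothing updated")
        :error "ipsec objects not found"
    }

    :log info ("DDNS IP address changed from " . "$prevddns" . " to " . "$currentddns")

    # Repoint peer and policy (including the SA destination) at the new address.
    /ip ipsec peer set $peers address="$currentddns/32"
    /ip ipsec policy set $policies dst-address="$currentddns/32" sa-dst-address="$currentddns"

    # Bounce the peer and tear down SAs so the tunnel re-establishes to the new
    # address. Note: installed-sa flush drops every SA on the router, not just
    # this peer's, exactly as in the original script.
    /ip ipsec peer disable $peers
    /ip ipsec peer enable $peers
    /ip ipsec installed-sa flush
    /ip ipsec remote-peers kill-connections

    # Only remember the new address once the update actually went through.
    :global prevddns $currentddns
    :log info ("Updated IPsec peer and policy for " . $ddnsname)
}
```

Scheduled the same way as the original, this variant retries on the next run after a lookup failure instead of leaving the stored address half-updated, and a misconfigured comment shows up in the log as an error rather than as a tunnel that silently never follows the DNS record.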

Thank you very much. Will try to use it in my environment.

Needed for me as well, +1.