I’m trying to write a script that updates ipsec if an ip / gateway changes.
I have a solution so far for cases where the router has the public IP on its interface.
But it’s not working in cases where double NAT is in place.
Now I’m looking for a solution to find out over which interface the traffic is currently flowing (I have backup connections).
I found sort of a hack, but that’s not working in every case:
:local WANip [/ip ipsec remote-peers get [find where remote-address=$destip] local-address]
Usually ‘local-address’ in ipsec remote-peers is the address I’m looking for,
but that lookup doesn’t always work.
Any idea?
I can’t look for a specific interface because I don’t know which interface is my default route right now…
I have to read up what that even is.
Another solution would be if I could use an ip that never changes as src-sa-address.
Tried that (again, did it already a long time ago) and to my surprise, on many routers it did work (took the IP of the LAN). But on one system it doesn’t.
No, VRRP is not what I need. Maybe I have to explain more closely what I’m talking about.
Let’s say I have 2 internet connections
one on ether1, IP 192.168.0.2 (as assigned by the cable modem) and
one on ether2, IP 192.168.2.2 (as assigned by the ADSL modem).
Of course the public IPs are different, the modems are doing NAT, too.
Now I’ve set up an IPsec connection to another router, and to get it working I have 192.168.0.2 as the sa-src-address.
If ether1 goes down, traffic gets routed over 192.168.2.1 and I’d need to put 192.168.2.2 as sa-src-address (or how do I avoid this? In some cases the LAN address seems to do as well, but why?). Where can I get the 192.168.2.2 address from?
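One way to answer the last question with RouterOS scripting, added here as an example and not taken from the thread: instead of guessing the interface, start from the route table. The active 0.0.0.0/0 route tells you the gateway; the DHCP client that learned that gateway (both uplinks here get their address from a modem by DHCP) tells you the interface and therefore the 192.168.x.2 address the modem handed out. That address is then pushed into the policy's sa-src-address and the peer's local-address only when it actually changed, so the SAs are not torn down on every run. The peer name "remote-office", the remote address 203.0.113.10 and the assumption that the WAN addresses come from /ip dhcp-client are placeholders for the setup described above; adjust them to the real configuration.

```routeros
# Example script (not from the thread): find the local address behind the
# currently active default route and update the IPsec config to use it.
# Assumptions: both WAN uplinks get their address via /ip dhcp-client
# (cable/ADSL modem doing NAT), one active default route at a time,
# the policy is identified by sa-dst-address, the peer by name.
:local destip 203.0.113.10
:local peerName "remote-office"

# 1. Which default route is active right now?
:local defRoutes [/ip route find where dst-address=0.0.0.0/0 and active=yes]
:if ([:len $defRoutes] = 0) do={ :error "no active default route" }
:local gw [/ip route get [:pick $defRoutes 0] gateway]

# 2. Map the gateway back to the uplink interface.
:local wanIf ""
:if ([:len [/interface find where name=$gw]] > 0) do={
    # gateway is an interface name (e.g. a PPPoE client): use it directly
    :set wanIf $gw
} else={
    # gateway is an IP handed out by the modem: the bound DHCP client knows the interface
    :local dc [/ip dhcp-client find where gateway=$gw and status="bound"]
    :if ([:len $dc] = 0) do={ :error ("no bound dhcp-client with gateway " . $gw) }
    :set wanIf [/ip dhcp-client get [:pick $dc 0] interface]
}

# 3. Read the address on that interface and strip the prefix length
#    ("192.168.2.2/24" -> "192.168.2.2").
:local addrs [/ip address find where interface=$wanIf]
:if ([:len $addrs] = 0) do={ :error ("no address on " . $wanIf) }
:local cidr [/ip address get [:pick $addrs 0] address]
:local wanIp [:pick $cidr 0 [:find $cidr "/"]]

# 4. Only touch IPsec when the source address really moved, so a scheduler
#    run every minute does not renegotiate SAs needlessly.
:local pol [/ip ipsec policy find where sa-dst-address=$destip]
:if ([:len $pol] = 0) do={ :error ("no IPsec policy towards " . $destip) }
:local cur [:tostr [/ip ipsec policy get [:pick $pol 0] sa-src-address]]
:if ($cur != $wanIp) do={
    :log info ("default route now via " . $wanIf . " (" . $wanIp . "), updating IPsec sa-src-address from " . $cur)
    /ip ipsec policy set $pol sa-src-address=$wanIp
    /ip ipsec peer set [find where name=$peerName] local-address=$wanIp
}
```

Run it from /system scheduler (every minute is usually fine) or hook it into the DHCP client's script option so it fires as soon as a lease changes. Two caveats for the double-NAT case: the script only sees the private address the modem gave the router, so the far end must accept the connection from whatever public address the modem presents (no fixed remote-address there, or NAT-T with the modem forwarding UDP 500/4500), and if the failover uses two routes with different distances you may want to check the route table right after a link flap, since the first run after the switch is the one that moves the SA.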