How to add public IP to address and IPsec peer's local address

Hi,
My MikroTik is behind a modem;
Modem Public : 176.41.xxx.xxx (Dynamic)
Modem Lan : 192.168.1.0/24

Mikrotik - UpLink(ether1) : 192.168.1.15/32 (WAN)
Mikrotik - bridge - Lan : 10.10.5.1/24 (eth 2-3-4-5)

I have a working IPsec VPN, but when the modem is rebooted my public IP changes.
For the IPsec VPN to work again, I need to add the new public IP address to:

/ip address set interface=UpLink address="New IP Address"
/ip ipsec peer set myvpn local-address="New IP Address"

Is there a way to add the new public IP address (IP → Cloud → Public Address) to "IP → Addresses" and "IP → IPsec → Peers → Local Address"?

Thanks,

For the local address, I don't think so.

Can you configure your modem in bridge mode, or perhaps you could use "Site to Site GRE tunnel over IPsec IKEv2 using DDNS":
https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-SitetoSiteGREtunneloverIPsec(IKEv2)usingDNS

My ISP doesn't allow bridge mode, and also MikroTik to Palo Alto IPsec over GRE or GRE over IPsec is not working (or I could not configure the tunnel lol).

Why don’t you accept that you’re behind NAT and live with it? If modem has the public address, it shouldn’t be duplicated on your router. Leave the Local Address empty. IPSec can handle it.

That is right, when you are behind NAT your “local address” in the GRE tunnel is the address you get on the 192.168.x.x network, not your public address.
So enter 192.168.1.15 in your case.
It is still advisable to make it static (not obtained using DHCP) and enter it in that field, I have bad experience with leaving it empty.
E.g. when the whole environment powercycles and the MikroTik comes up before the ISP router and starts setting up the tunnel before it has obtained the address, things go haywire.
(when doing this with IPv6 it fails completely, with IPv4 it will probably recover)

After leaving the local address empty my Palo Alto says "there is no config for 192.168.1.15 blah blah blah..." I think MikroTik uses the interface IP, not the public IP. So my address list:

[admin@Home] > /ip address print
 #   ADDRESS             NETWORK          INTERFACE
 0   10.10.2.1/24        10.10.2.0        Bridge_LAN
 1   176.41.XXX.XXX/32   176.41.XXX.XXX   UpLink
 2   192.168.1.15/24     192.168.1.0      UpLink

[admin@Home] > /ip ipsec peer print
 0   name="pa" address=28.28.XXX.XXX/32 local-address=176.41.XXX.XXX profile=ike_crypto exchange-mode=main send-initial-contact=yes

With this config, IPsec works well... But a modem restart is a big problem for me. I need a script to renew the UpLink interface IP and the local-address IP.

Is there a solution?

The modem needs to be doing srcnat (which I'd assume should be the default when it's in router mode); then anything from 192.168.1.15 to the internet will have its source changed to 176.41.x.x and the config on the remote device will match.

On the other hand, if your original config works and you’re happy with it, your plan with script is possible too. Give your address some unique comment and then you can do something like this:

:local Address [/ip cloud get public-address]
/ip address set [find where comment="pubaddr"] address=$Address

And similar with IPSec peer. It would be good to add some error checking and update address only when it actually changes, it shouldn’t be difficult, but RouterOS scripting doesn’t like me, so I’ll leave that to you (check manual).

It shouldn’t be this hard and complicated…

But it is. That is just IPsec. Look at your Palo Alto. It is complicated too. And it cannot even communicate with NATted GRE/IPsec peers.
When you do not want all this fuss you either need to find a connection without NAT (what about IPv6?) or not use IPsec.

Yep.. there's a lot missing in Palo Alto. I don't have a chance to get out from behind NAT..

I’d argue that it’s not that much complicated, or that RouterOS is not the only one to blame. IPSec can work behind NAT. I think that IKEv1 had it as extension, but IKEv2 has it built-in. And neither is too new, so everything should support it by now.

NAT extension for IKEv1 works only for tunnel mode, not for transport mode.
GRE over IPsec usually operates in transport mode because that is most efficient.
RouterOS knows to switch to tunnel mode automatically when NAT comes into play, but other routers cannot always do that.
There you have your first operational problem when using NAT.

Right, I keep forgetting about some parts of IPSec.

Hey guys.. @Sob, @pe1chl
My problem is not about IPsec. Actually this is a normal problem.. because the MikroTik is behind NAT. I need a script :slight_smile:

How can I add my public IP to:
/ip address set interface=UpLink address="Public IP"
/ip ipsec peer set myvpn local-address="Public IP"

Note:
Public IP : 172.41.XXX.XXX
Modem Wan : 10.XXX.XXX.XXX
Modem Lan : 192.168.1.0/24
Mikrotik Wan : 192.168.1.15
Mikrotik Lan : 10.10.5.0/24

The real problem is my ISP … !!! Even if I could put the modem in bridge mode, which I can't, the problem would not be fixed.

But it will not work when you set your public IP as the local IP in IPsec when in fact you are behind NAT!
In that case you have to set it to the local IP (RFC1918) you got behind NAT.
Also, when you have double NAT (e.g. because you have a local router that does NAT and then you have carrier NAT at the provider as well) it usually will not work at all.
(depending on the exact IPsec profile that you are using)
That is because the port number potentially is translated twice, and the IPsec profile checks the port number and it does not match.
That is something you can work around by using generate-policy=port-override in the ipsec identity. (instead of port-strict)

And in addition to @Pe1chl's post, in case of double NAT (i.e. ISP CG-NAT and NAT in your own router) or/and for example if both endpoints are behind NAT, there are various techniques for NAT traversal like "hole punching" used by SIP/STUN and similar.

Unfortunately there is no standard to solve this in IPsec, though some suppliers have this sorted out by their own custom-made solutions like Cisco Meraki.

Bro.. my IPsec is WORKING !!! I only need a script which can add the new IP address to:

/ip address set interface=UpLink address="New IP Address"
/ip ipsec peer set myvpn local-address="New IP Address"

Because my public IP is dynamic, and I don't understand why, but my public IP is changing every day..

And of course the working solution is to setup the IPsec tunnel over IPv6.
An ISP that has implemented CG-NAT should at least offer IPv6, IMHO.

I already posted a hint how you can script that.

Yep.. This is working :slight_smile:
:local NewIP [/ip cloud get public-address]
/ip address add interface=UpLink address=$NewIP
/ip ipsec peer set onurgroup local-address=$NewIP
and scheduler 1h …

I want to improve this.. I want to:
find the new IP and check it against the current IP; if not equal … … …

:global currentIP
:local newIP [/ip cloud get public-address]

# RouterOS variable names are case-sensitive: $NewIP and $newIP are different variables
:if ($newIP != $currentIP) do={
    # replace the tagged public /32 instead of adding a new address every time
    /ip address set [find where comment="pubaddr"] address="$newIP/32"
    /ip ipsec peer set myvpn local-address=$newIP
    # remember what was applied, otherwise the comparison above is true on every run
    :set currentIP $newIP
}


Is this the right way?
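A fuller version of the same idea, as an added example that is not code from any poster in this thread: it updates the address entry and the peer only when IP → Cloud reports a different address, and it does not write anything while the cloud address is still empty (the power-cycle case mentioned above, where the MikroTik comes up before the modem). It assumes the public /32 on UpLink carries the comment "pubaddr" (as suggested earlier in the thread), that the IPsec peer is named "myvpn", and that /ip cloud ddns-enabled=yes so that public-address is populated; those names are assumptions, not taken from the original posts.

```routeros
# Added example, not from the thread. Assumed names: address comment "pubaddr",
# IPsec peer "myvpn", interface "UpLink". Requires /ip cloud ddns-enabled=yes.
:local newIP [/ip cloud get public-address]

# IP->Cloud has nothing yet (e.g. modem still booting): do nothing rather than
# writing an empty value into the address list or the peer.
:if ([:typeof $newIP] != "ip") do={
    :log warning "pubaddr: /ip cloud has no public address yet, skipping"
} else={
    :local entry [/ip address find where comment="pubaddr"]
    :if ([:len $entry] = 0) do={
        # First run: create the tagged entry instead of failing on a missing ID.
        /ip address add interface=UpLink address="$newIP/32" comment="pubaddr"
        /ip ipsec peer set [find name="myvpn"] local-address=$newIP
        :log info "pubaddr: created $newIP"
    } else={
        :local curIP [:tostr [/ip address get $entry address]]
        # Only touch the config (and therefore the tunnel) when the address changed.
        :if ($curIP != "$newIP/32") do={
            :do {
                /ip address set $entry address="$newIP/32"
                /ip ipsec peer set [find name="myvpn"] local-address=$newIP
                :log info "pubaddr: changed $curIP -> $newIP"
            } on-error={
                :log error "pubaddr: failed to apply $newIP, old value $curIP kept"
            }
        }
    }
}
```

Store it with /system script add name=pubaddr-check policy=read,write,test source=... and run it from a scheduler (/system scheduler add name=pubaddr-check interval=5m on-event=pubaddr-check policy=read,write,test). The script only reacts to what /ip cloud already knows, so the interval governs how quickly the tunnel is repaired after the modem hands out a new address, not how often the public address is looked up; keeping the comparison against the stored address rather than a global variable means it also behaves correctly after a reboot, when globals are gone.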