IPIP Tunnel with IPSEC and dynamically assigned ISP IP

Hi,

We currently have several sites which connect back to our main site using IPIP tunnel w/ IPSEC. All are on statics and work fine.

What’s the best method for 4 other sites that have dynamically assigned public IPs to connect back into the main office?

Thanks

It is possible without IPIP tunnels.
On your main router set ipsec peer as 0.0.0.0/0 and generate-policy=yes.
Now other peers with dynamic addresses will be able to connect.

Thanks for the response, what about the remote site side?

Both sides can't be dynamic at the same time. Then you need to set up dynamic DNS and run a script which checks DNS for address changes and updates the configuration accordingly.

Sorry, I didn't explain very well...

The main site is a static IP, So all I do is set the peer address like below:

address=0.0.0.0/0:500 auth-method=pre-shared-key secret="test" 
generate-policy=yes exchange-mode=main send-initial-contact=no 
nat-traversal=no proposal-check=obey hash-algorithm=md5 
enc-algorithm=3des dh-group=modp1024 lifetime=1d8h lifebytes=0

This automatically generates the IPSEC policy yes?

On the remote side do I set the peer address as our public and also generate policy? If not, how do I set the policy on the remote side?

Thanks

On remote site you set the peer address and add policy manually. Because it is not possible to generate policy from nothing (if one peer has generate-policy enabled then other peer must have manually added policy).

This is my config at the moment, which I believe should work? But it doesn't.

Remote Site:

Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=192.168.20.0/24:any dst-address=192.168.5.0/24:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
     sa-src-address=0.0.0.0 sa-dst-address=MAINSITEPUBLICIP proposal=default 
     priority=0

Flags: X - disabled 
 0   address=MAINSITEPUBLICIP/32:500 auth-method=pre-shared-key secret="test" 
     generate-policy=yes exchange-mode=main send-initial-contact=yes 
     nat-traversal=no proposal-check=obey hash-algorithm=md5 
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 
     dpd-interval=disable-dpd dpd-maximum-failures=1

Main Site:

 address=0.0.0.0/0:500 auth-method=pre-shared-key secret="test" 
     generate-policy=yes exchange-mode=main send-initial-contact=no 
     nat-traversal=no proposal-check=obey hash-algorithm=md5 
     enc-algorithm=3des dh-group=modp1024 lifetime=1d8h lifebytes=0

What's wrong?

You need to specify sa-src-address. As the address is dynamic, you can use a script to detect address changes and update the sa-src-address parameter.

Sorry to ask! Do you have one? :)

The script is quite simple. Add a comment to the policy, for example "myPolicy", to find it in the script, and let's say the public interface is ether1:

# public address of the router as configured on ether1 (returned as address/prefix)
:local publicIP [/ip address get [find interface=ether1] address];

# strip off the netmask: walk back from the end of the string and cut at the "/"
:for i from=( [:len $publicIP] - 1) to=0 do={
    :if ( [:pick $publicIP $i] = "/") do={
        :set publicIP [:pick $publicIP 0 $i];
    }
}

# current sa-src-address of the policy tagged with the comment "myPolicy"
:local saSrc [/ip ipsec policy get [find comment="myPolicy"] sa-src-address];

# only rewrite the policy when the address has actually changed
:if ($saSrc != $publicIP) do={
    /ip ipsec policy set [find comment="myPolicy"] sa-src-address=$publicIP
}

Add it to the scheduler and run it, say, once a minute.

I think your post needs a little correction. Your script is OK when the dynamic IP is on the local router.
The problem exists on the remote router too, when you have to set:

/ip ipsec policy
… sa-dst-address="dynamic_IP" …

Also, there is a mistake in the script. I cannot find "Comment" for the /ip ipsec policy. I mean there is no
way you can assign a Comment. I am testing it on RB411 ROS 3.30.
So I wrote another script:

# resolve the dynamic-DNS name of the remote router to its current address
:global "Remote_1" [:resolve "Remote.changeip.org"]
# sa-dst-address of the first policy (index 0)
:global saDst [/ip ipsec policy get 0 sa-dst-address]
# rewrite the policy only when the resolved address differs from the stored one
:if ($saDst != $"Remote_1") do={
    /ip ipsec policy set [find sa-dst-address=$saDst] sa-dst-address=$"Remote_1"
}

Where Remote.changeip.org is the DNS name of the remote router on the internet.
Do you think this is okay?
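The two scripts in this thread each handle one end of the policy: the first keeps sa-src-address in step with the local dynamic address, the second keeps sa-dst-address in step with the remote router's dynamic-DNS name. The following is an added example (not posted by either participant) that folds both into one scheduler script and also covers the failure case neither of them handles: when the DNS lookup fails, the script keeps the existing sa-dst-address instead of aborting or writing an empty value. It assumes the policy carries comment="myPolicy" (policy comments exist on current RouterOS, not on the 3.30 build mentioned above), that the public interface is ether1 with a single address, that the remote router registers itself as remote.example.invalid (placeholder name), and that the RouterOS version supports :do { } on-error={ }.

```routeros
# Added example, not from either poster. Assumptions: policy comment "myPolicy",
# public interface ether1 with one address, remote dynamic-DNS name
# remote.example.invalid (placeholder), RouterOS with :do/on-error support.

:local policyId [/ip ipsec policy find comment="myPolicy"]
:if ([:len $policyId] = 0) do={
    :log warning "ipsec-update: policy 'myPolicy' not found, nothing to do"
} else={
    # local side: address on ether1 comes back as address/prefix, cut at the "/"
    :local localAddr [/ip address get [find interface=ether1] address]
    :local slash [:find $localAddr "/"]
    :if ([:typeof $slash] != "nil") do={
        :set localAddr [:pick $localAddr 0 $slash]
    }
    :set localAddr [:toip $localAddr]

    :if ([/ip ipsec policy get $policyId sa-src-address] != $localAddr) do={
        /ip ipsec policy set $policyId sa-src-address=$localAddr
        :log info ("ipsec-update: sa-src-address -> " . $localAddr)
    }

    # remote side: resolve the other router's dynamic-DNS name; a failed lookup
    # raises an error, so catch it and leave the current sa-dst-address untouched
    :local remoteAddr
    :do {
        :set remoteAddr [:resolve "remote.example.invalid"]
    } on-error={
        :log warning "ipsec-update: DNS lookup for remote peer failed, keeping current sa-dst-address"
    }

    :if ([:typeof $remoteAddr] = "ip" && [/ip ipsec policy get $policyId sa-dst-address] != $remoteAddr) do={
        /ip ipsec policy set $policyId sa-dst-address=$remoteAddr
        :log info ("ipsec-update: sa-dst-address -> " . $remoteAddr)
    }
}
```

Add it to /system scheduler with a one-minute interval, as suggested above; the :log lines give you an audit trail in /log of every address change the script applies.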

Possibly you'll find a working configuration here: http://gregsowell.com/?p=1523
This works flawlessly for me.