IPSec client without public IP

Hello,

I want to connect 2 Mikrotik routers with IPSec; one of them has a static public IP, but the other one has a dynamic private IP.

Is it possible to create an IPSec tunnel between those devices?

I want to connect a laptop and voip phone in the client side.

Kind regards.

Sure, it is possible.
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf

Yes. I do it. You can use a script to update the address. I’ll post later from my laptop

Sent from my SCH-I545 using Tapatalk

Thanks!

I will really appreciate your script.

The client is inside LAN (no public address) and there is no NAT in the client side. Is it possible?

Regards.

I use something similar to the below, scheduled to run at a regular interval. The script assumes your “WAN” interface is called “01 - WAN”. It also sets the policy src-address and dst-address to /32’s, assuming an L2TP connection is encrypted between the two. You could edit this if you require.

I’ve had to edit it and didn’t have time to test it I’m afraid. Let me know if you have any issues.

:local srcadd
:local sasrcadd
:global prevsasrcadd

:do {
    # Get the IP from the "01 - WAN" interface (returned in X.X.X.X/X format)
    :set sasrcadd [/ip address get [/ip address find interface="01 - WAN"] address]

    # Change the IP from X.X.X.X/X format to X.X.X.X by dropping everything from the "/" onwards
    :for i from=([:len $sasrcadd] - 1) to=0 do={
        :if ([:pick $sasrcadd $i] = "/") do={
            :set sasrcadd [:pick $sasrcadd 0 $i]
        }
    }
    :set srcadd ("$sasrcadd" . "/32")
    :set sasrcadd [:toip $sasrcadd]

    # Only rewrite the policy when the WAN address has changed since the last run
    :if ($sasrcadd != $prevsasrcadd) do={
        :put "IPSEC Policy Updater: Updating IPSEC Policy to use src-address=$srcadd and sa-src-address=$sasrcadd"
        :log info "IPSEC Policy Updater: Updating IPSEC Policy to use src-address=$srcadd and sa-src-address=$sasrcadd"
        /ip ipsec policy set [/ip ipsec policy find comment="IPSEC Policy"] src-address=$srcadd sa-src-address=$sasrcadd
        :set prevsasrcadd $sasrcadd
    } else={
        :put "IPSEC Policy Updater: No policy changes required"
    }

# If anything above fails (e.g. no address on the interface yet), log it.
} on-error={
    :put "IPSEC Policy Updater: '01 - WAN' Unable to update IPSEC address"
    :log info "IPSEC Policy Updater: '01 - WAN' Unable to update IPSEC address"
}

Didn’t get a chance to post it last night… but I’ll do it tonight when I get home.

But the idea is similar to what the guy above posted… basically you have a DynDNS style service for your remote site… run a script on your main site to grab the new IP and then update the IPSec policy, proposal, etc…

Actually, if you look around on the forum I may have posted it previously.

-Eric
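The server-side half of the idea Eric describes above (a DynDNS name for the remote site, polled from the static-IP site, with the IPsec peer and policy rewritten when it changes), written out as an added example. This is not Eric's script nor anything from the MikroTik wiki; the DNS name, the peer name "remote-site" and the policy comment "remote-site" are assumed placeholders, and the field names (peer "address", policy "sa-dst-address", "installed-sa flush") are the RouterOS 6.x ones. It is meant to be run by the scheduler at the same interval as the client-side script.

```routeros
# Added example, not from the thread: run on the static-IP site via /system scheduler.
# Resolves the remote site's DynDNS name and, only when the address has changed,
# rewrites the IPsec peer and policy so the tunnel can re-establish to the new address.
# Assumed placeholders: DNS name, peer name "remote-site", policy comment "remote-site".
:local dnsname "remote.example.dyndns.invalid"
:local peername "remote-site"
:local policycomment "remote-site"
:global prevRemoteAddr

:do {
    # :resolve raises an error (caught below) if the name does not resolve
    :local newaddr [:resolve $dnsname]

    :if ($newaddr != $prevRemoteAddr) do={
        :log info "IPsec peer updater: $dnsname now resolves to $newaddr, updating peer and policy"
        # Peer address is a prefix, so pin it to the single host; policy uses the bare IP
        /ip ipsec peer set [find name=$peername] address="$newaddr/32"
        /ip ipsec policy set [find comment=$policycomment] sa-dst-address=$newaddr
        # Drop SAs negotiated with the old address so a fresh negotiation happens immediately
        /ip ipsec installed-sa flush
        :set prevRemoteAddr $newaddr
    } else={
        :log debug "IPsec peer updater: $dnsname unchanged ($newaddr)"
    }
} on-error={
    # Leave the existing peer/policy in place rather than breaking a working tunnel
    :log warning "IPsec peer updater: could not resolve $dnsname, leaving policy unchanged"
}
```

Keeping the previous address in a global and comparing before writing is what stops the scheduler from flushing live SAs every run; the on-error branch matters for the same reason, since a transient DNS failure should not tear down a tunnel that is still up.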

The IPSEC server could generate a dynamic policy.

We could do with more information, or a network diagram ideally.

Valid point… I’m used to dual dynamic IPs… if you just need a single one you can do it with IPSec alone.