ipsec dynamic ip script

Eugene once sent me this:

Posted: Thu Aug 12, 2004 2:47 pm Post subject:


I would configure something like the following:


/ip ipsec peer add address=1.1.1.2 secret=qazwsxedc generate-policy=no


/ip ipsec policy add sa-src-address=0.0.0.0 sa-dst-address=1.1.1.2 action=encrypt tunnel=yes


/system script add name=addr-refresh source={:foreach i in=[find] do {:if ([/ip address find address=[/ip route get $i preferred-source]]!="") do {:if([/ip address get [/ip address find address=[/ip route get $i preferred-source]] address]=[/ip dhcp-client lease get address]) do {:if ( [/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address] != [/ip route get $i preferred-source]) do {/ip ipsec policy set [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address=[/ip route get $i preferred-source] }}} }}


/system scheduler add name=run-15s interval=15s on-event=addr-refresh

It was to make IPsec connections from a dynamic IP address to a static one…
but the script just doesn’t work, I really tried everything… but I just don’t see the fault…

I get this…

no such command or directory (find)

can someone check this

thxs

pascal

/system script add name=addr-refresh source={:foreach i in=[/ip route find] do {:if ([/ip address find address=[/ip route get $i preferred-source]]!="") do {:if([/ip address get [/ip address find address=[/ip route get $i preferred-source]] address]=[/ip dhcp-client lease get address]) do {:if ( [/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address] != [/ip route get $i preferred-source]) do {/ip ipsec policy set [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address=[/ip route get $i preferred-source] }}} }}

However, if you use version 2.9 there is a much shorter and simpler way to accomplish this.

I understand what you are trying to do with this script, but it’s still not working.
I made the policy with the correct sa-dst-address.
I changed the sa-dst-address in the script to the correct IP address.
It doesn’t give me any errors in the log file, but still my policy isn’t changed to put the sa-src-address to the correct IP address.

How do you start debugging something like this?
You can’t get any output.

Remove everything and start from the outer loop. Place print commands to see the output and change them later with the actual constructs if they give expected output.


BTW, I suggest upgrading to 2.9 - there are new scripting commands which make this task a piece of cake.
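The step-by-step approach described in the reply above, as an added example that is not part of the original posts: each step isolates one lookup from the addr-refresh script and prints its result. It reuses the thread's own commands and its pre-2.9 "do {" syntax; :put as the console print command is an assumption about the installed version.

```routeros
# Step 1: outer loop only. Expect one line per route; a route without a
# preferred source prints an empty line.
:foreach i in=[/ip route find] do {:put [/ip route get $i preferred-source]}

# Step 2: the value the script compares against (the DHCP-assigned address).
:put [/ip dhcp-client lease get address]

# Step 3: for each route, the matching /ip address entry as the script reads it.
:foreach i in=[/ip route find] do {:if ([/ip address find address=[/ip route get $i preferred-source]]!="") do {:put [/ip address get [/ip address find address=[/ip route get $i preferred-source]] address]}}

# Step 4: the policy lookup. An empty line means no policy matched
# sa-dst-address, so the final "set" has nothing to act on.
:put [/ip ipsec policy find sa-dst-address=1.1.1.2]

# Step 5: the source address currently stored on that policy.
:put [/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address]
```

Run the steps one at a time in a terminal and compare the printed values; the script's comparisons can only match when both sides print in the same form (for example, both with or both without a /mask suffix).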

Which, I assume, would be generate-policy=yes ?

–Tom

Nope, it works only if one endpoint has dynamic IP.

Eugene, hi. I'm trying to do the same.

On one end I have an MTK with a dynamic IP, and on the other side a Hotbrick with a dynamic IP too.

I'm looking for a script in order to actualize the policy.

Can you help me pls?

I'm using a RouterBoard 500 with OS 2.9.8

Rgs,

Fernando

Read my previous posts.

How does the central site (static IP) know what the IP of the remote site is?

If one of the endpoints has a static IP address, just do not create the policy on this endpoint. Instead, set generate-policy=yes in its peer record.

Hello,

I'm having the same troubles here... any input would be great!

Thanks!

hi there,

I'm facing the same issue with dynamic IP addresses and IPsec.
Does someone already have such a scenario running?

greets