IPSec dynamic remote peer script

I have a little problem …
I have a test environment and use an RB750 as the L2TP/IPsec VPN server. The RB750 has a static IP. The remote side uses a 953GS-5HnT with 2x Huawei LTE modems. I want to implement VPN failover, but the problem is that on the server side I must update sa-dst-address in the IPsec policy with the remote office IP (1x WAN + 2x mobile IP).
I made a script which updates this setting, put it in the scheduler and run it every second. The problem is that the script usually works and then usually does not work…

{
# current WAN address of the server, with the prefix length stripped
# (":find" locates the "/" so it works for any prefix length, not only /xx)
:local NewWANIP [/ip address get [find interface="ether1-wan"] address]
:set NewWANIP [:pick $NewWANIP 0 [:find $NewWANIP "/"]]

# remembered between runs so the policy is only rewritten on a change
:global OldWANIP

# "get 0" is the line discussed below: it only returns a value after the
# remote-peers list has been enumerated (e.g. by "print")
:local NewRemotePeerIP [/ip ipsec remote-peers get 0 remote-address]
:local OldRemotePeerIP [/ip ipsec policy get [find comment="Test Peer"] sa-dst-address]

:if ($NewWANIP != $OldWANIP) do={
:log info "New WAN IP is $NewWANIP"
/ip ipsec policy set [/ip ipsec policy find comment="Test Peer"] sa-src-address=$NewWANIP
:set OldWANIP $NewWANIP
}

:if ($NewRemotePeerIP != $OldRemotePeerIP) do={
:log info "New remote IPSEC Peer IP is $NewRemotePeerIP"
/ip ipsec policy set [/ip ipsec policy find comment="Test Peer"] sa-dst-address=$NewRemotePeerIP
}
}

The main problem is caused by the line “:local NewRemotePeerIP [/ip ipsec remote-peers get 0 remote-address]”. I can manually start the script 10 times and every time it returns a blank string, but if I run the same command in the terminal:

:put [/ip ipsec remote-peers get 0 remote-address]

it returns the right IP and then the script also works. It immediately works also if I run this command in the terminal:

/ip ipsec remote-peers print

I'm using version 6.33.1 on both MikroTiks… Is this a bug in the firmware or some mistake in my script? I'm new to scripting…
Thanks for any help.

Nobody?

bump …

Why not just make two tunnels to the remote site that are always up, and load-balance them with ECMP routes?

Cleaner, and requires no scripting.
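The ECMP idea suggested above, written out as an added RouterOS example (not from this thread or the poster) for the remote-site router with two WAN uplinks. It assumes two IPIP tunnels (named ipip-eth and ipip-lte) have already been brought up over the Ethernet and LTE uplinks to the main site, that the tunnels carry 10.255.0.0/30 and 10.255.0.4/30, and that the LAN behind the main site is 192.168.10.0/24; all of those addresses and names are made up for the example.

```routeros
# Added example: one ECMP route over two always-up tunnels.
# check-gateway=ping makes RouterOS drop a tunnel hop from the ECMP set
# while its far end stops answering, so traffic keeps flowing over the
# surviving tunnel without any scheduler script.

# tunnel-side addresses (assumed values)
/ip address
add address=10.255.0.1/30 interface=ipip-eth comment="ECMP example, eth leg"
add address=10.255.0.5/30 interface=ipip-lte comment="ECMP example, lte leg"

# a single route with two gateways = equal-cost multipath;
# per-connection hashing keeps a flow on one tunnel
/ip route
add dst-address=192.168.10.0/24 gateway=10.255.0.2,10.255.0.6 \
    check-gateway=ping comment="ECMP example to main site LAN"

# if Ethernet is preferred and LTE is only a fallback, use two routes
# with different distances instead of ECMP (failover, not balancing):
# /ip route add dst-address=192.168.10.0/24 gateway=10.255.0.2 \
#     check-gateway=ping distance=1
# /ip route add dst-address=192.168.10.0/24 gateway=10.255.0.6 \
#     check-gateway=ping distance=2
```

The route with two gateways is what the reply calls ECMP; the commented pair of routes with different distance values is the strict "Ethernet first, LTE only when it fails" behaviour asked for later in the thread. Either form replaces the polling script, because the decision is made by the routing table's gateway checks rather than by rewriting an IPsec policy.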

Can you explain in more detail?
There have been some changes in the network configuration since the first post… Now on the main site we have a Zyxel ZyWall 110 with a configured IPSec VPN “server” and this can’t be changed. On the remote site we have a MikroTik 953GS-5HnT with one Ethernet WAN connection (static IP) and one LTE WAN connection (dynamic IP)… We would like all traffic to go through Ethernet, but when Ethernet fails it must go over the LTE modem. What is the best way to achieve this? I made an IPSec policy & peer and it connects to the VPN server, but there are a few problems:
1.) If a computer is not connected to the local Ethernet port (bridge/normal Ethernet port), the IP address of this bridge/normal Ethernet port is not pingable and the VPN tunnel is also not established. When I plug a computer into the Ethernet port the VPN is established and ping starts working. It does not install SAs if the Ethernet port is not up (link ok)…
2.) When I try failover I usually have two entries in remote peers and ping to the remote network sometimes doesn’t work; to get it working I must kill connections and/or flush installed SAs…

This is an issue with your script. Referencing something by id (“0”) only works after you have printed the actual configuration. If you want the address of the first entry, use something like this:

:put [ / ip ipsec remote-peers get [ :pick [ find ] 0 ] remote-address ]
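The original script rewritten around the fix given in this reply, as an added example that is not from the thread or its poster. It assumes the same names the poster used (WAN interface ether1-wan, policy tagged comment="Test Peer"); the use of state="established" to pick the live peer when several entries exist is an assumption about the remote-peers fields on this RouterOS version.

```routeros
# Added example: select the remote peer through [find] instead of "get 0",
# and only rewrite the policy when a real address came back.
{
  # WAN address with the "/prefix" removed; :find works for any prefix length
  :local wanAddr [/ip address get [find interface="ether1-wan"] address]
  :local newWanIp [:pick $wanAddr 0 [:find $wanAddr "/"]]

  # [find] enumerates the dynamic remote-peers list, which is what "get 0"
  # silently relied on having been done by an earlier "print".
  # Prefer an established peer; fall back to the first entry of any state.
  :local peers [/ip ipsec remote-peers find state="established"]
  :if ([:len $peers] = 0) do={ :set peers [/ip ipsec remote-peers find] }

  :local newPeerIp ""
  :if ([:len $peers] > 0) do={
    :set newPeerIp [:tostr [/ip ipsec remote-peers get [:pick $peers 0] remote-address]]
  }

  # resolve the policy once; abort loudly if the comment tag is missing
  :local policyId [/ip ipsec policy find comment="Test Peer"]
  :if ([:len $policyId] = 0) do={
    :log warning "ipsec-failover: no policy with comment \"Test Peer\""
    :error "policy not found"
  }
  :local oldSrc [:tostr [/ip ipsec policy get $policyId sa-src-address]]
  :local oldDst [:tostr [/ip ipsec policy get $policyId sa-dst-address]]

  # compare against the policy itself, so no global state survives a reboot
  :if ($newWanIp != $oldSrc) do={
    :log info "ipsec-failover: sa-src-address $oldSrc -> $newWanIp"
    /ip ipsec policy set $policyId sa-src-address=$newWanIp
  }

  # an empty string means no peer is up; leave the last known address alone
  :if ([:len $newPeerIp] > 0 && $newPeerIp != $oldDst) do={
    :log info "ipsec-failover: sa-dst-address $oldDst -> $newPeerIp"
    /ip ipsec policy set $policyId sa-dst-address=$newPeerIp
  }
}
```

Two points differ from the poster's version: the old addresses are read back from the policy rather than kept in a global, so a reboot or a manual edit cannot leave the script comparing against stale state, and a blank peer address is treated as "nothing to do" instead of being written into sa-dst-address, which is the case the poster observed when the script ran before the peer list had been enumerated.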