this is my first post after being around the forums quite a lot since I bought my first Mikrotik for home use.
I then installed a 750 at my main office which has static WAN IP and need to setup ipsec tunnels with my other office (also static WAN IP) and my home (dynamic WAN IP).
Main office <–ipsec–> Other office (both static IPs - no problem)
Main office <–ipsec–> Home (one static - one dynamic IP - problem!)
I can’t figure out how to script the Main office router to resolve Home router dyndns IP and put it in the respective fields since there are TWO policies there, one that needs changing and one that is always static.
What are the variables for the IP fields in each policy/peer? I found some scripts that change the IPs similar to the one below:
:global RemoteSite [:resolve gregsowell-siteb.dyndns.org]
/ip ipsec policy set 0 sa-dst-address=$RemoteSite
/ip ipsec peer set 0 address=“$RemoteSite/32:500”
but which of the two is changed? I tried to run this and discovered it changes the policy IP but not the peer IP to one of the entries (luckily the correct one but how do I know this for sure if I add a 3rd tunnel in the future?)…
I do not really need a script to -=check=- if the IP has changed since I can set a schedule to renew the IPs every 5-10 minutes… If they change in the meantime it is no big deal to drop the tunnel for a few minutes until renewal..
thanks thomas it is really interesting but does not focus on scripting and/or dealing with dynamic ip changing of a remote location.. also it is focusing a lot on l2tp which causes problems when I connect panasonic ip phones from remote office and home to main office…
I need to setup pure ipsec tunnels that are A-B and A-C with C having dynamic WAN IP that changes every few hours.
Point A needs to have two policies and two peers for these tunnels but the VARIABLES on one of these policies change with time (dynamic WAN IP) and the router must be aware of these changes to re-establish the tunnel. This can be done with scripting but I am not sure exactly how..
EDIT: and it could get really funny to setup a tunnel between B-C…
The point was that you should use generate-policy on the AC, which means no scripting is needed on the AC side.
As you can see by the end of the video, the only script you need to use dynamic IP on remote peers is that one.
Using a PtP protocol (like L2TP), its always easier and in the end better with a separate tunneling protocol and IPSec in transport.
Try PPP or some some other PtP protocol if L2TP doesnt work for you.
I finally did it your way L2TP+IPSec and points A-B and A-C work just fine.. The problem is how to route traffic from B to C when for both tunnels the server is point A.
