IPsec static 2 dynamic IP VPN

I'm really lost here.

I have the following setup:
2 MT routers

1 with a public static IP
1 with a public dynamic IP

The config that doesn't work but should:

MT1 static IP
I define peer 0.0.0.0/0
all the other stuff, and add generate policy and turn off init connection
I make no policy

MT2 dynamic IP
I define peer to MT1 static IP
all other stuff and turn on init connection
I make a policy
MT2 subnet -> MT1 subnet
sa src 0.0.0.0 (dunno; the dynamic IP changes)
sa dst IP of MT1


This makes an ISAKMP connection,
but then on MT2 the policy says ready to send and the packets are dropped,
and on MT1 no policy is made.

The setup that does work (not good):
All the same config, but on MT2 I also define sa src with the dynamic IP that the router has for now.
Then everything works, the policy is made on MT1 and traffic is fine.

But one problem here: because I define an sa src that changes, this is not the way to go…

Any ideas???

Pascal

I would configure something like the following:

  • /ip ipsec peer add address=1.1.1.2 secret=qazwsxedc generate-policy=no

  • /ip ipsec policy add sa-src-address=0.0.0.0 sa-dst-address=1.1.1.2 action=encrypt tunnel=yes

  • /system script add name=addr-refresh source={
        # $i is a route id, so the find has to run in /ip route
        :foreach i in=[/ip route find] do={
            # only routes whose preferred-source is an address configured on this router
            :if ([/ip address find address=[/ip route get $i preferred-source]] != "") do={
                # only when that address is the one obtained by the DHCP client
                :if ([/ip address get [/ip address find address=[/ip route get $i preferred-source]] address] = [/ip dhcp-client lease get address]) do={
                    # rewrite sa-src-address of the policy towards MT1 when it no longer matches
                    :if ([/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address] != [/ip route get $i preferred-source]) do={
                        /ip ipsec policy set [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address=[/ip route get $i preferred-source]
                    }
                }
            }
        }
    }

  • /system scheduler add name=run-15s interval=15s on-event=addr-refresh

Maybe it will help you :)

Eugene
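Both ends of the setup Pascal describes, with Eugene's refresh idea reduced to reading the DHCP client's current address directly. This is an added example, not from either post: the interface name ether1, the two LAN subnets and the pre-shared secret are placeholders, MT1's address 1.1.1.2 is taken from Eugene's commands, and it assumes a RouterOS version whose peer still has the generate-policy option.

```routeros
# MT1, static IP: accept any peer and build the policy from what MT2 proposes.
# With address=0.0.0.0/0 this side can only respond, never initiate.
# (placeholder secret; assumes a RouterOS version with generate-policy)
/ip ipsec peer add address=0.0.0.0/0 secret=PLACEHOLDER-PSK generate-policy=yes

# MT2, dynamic IP on ether1: peer is MT1, one policy for the two LANs.
# (subnets, interface name and secret are placeholders)
/ip ipsec peer add address=1.1.1.2 secret=PLACEHOLDER-PSK generate-policy=no
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=0.0.0.0 sa-dst-address=1.1.1.2 action=encrypt tunnel=yes

# Keep sa-src-address equal to whatever address the DHCP client holds right now,
# instead of hard-coding today's dynamic IP into the policy.
/system script add name=addr-refresh source={
    # the dhcp-client "address" field reads "a.b.c.d/nn"; force it to a string
    :local lease [:tostr [/ip dhcp-client get [find interface=ether1] address]]
    # nothing to do while the client has no lease
    :if ([:len $lease] > 0) do={
        # drop the prefix length so the value compares with sa-src-address
        :local cur [:toip [:pick $lease 0 [:find $lease "/"]]]
        :local pol [/ip ipsec policy find sa-dst-address=1.1.1.2]
        # only touch the policy when the address actually changed
        :if ([/ip ipsec policy get $pol sa-src-address] != $cur) do={
            /ip ipsec policy set $pol sa-src-address=$cur
        }
    }
}
/system scheduler add name=run-15s interval=15s on-event=addr-refresh
```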