josu
June 8, 2016, 3:21pm
1
Hello,
I have 2 Mikrotik routers at different sites and I want to join them with IPSec.
I have a dynamic public IP at both sites, but I use DynDNS and it works great for access from outside.
I tried to configure IPSec but I cannot add a DNS name in the “SA Src. Address” field.
Is it possible to configure IPSec without a static public IP?
Kind regards.
jarda
June 8, 2016, 3:29pm
2
You would need to set up a regular script to change the IP addresses when they change.
josu
June 8, 2016, 3:56pm
3
Thanks!
I have a script on a server inside the LAN to update the IP of the DNS name.
But the problem is that I cannot add a DNS name in the field, just an IP address.
Regards.
I can post my script later
efaden
June 9, 2016, 12:44am
6
This is basically it… I use it for dynamic-to-dynamic EoIP over IPSec…
I can give you one for pure IPSec too… basically the same thing…
The way I chose to do it is to place a comment on each of the parts that looks like +eoip+… (e.g. +eoip+blah.dyndns.com)…
It runs through, resolves the URL and then updates all of the parts… I run it on both ends… works perfectly.
#.* by RouterOS
#
# Dynamic Site To Site VPN Script - EoIP over IPSec Only
#
# Set Comments (Tunnel, Peer, Policy) = "+eoip+<HOSTNAME>"
#
# Variables
#
# WAN interface whose DHCP lease supplies the local public address
:local currentLocalSiteInterface "ether01-gateway"
:local currentLocalSite ""
:local forceUpdate false
# Optional actions after an address change: cycle each updated peer,
# flush the installed SAs, or kill remote-peer connections
:local IPSecCyclePeers false
:local IPSecFlushSAs false
:local IPSecKillConnections false
#
# Script
#
# Global so the last known local address survives between scheduled runs
:global localSite
# Current WAN address from the DHCP client, with the "/nn" prefix length stripped
:set currentLocalSite [/ip dhcp-client get [/ip dhcp-client find interface=$currentLocalSiteInterface] address]
:set currentLocalSite [:pick $currentLocalSite 0 [:find $currentLocalSite "/" -1]]
:if ([:typeof $localSite] = "nothing") do={
    :set localSite ""
}
# If the local public address changed, every managed tunnel must be rewritten
:if ($currentLocalSite != $localSite) do={
    :set forceUpdate true
    :set localSite $currentLocalSite
}
/ip ipsec {
    :local hadUpdate false
    # Only peers whose comment matches "+eoip+<HOSTNAME>" are managed
    :foreach i in=[peer find comment~"^([^+]*\\+eoip\\+([^+]*)\$"] do={
        :local remoteSite [peer get $i address]
        :set remoteSite [:pick $remoteSite 0 [:find $remoteSite "/" -1]]
        :local peerComment [peer get $i comment]
        # The policy and the EoIP tunnel carry the same comment as the peer
        :local policyNumber [policy find comment=$peerComment]
        :local peerNumber $i
        # Split "+eoip+<HOSTNAME>" into the mode ("eoip") and the DNS name
        :local tcomment [:pick $peerComment ([:find $peerComment "+"]+1) [:len $peerComment]]
        :local mode [:pick $tcomment 0 ([:find $tcomment "+"])]
        :local dnsName [:pick $tcomment ([:find $tcomment "+"]+1) [:len $tcomment]]
        :do {
            :local currentRemoteSite [:resolve $dnsName]
            :if ($forceUpdate || $remoteSite != $currentRemoteSite) do={
                peer set $peerNumber address="$currentRemoteSite/32"
                # Transport-mode policy between the two public addresses carrying the EoIP tunnel
                policy set $policyNumber dst-address="$currentRemoteSite/32" src-address="$currentLocalSite/32" sa-dst-address=$currentRemoteSite sa-src-address=$currentLocalSite
                :local tunnelNumber [/interface eoip find comment=$peerComment]
                /interface eoip set $tunnelNumber remote-address=$currentRemoteSite
                :if ($IPSecCyclePeers) do={
                    peer disable $peerNumber
                    peer enable $peerNumber
                }
                :set hadUpdate true
            }
        } on-error={
            # :resolve fails when DNS is unreachable or the name has no record
            :log error ("DynamicSiteToSiteVPNMini: Failed Updating - \"" . $peerComment . "\"")
        }
    }
    :if ($hadUpdate) do={
        :if ($IPSecFlushSAs) do={
            installed-sa flush
        }
        :if ($IPSecKillConnections) do={
            remote-peers kill-connections
        }
    }
}
josu
June 9, 2016, 7:11am
7
Thank you very much.
Could you send me the pure IPSec one?
I am new to scripting; where could I define the remote DNS name?
Do you run it with a schedule?
Thank you very much.
Best regards.
efaden
June 11, 2016, 6:44pm
8
#.* by RouterOS
#
# Dynamic Site To Site VPN Script - IPSec Only
#
# Set Comments (Peer, Policy) = "+<HOSTNAME>"
#
# Variables
#
# WAN interface whose DHCP lease supplies the local public address
:local currentLocalSiteInterface "ether01-gateway"
:local currentLocalSite ""
:local forceUpdate false
# Optional actions after an address change: cycle each updated peer,
# flush the installed SAs, or kill remote-peer connections
:local IPSecCyclePeers false
:local IPSecFlushSAs false
:local IPSecKillConnections false
#
# Script
#
# Global so the last known local address survives between scheduled runs
:global localSite
# Current WAN address from the DHCP client, with the "/nn" prefix length stripped
:set currentLocalSite [/ip dhcp-client get [/ip dhcp-client find interface=$currentLocalSiteInterface] address]
:set currentLocalSite [:pick $currentLocalSite 0 [:find $currentLocalSite "/" -1]]
:if ([:typeof $localSite] = "nothing") do={
    :set localSite ""
}
# If the local public address changed, every managed peer/policy must be rewritten
:if ($currentLocalSite != $localSite) do={
    :set forceUpdate true
    :set localSite $currentLocalSite
}
/ip ipsec {
    :local hadUpdate false
    # Only peers whose comment matches "+<HOSTNAME>" (exactly one "+") are managed
    :foreach i in=[peer find comment~"^([^+]*\\+([^+]*)\$"] do={
        :local remoteSite [peer get $i address]
        :set remoteSite [:pick $remoteSite 0 [:find $remoteSite "/" -1]]
        :local peerComment [peer get $i comment]
        # The policy carries the same comment as the peer
        :local policyNumber [policy find comment=$peerComment]
        :local peerNumber $i
        # Everything after the "+" is the DNS name of the remote site
        # (the comment has only one "+" here, so there is no second field to split off)
        :local dnsName [:pick $peerComment ([:find $peerComment "+"]+1) [:len $peerComment]]
        :do {
            :local currentRemoteSite [:resolve $dnsName]
            :if ($forceUpdate || $remoteSite != $currentRemoteSite) do={
                peer set $peerNumber address="$currentRemoteSite/32"
                # src-address/dst-address stay the LAN subnets; only the SA endpoints move
                policy set $policyNumber sa-dst-address=$currentRemoteSite sa-src-address=$currentLocalSite
                :if ($IPSecCyclePeers) do={
                    peer disable $peerNumber
                    peer enable $peerNumber
                }
                :set hadUpdate true
            }
        } on-error={
            # :resolve fails when DNS is unreachable or the name has no record
            :log error ("DynamicSiteToSiteVPNMini: Failed Updating - \"" . $peerComment . "\"")
        }
    }
    :if ($hadUpdate) do={
        :if ($IPSecFlushSAs) do={
            installed-sa flush
        }
        :if ($IPSecKillConnections) do={
            remote-peers kill-connections
        }
    }
}
Modified it a little… I think it will work… You don’t modify the script. You just put +hostname comments on the peer and policy and the script looks for them. E.g.
Peer and Policy should have comments “+blah.dyndns.org”…
Does that make sense? Then just run the script every x minutes…
Basically I designed it so you don’t have to modify the script at all… The variables at the top control how the script determines the local IP address, and whether to forcefully recycle the connections. Other than that the script will just look for the peer and policy that have the specific comment on them. It will actually handle as many tunnels as you want…
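A complete setup for the pure-IPSec variant, as an added example (not from the post above or from its author), showing where the remote DNS name goes and how the script is scheduled. It assumes site A has LAN 192.168.10.0/24 and DynDNS name site-a.dyndns.org, site B has 192.168.20.0/24 and site-b.dyndns.org, the WAN interface is ether1 (so currentLocalSiteInterface in the script is set to "ether1"), and the script is stored under the name dyn-ipsec; all of those names, subnets and the script policy list are assumptions. Commands are RouterOS v6 CLI as typed on site A; site B is the mirror image with the subnets and hostname swapped.

```routeros
# Site A (LAN 192.168.10.0/24, public name site-a.dyndns.org) -- assumed values.
# The peer address is only a placeholder: on its first run the scheduled script
# overwrites it with whatever site-b.dyndns.org resolves to. The comment is the
# marker the script searches for ("+<HOSTNAME>", exactly one "+").
/ip ipsec peer add address=0.0.0.0/32 auth-method=pre-shared-key \
    secret="replace-with-a-long-random-psk" exchange-mode=main \
    comment="+site-b.dyndns.org"

# Policy: src/dst are the two LAN subnets and never change; the script only
# rewrites sa-src-address / sa-dst-address (the public tunnel endpoints).
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    tunnel=yes action=encrypt proposal=default \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 \
    comment="+site-b.dyndns.org"

# Keep LAN-to-LAN traffic out of masquerade so it matches the policy
# (assumed rule; put it above your general srcnat masquerade).
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 place-before=0

# Store the pure-IPSec script from the post under the name dyn-ipsec.
# policy=read,write,test is the assumed minimum; widen it only if the
# script logs a permission error.
/system script add name=dyn-ipsec policy=read,write,test \
    source="...paste the pure-IPSec script here, with currentLocalSiteInterface set to \"ether1\"..."

# Run it every 5 minutes, and once at boot so the placeholder addresses are
# replaced before the first tunnel attempt.
/system scheduler add name=dyn-ipsec interval=5m start-time=startup on-event=dyn-ipsec

# Checks after the first run: the peer and policy should show the resolved
# public addresses, phase 1 appears under remote-peers and phase 2 under
# installed-sa once both sites have run their copy of the script.
/ip ipsec peer print detail where comment~"^\\+"
/ip ipsec policy print detail where comment~"^\\+"
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

Two practitioner caveats. The name lookup is plain, unauthenticated DNS: a spoofed or stale record makes the router point IKE at the wrong address, but with a pre-shared key (or certificates) the wrong host cannot complete IKE, so the failure mode is a tunnel that stays down until the record is right, not a tunnel to an attacker. And this approach is what lets you keep main mode: the alternative for dynamic endpoints, IKEv1 aggressive mode identified by FQDN, sends the PSK-derived hash in the clear and exposes the PSK to offline guessing, so resolving the name in a script and keeping main mode is the better trade.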