Redistributing active IPsec tunnel destinations

I’m trying to have a CHR handle plain IPsec tunnels to our network (which consists of a large number of interconnected routers).
The tunnels are configured passive, the peer will set up the tunnel, and a fixed subnet is configured for the other end of the tunnel.
Due to the nature of the network, the tunnels will not always be up.

We are using BGP internally to distribute routes (using private AS, this has nothing to do with BGP on internet!), and I want to somehow announce the peer subnets only when the tunnel to that subnet is up.
Due to how BGP now works I need to set up an explicit route for each peer subnet, and when I set BGP to redistribute static routes it works as far as the subnet routes being announced to the network.

I am looking for a trick to arrange that each subnet route is only active when the corresponding tunnel is up.
Unfortunately there is no feature to call a script when an IPsec policy goes active/inactive.
And also there is (still) no feature to direct a logging action directly to a script.

Of course I could write a script that walks along the IPsec policies, checks each one to be active or not, and enables/disables the subnet route accordingly, and then call that very often from the scheduler.
But maybe there is some trick that could work? I’d like something that immediately comes into action on state changes, instead of a scheduling/polling solution.

I tried to set the route gateway to the router address at the other end of the tunnel, but the route becomes invalid and never comes up.
(also not when combined with a ping check)

Did you try an event handler function to monitor IPsec policy changes, like described here http://forum.mikrotik.com/t/mikrotik-events-script-new-abroach/176282/1 ?


:global IpSecPolicyEventHandler do={
# do something with the policy state: $1 - active, etc...
}
:execute {
  :global IpSecPolicyEventHandler
  # follow-only blocks and evaluates "where" for every change to a policy
  /ip/ipsec/policy print follow-only where [$IpSecPolicyEventHandler $active <other_needed_properties...>]
}

This should create a background job which triggers the global function on some change.
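Putting this event-handler pattern to work on the original question, as an added example that is not code from the thread or from the linked post: a RouterOS v7 script that enables or disables the static route for a peer subnet whenever the IPsec policy covering that subnet flips its active flag. It assumes that every such static route carries comment="ipsec-peer" and has the same dst-address as its policy (the comment tag, the function names and the startup scheduler entry are assumptions, not anything the thread specifies).

```routeros
# Added example, not from the thread. Assumes RouterOS v7 syntax and that each
# static route for a peer subnet has comment="ipsec-peer" and the same
# dst-address as the IPsec policy protecting traffic to that subnet.

# One-shot reconciliation: "print follow-only" reports only changes made after
# it starts, so align every tagged route with its policy's current state first.
:global IpSecRouteSync do={
    :foreach p in=[/ip/ipsec/policy find] do={
        :local dst [/ip/ipsec/policy get $p dst-address]
        :local act [/ip/ipsec/policy get $p active]
        :local routes [/ip/route find where comment="ipsec-peer" and dst-address=$dst]
        :if ([:len $routes] > 0) do={
            :if ($act = true) do={
                /ip/route enable $routes
            } else={
                /ip/route disable $routes
            }
        }
    }
}

# Event handler called by the follower for every changed policy.
# $1 - active flag of the changed policy, $2 - its dst-address (the peer subnet)
:global IpSecPolicyEventHandler do={
    :local routes [/ip/route find where comment="ipsec-peer" and dst-address=$2]
    # Policies without a tagged route (e.g. the default template) are ignored.
    :if ([:len $routes] = 0) do={ :return false }
    :if ($1 = true) do={
        /ip/route enable $routes
        :log info ("ipsec peer subnet " . $2 . " is up, route enabled")
    } else={
        /ip/route disable $routes
        :log info ("ipsec peer subnet " . $2 . " is down, route disabled")
    }
    # Return false so the follower never prints a match and keeps running.
    :return false
}

# Reconcile current state, then start the background watcher.
$IpSecRouteSync
:execute {
    :global IpSecPolicyEventHandler
    /ip/ipsec/policy print follow-only where [$IpSecPolicyEventHandler $active $"dst-address"]
}
```

The job created by :execute does not survive a reboot, so the usual way to keep it alive is to store this as a script under /system/script and run it from a /system/scheduler entry with start-time=startup; the reconciliation pass at the top also covers policies that changed while the watcher was not running. Because BGP redistributes only active static routes, a disabled route is withdrawn from the network as soon as the tunnel drops.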

Ok that looks promising, I did not know that such a thing is possible…

I might’ve gotten everything wrong, and this is probably a really dumb suggestion since you already asked about and are using iBGP(?) for the internal network, but why not switch to an automatic full mesh with something like OSPF/PTP + BFD? Off the top of my head, it feels like that solution would be more robust than starting with ROS scripting to poll BGP/IPsec status.

My goal is not to change the network, but to rework some part that allows access by legacy routers that do not do BGP.
This is currently running on a Debian Linux system that I want to upgrade, and I want to remove that function from it.
Therefore I have now separated this single function out to a CHR instance. Most of the other links are plain tunnels with BGP sessions running over them, but that requires the connecting user to run BGP as well.

After the usual hair-pulling, it works!
Thank you for the hint, this is exactly what I needed and it can be useful in other cases as well.

Hopefully MikroTik will not “optimize the handling of where” and make this method fail…