Script to disable IPSec peers

leonset · August 7, 2013, 11:42am

Hello

I’m trying to find a way to disable all or a set of IPSec peers within a script in v6.2. In theory something like this should do the trick:

/ip ipsec peer enable [/ip ipsec peer find port=500]

But it doesn’t… it just enables the first peer (number 0) and then the terminal prompt just hangs. The extrange thig is that the same line but replacing enable with disable does work ok!:

/ip ipsec peer disable [/ip ipsec peer find proposal-check=“obey”

Maybe a bug?
Thanks!

efaden · August 7, 2013, 11:59am

I have never used it that way. I always used loops like below. I wasn’t aware that a single command like that worked if find returned more than one.

/ipsec peer {
    :foreach i in=[find port=500] do={
        enable $i
    }
}

leonset · August 7, 2013, 12:14pm

Yes, I use this to en/disable IPSec Policies since almost ever:

/ip ipsec policy enable [find sa-src-address=1.2.3.4]

Your script block doesn’t work, exactly the same behavior: only the first peer got enabled and then the prompt halts until I press Ctlr+C

Thanks!

efaden · August 7, 2013, 12:22pm

Good to know that works… As for 6.2. I switched back to 6.1 because it was too buggy. My guess would be that you found another bug where find only returns the first or something.

leonset · August 7, 2013, 12:36pm

I have sent an email tu support about this issue, I’ll post the answer here…

I can’t use 6.1 because it has bugs with IPSec, can’t use v6.0 cause has bug with VRRP, can’t use v5.x because it has problems with Mangle rules and performance with RB1000… I hope that I get a “good” version for me soon, I’m having too many headaches whith Mikrotik lately!!

Thanks for your help!

n4p · June 30, 2017, 10:38am

Hi,
i need to push this thread, because i currently searching for the same solution. Is there any way to disable ipsec peers with a script which looks on the firewall address list.
Background for that is, i detect bad-peers on the firewall and blacklist them. To prefent them to do more bad stuff i wanna disable their ipsec peer until it is localy checked.

Thanks for help!

efaden · July 1, 2017, 12:01pm

It shouldn’t be hard. Just iterate over the peers and then search if they are in the address list. But I don’t have anything off hand to do it. I’d have to write it.

n4p · July 1, 2017, 6:44pm

Yeah,
it would be great if you can give me some advice.
My idea was do check the addresslist every second or something like that and look if there is a peer with name blacklist.
There i need to look about the ip range if it is 172.8.10.xxx or 172.8.11.xxx and search with this for the matching ipsec peer/policiy.

Thats the way it should work, but the problem is that i need some help to get there.

efaden · July 1, 2017, 7:13pm

Can’t you just use the address list to block the ipsec through the firewall? It would benefit much much more efficient then running a script that frequently.

Sent from my Pixel XL using Tapatalk

n4p · July 2, 2017, 5:51pm

The idea behind that was to made the system more secure. I have only one engine behind every ipsec Tunnel.

And if there was a Security issue or somebody try to attack the server i wanna Block them completle until a employe that a look at those engine.

msatter · July 2, 2017, 7:47pm

I use IPSEC on location or when I am in a location with WiFi. I use port knocking to request a certain number of hours 1-8. The IP address I am on is entered in the addresslist to grant me access to port 400+4500.

When I need more tome that I estimated before I just knock again but I have first to disconnect the IPSEC because I am still on a private address. The time will be added to or set if the was no time left.

I can also knock to remove the entry in the addresslist by tuning a scheduled script on a set interval which looks in the to remove addresses.

n4p · July 5, 2017, 6:40pm

Thats not really a help for me, because i use side to side tunnel. And if there is a security issue i wanna block this tunnel.
But if there is nothing the tunnel should be up everytime.

msatter · July 5, 2017, 7:11pm

What is the result of this:

:put [/ip ipsec remote-peers find remote-address~"172.8.1[0-1].*];

If you want to remove those addresses then this should do it:

:put [/ip ipsec remote-peers remove [find remote-address~"172.8.1[0-1].*"]];

However I see the client connecting again and only after a few times it gives up.

You want to look at names and compare it to policies so I need more info on that. I use IKe2 so no names.

n4p · July 7, 2017, 8:21am

Thanks for answer,
my idea is not only to disconnect them, i wanna disable his Profile.
For our Setup its not possible that this happens anytime, only if anybody try to attack the server. The outstanding peer’s normaly should connect everytime and stay up.

So what i had done until now is:
I added Firewall rules to identify them and add the ip-address to the blacklist.

My idea was to read with a script this blacklist and identify the third Oktett from the blacklistet ip. With this Oktett i know the peer policy. My System is configured that those Oktett is alwasy the same, also in the wan ip which establishe the tunnel.

Hope you can understand what i mean.

Thanks for help!

Prister · August 24, 2018, 7:03am

I have the same problem! in version 6.40.8
how to solve this problem?