Second script no updating IPSEC peer

jbabbtech · February 25, 2011, 5:00pm

I have a 750 acting as a hub for 4 VPN connections. Two VPNs are plain vanilla static to static. The other two are static to dynamic. The first dynamic works fine with the use of a script for dynamically changing policy and peer. The second dynamic script, which is exactly the same as the first, will resolve but not update the peer and policy. I have combined the two scripts below:

:local resolvedIP [:resolve "xxx.dyndns.org"];
/log info "$resolvedIP";
/ip ipsec peer set 2 address="$resolvedIP"
/ip ipsec policy set 2 sa-dst-address="$resolvedIP"

:local resolveIP [:resolve "yyy.dyndns.org"];
/log info "$resolveIP";
/ip ipsec peer set 3 address="$resolveIP"
/ip ipsec policy set 3 sa-dst-address="$resolveIP"

psamsig · February 25, 2011, 9:13pm

Here is what I use:

/ip ipsec {
    :foreach i in=[peer find comment~"^\\+.*"] do={
        :local curPeerIP [peer get $i address]
        :set curPeerIP [:pick $curPeerIP 0 [:find $curPeerIP "/" -1]]

        :local dnsName [peer get $i comment]
        :set dnsName [:pick $dnsName 1 [:len $dnsName]]
        :local dnsAddress [:resolve $dnsName]
        
        :if ($curPeerIP != $dnsAddress) do={
            policy set [policy find sa-dst-address=$curPeerIP] sa-dst-address=$dnsAddress;
            peer set $i address=($dnsAddress . "/32:500");
        }
    }
}

I add the DNS name as comment to the ip ipsec peer, prefixed with a + like “+xxx.dyndns.org” (it is part of a larger script complex that enables and disables dynamic update with different prefix characters). It only makes changes when needed, and it can handle multiple policies per peer.
ipsec peer comments was introduced a while back, but hasn’t found its way into WinBox yet, so add by cli.

jbabbtech · March 10, 2011, 1:51am

I like the attached script but I still don’t understand why the set property does not work correctly.

fewi · March 10, 2011, 1:55am

Probably because you cannot just use item numbers in scripts. You should find the peer item, and then set on that found item.

pbalazs123 · January 28, 2012, 3:08pm

psamsig:

Here is what I use:
/ip ipsec {
    :foreach i in=[peer find comment~"^\\+.*"] do={
        :local curPeerIP [peer get $i address]
        :set curPeerIP [:pick $curPeerIP 0 [:find $curPeerIP "/" -1]]

        :local dnsName [peer get $i comment]
        :set dnsName [:pick $dnsName 1 [:len $dnsName]]
        :local dnsAddress [:resolve $dnsName]
        
        :if ($curPeerIP != $dnsAddress) do={
            policy set [policy find sa-dst-address=$curPeerIP] sa-dst-address=$dnsAddress;
            peer set $i address=($dnsAddress . "/32:500");
        }
    }
}
I add the DNS name as comment to the ip ipsec peer, prefixed with a + like “+xxx.dyndns.org” (it is part of a larger script complex that enables and disables dynamic update with different prefix characters). It only makes changes when needed, and it can handle multiple policies per peer.
ipsec peer comments was introduced a while back, but hasn’t found its way into WinBox yet, so add by cli.

Hi folks!

I know this is a bit outdated topic, but i need help with this script. My problem is that my destination and source address is dynamic too. I need a script that can update sa-dst-address and sa-src-address too. Can someone wrote another script? It’s urgently needed.

Example pictures of what i need:

Thank you!

pbalazs123 · February 4, 2012, 3:27pm

No one can help?