Site-to-site IPSec VPN with dynamic IP on both sides

Dear Friends,

I need to set up a VPN between two sites that have ADSL with dynamic IPs at both sides. Is it possible to do this with MikroTik? I wish to use a RouterBOARD with MikroTik at both sides. How can I do it?

Tks

You can set this up with dynamic addresses, but you’ll have to manually change the config each time the address changes. One way to automate this is to use a dynamic DNS service to update a published DNS name each time the dynamic address is updated, then create a script which queries the hostname and reconfigures the IPSec tunnel.

I did something similar for NTP where I wanted to use NTP pools, but MikroTik doesn’t support putting hostnames in the NTP config. Here’s the code for the script, which should give you an idea how to do the same for IPSec.

/system ntp client
set primary-ntp=[:resolve 3.nz.pool.ntp.org]
set secondary-ntp=[:resolve 1.oceania.pool.org]

You would need to substitute the location of the config for the IPSec tunnel IPs. You need to schedule the script to run periodically to pick up when the dynamic address changes. However, be careful, as the DNS server might be caching the results. It might be better to query the Dynamic DNS service directly.

Regards

Chris Macneill

Hi,

I take this old post to ask if it could be possible to add this new feature to the RouterOS?

It could be very handy to use dns names in IPSec configuration instead of static IPs.

Is there an existing workaround ?

Thanks for any help,

Ekka

A workaround would be to have a scheduled script that resolves the DNS name periodically, and compares it to the IP address configured on the peer. If they differ it changes the peer IP address and flushes all SAs.

Thanks fewi, very much appreciated.
Unfortunately I’m no expert in RouterOS script.
Would you be kind to post an example of such a script ?

I don’t use that, so I don’t have such a script ready.

I guess it would look a little like this, though this is completely and utterly untested and only written in the browser:

# change the two variables below. dnsName should be set to the name to resolve, peerName should be the comment of the peer instance in "/ip ipsec peer"
:local dnsName "myserver.com";
:local peerName "this peer";

# resolve the name and append /32 so it matches the peer's address format
:local newIP ([:resolve $dnsName] . "/32");
# look up the peer by its comment and read the address currently configured on it
:local peerId [/ip ipsec peer find comment="$peerName"];
:local oldIP [/ip ipsec peer get $peerId address];
:if ($newIP = $oldIP) do={
  :log info "no IPsec peer changes necessary";
} else={
  :log info "Changing IPsec peer $peerName IP address to $newIP, flushing SAs";
  # point the peer at the newly resolved address, then drop the old SAs so they are renegotiated
  /ip ipsec peer set $peerId address=$newIP;
  /ip ipsec installed-sa flush;
}

Again, that’s off the top of my head, written in the browser, I don’t even have access to RouterOS right now to check syntax, so it likely contains errors. Hopefully it’ll get you started.
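A fuller version of the same workaround, added here as an example and not fewi's script or anything from MikroTik: it flushes the router's own DNS cache before resolving (the caching concern Chris raised), refuses to touch the peer when the name cannot be resolved or the peer comment does not match, and is meant to be saved as a script and run from the scheduler. The names `peer.example.com`, `this peer` and the script name `ipsec-dyn-peer` are placeholders; `:do { } on-error={ }` needs a RouterOS version that supports it.

```routeros
# Added example. Save as: /system script add name=ipsec-dyn-peer source=...
# then run it every few minutes:
#   /system scheduler add name=ipsec-dyn-peer interval=5m on-event=ipsec-dyn-peer
# Placeholders: dnsName is the dynamic DNS name of the other site, peerName is the
# comment set on the matching entry in "/ip ipsec peer".
:local dnsName "peer.example.com";
:local peerName "this peer";

# Drop cached records so a stale answer from a previous run is not reused
/ip dns cache flush;

# Resolve the name; on failure log it and stop without changing anything
:local resolved;
:do {
    :set resolved [:resolve $dnsName];
} on-error={
    :log warning "ipsec-dyn-peer: could not resolve $dnsName, leaving peer unchanged";
    :error "resolve failed";
}

# Peer addresses are stored with a prefix length, so build the same form
:local newIP ("$resolved" . "/32");

# Find the peer by comment and bail out if there is no such peer
:local peerId [/ip ipsec peer find comment="$peerName"];
:if ([:len $peerId] = 0) do={
    :log error "ipsec-dyn-peer: no peer with comment $peerName";
    :error "peer not found";
}
:local oldIP [/ip ipsec peer get $peerId address];

:if ($newIP = $oldIP) do={
    :log debug "ipsec-dyn-peer: $peerName still at $oldIP";
} else={
    :log info "ipsec-dyn-peer: $peerName moved $oldIP -> $newIP, updating peer and flushing SAs";
    /ip ipsec peer set $peerId address=$newIP;
    # Old SAs were negotiated with the previous address; flush so they are rebuilt
    /ip ipsec installed-sa flush;
}
```

Run it on both routers, each pointed at the other site's dynamic DNS name. Flushing the installed SAs drops the tunnel for a moment, which is why the script only does so when the resolved address actually differs from the configured one.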

Thanks, much appreciated