mikruser
Member
Topic Author
Posts: 407
Joined: Wed Jan 16, 2013 6:28 pm

Feature request - DNS names in IPsec

Thu Jul 13, 2017 5:57 pm

Hello,

Please add ability to use DNS names in:

IP-IPsec-Policies-General\Action-Dst.Address
IP-IPsec-Peers-General-Address
Do not ask me why it is necessary.
 
JimmyNyholm
Member Candidate
Posts: 249
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Feature request - DNS names in IPsec

Sun Jul 16, 2017 4:47 pm

+1.
And by all means make IP changes and DNS updates get reflected in peers and other IPsec-related stuff.
 
lp13
just joined
Posts: 21
Joined: Thu Jul 27, 2017 10:31 am

Re: Feature request - DNS names in IPsec

Mon Jul 31, 2017 9:45 am

+1

For me this is a very relevant function.
 
Cha0s
Forum Veteran
Posts: 922
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature request - DNS names in IPsec

Mon Jul 31, 2017 12:01 pm

+1

I rely on scripting to make this work at the moment. It would be nice to have this natively supported by ROS as was done in EoIP tunnels etc.
 
lp13
just joined
Posts: 21
Joined: Thu Jul 27, 2017 10:31 am

Re: Feature request - DNS names in IPsec

Mon Jul 31, 2017 2:27 pm

+1

Can you share your script? I would be very obliged.
 
Cha0s
Forum Veteran
Posts: 922
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature request - DNS names in IPsec

Mon Jul 31, 2017 8:39 pm

Here it is.

# Name whose address the IPsec peer/policy should follow, and the comment
# that tags the peer and policy entries the script rewrites.
:local ddnsname "ddns.example.net";
:local ipseccomment "a unique comment";
# Global so the last-seen address survives between scheduler runs.
:global prevddns;

# First run (or first run after a reboot): initialise the global so the
# comparison below has something to compare against.
:if ([ :typeof $prevddns ] = "nothing" ) do={
	:global prevddns 0.0.0.0/0
}

# Resolve the name now; if resolution fails the script stops here and
# nothing is changed.
:local currentddns [:resolve "$ddnsname"];

:if ($prevddns = $currentddns) do={
	#:log info ("No DDNS change...")
} else={

	:log info ("DDNS IP address changed from " . "$prevddns" . " to " . "$currentddns" )

	# Look up the peer and the policy by their shared comment.
	:local PolicyNumber [/ip ipsec policy find comment=$ipseccomment]
	:local PeerNumber [/ip ipsec peer find comment=$ipseccomment]

	# Point both at the new address, then bounce the peer and drop the
	# existing SAs and connections so the tunnel is re-established.
	/ip ipsec peer set $PeerNumber address="$currentddns/32"
	/ip ipsec policy set $PolicyNumber dst-address="$currentddns/32" sa-dst-address="$currentddns"
	/ip ipsec peer disable $PeerNumber
	/ip ipsec peer enable $PeerNumber
	/ip ipsec installed-sa flush
	/ip ipsec remote-peers kill-connections

	:log info ("Updated IPsec")

	# Remember the address for the next run.
	:global prevddns $currentddns;
}

It's nothing fancy but it works for me.

You need to edit ddnsname to your (dynamic) DNS record.
And you need to set a unique comment on the IPsec Peer and Policy you need to dynamically change when the DNS IP changes. Both Peer and Policy must have the same comment.
You then set the same comment on the ipseccomment var in the second line of the script.

You finally configure the script to run via System > Scheduler every X seconds or minutes.
I run my own DDNS service with a 1-second TTL, so the new IP gets propagated almost immediately, so I run the script every 3 seconds.
If your DDNS service has a higher TTL then running it so often doesn't make much sense, but it's lightweight anyway, so you could even run it every 1 second.

All the script does is it resolves the DDNS name and it compares it to whatever it was during the last run (or if it's the first time it runs it will set it to 0.0.0.0/0 just to initialize the variable). If the IP resolved has changed, then it updates the IPsec policy and peer and then disables/enables the peer and flushes IPsec connections.

I don't know if it is the proper/best way to do it, but it has been working for me for many years without any problems :)

Feel free to use/edit as you please.
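Wiring the script in, as an added RouterOS CLI example written by the editor, not part of Cha0s's post or of the RouterOS documentation: it tags the peer and the policy with the shared comment, stores the script, schedules it, and shows how to confirm it is firing. The current peer address 203.0.113.10, the script name ipsec-ddns and the 3-second interval are assumptions; the script body from the post goes where the placeholder stands.

```routeros
# Tag the peer and the policy that the script is allowed to rewrite.
# 203.0.113.10 is an assumed placeholder for the peer's current address;
# the comment must match the ipseccomment value in the script.
/ip ipsec peer set [find address="203.0.113.10/32"] comment="a unique comment"
/ip ipsec policy set [find dst-address="203.0.113.10/32"] comment="a unique comment"

# Store the script under an assumed name. Paste the script body from the
# post in place of the placeholder (or create it in WinBox under System > Scripts).
/system script add name=ipsec-ddns source="<paste the script body here>"

# Run it every 3 seconds, matching the interval used in the post.
/system scheduler add name=ipsec-ddns interval=3s on-event=ipsec-ddns

# Checks: the scheduler entry exists and has a run count, the script logs
# its changes, and the peer shows up once the tunnel re-establishes.
/system scheduler print
/log print where message~"DDNS"
/ip ipsec remote-peers print
```

Two things to keep in mind before scheduling this on a router that carries more than one tunnel: /ip ipsec installed-sa flush and /ip ipsec remote-peers kill-connections act on every IPsec peer on the router, not only the tagged one, so each DDNS change briefly drops all tunnels; and because the global variable does not survive a reboot, the first run after a reboot always takes the update path once. The peer address becomes whatever the router's resolver returns, so the DNS servers configured under /ip dns should be ones you control or trust.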
 
lp13
just joined
Posts: 21
Joined: Thu Jul 27, 2017 10:31 am

Re: Feature request - DNS names in IPsec

Tue Aug 01, 2017 8:51 am

Thank you very much. Will try to use it in my environment.
 
albgen
just joined
Posts: 9
Joined: Thu Sep 22, 2016 8:32 pm

Re: Feature request - DNS names in IPsec

Fri May 11, 2018 4:43 pm

Needed for me as well, +1.
