MikroTik community discussions

josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

IPSec with dyndns

Wed Jun 08, 2016 6:21 pm

Hello,

I have 2 MikroTik routers at different sites and I want to join both with IPSec.

I have a dynamic public IP at both sites, but I use dyndns and it works great for access from outside.

I tried to configure IPSec but I cannot add a DNS name in the "SA Src. Address" field.

Is it possible to configure IPSec without a static public IP?

Kind regards.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: IPSec with dyndns

Wed Jun 08, 2016 6:29 pm

You would need to set up some regular script to change the IP addresses when they change.
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re: IPSec with dyndns

Wed Jun 08, 2016 6:56 pm

You would need to set up some regular script to change the IP addresses when they change.
Thanks!

I have a script on a server inside the LAN to update the IP of the DNS name.

But the problem is that I cannot add a DNS name in the field, just an IP address.

Regards.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Wed Jun 08, 2016 7:39 pm

I can post my script later

Sent from my XT1575 using Tapatalk
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re:

Wed Jun 08, 2016 11:59 pm

I can post my script later

Sent from my XT1575 using Tapatalk
Thanks!
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: IPSec with dyndns

Thu Jun 09, 2016 3:44 am

This is basically it... I use it for dynamic-to-dynamic EoIP over IPSec....

I can give you one for pure IPSec too... basically the same thing....

The way I chose to do it is to place a comment on each of the parts that looks like +eoip+<HOSTNAME>... (e.g. +eoip+blah.dyndns.com)....

It runs through... resolves the URL and then updates all of the parts... I run it on both ends... works perfectly.
#.* by RouterOS
#
# Dynamic Site To Site VPN Script - EoIP over IPSec Only
#

# Set Comments (Tunnel, Peer, Policy) = "+eoip+<HOSTNAME>"

#
# Variables
#
:local currentLocalSiteInterface "ether01-gateway"
:local currentLocalSite ""

:local forceUpdate false

:local IPSecCyclePeers false
:local IPSecFlushSAs false
:local IPSecKillConnections false


#
# Script
#
:global localSite 

:set currentLocalSite [/ip dhcp-client get [/ip dhcp-client find interface=$currentLocalSiteInterface] address]
:set currentLocalSite [:pick $currentLocalSite 0 [:find $currentLocalSite "/" -1]]

:if ([:typeof $localSite] = "nothing") do={
	:set localSite ""
}

:if ($currentLocalSite != $localSite) do={
	:set forceUpdate true
	:set localSite $currentLocalSite
}

/ip ipsec {
	:local hadUpdate false

	:foreach i in=[peer find comment~"^([^+]*\\+eoip\\+([^+]*)\$"] do={
		:local remoteSite [peer get $i address]
		:set remoteSite [:pick $remoteSite 0 [:find $remoteSite "/" -1]]

		:local peerComment [peer get $i comment]
		
		:local policyNumber [policy find comment=$peerComment]
		:local peerNumber $i

		# Comment is "+<mode>+<HOSTNAME>": strip the leading "+", then split on the next "+"
		:local tcomment [:pick $peerComment ([:find $peerComment "+"]+1) [:len $peerComment]]
		:local mode [:pick $tcomment 0 ([:find $tcomment "+"])]
		:local dnsName [:pick $tcomment ([:find $tcomment "+"]+1) [:len $tcomment]]

		:do {
			:local currentRemoteSite [:resolve $dnsName]
		
			:if ($forceUpdate || $remoteSite != $currentRemoteSite) do={
				peer set $peerNumber address="$currentRemoteSite/32"
				policy set $policyNumber dst-address="$currentRemoteSite/32" src-address="$currentLocalSite/32" sa-dst-address=$currentRemoteSite sa-src-address=$currentLocalSite

				:local tunnelNumber [/interface eoip find comment=$peerComment]
				/interface eoip set $tunnelNumber remote-address=$currentRemoteSite

				:if ($IPSecCyclePeers) do={
					peer disable $peerNumber
					peer enable $peerNumber
				}

				:set hadUpdate true
			}
		} on-error={
			:log error ("DynamicSiteToSiteVPNMini: Failed Updating - \"" . $peerComment . "\"")
		}
	}

	:if ($hadUpdate) do={
		:if ($IPSecFlushSAs) do={
			installed-sa flush
		}

		:if ($IPSecKillConnections) do={
			remote-peers kill-connections 
		}
	}
}
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re: IPSec with dyndns

Thu Jun 09, 2016 10:11 am

Thank you very much.

Could you send me the pure IPSec one?

I am new to scripting; where could I define the remote DNS name?

Do you run it with a schedule?

Thank you very much.

Best regards.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: IPSec with dyndns

Sat Jun 11, 2016 9:44 pm

#.* by RouterOS
#
# Dynamic Site To Site VPN Script - IPSec Only
#

# Set Comments (Tunnel, Peer, Policy) = "+<HOSTNAME>"

#
# Variables
#
:local currentLocalSiteInterface "ether01-gateway"
:local currentLocalSite ""

:local forceUpdate false

:local IPSecCyclePeers false
:local IPSecFlushSAs false
:local IPSecKillConnections false


#
# Script
#
:global localSite 

:set currentLocalSite [/ip dhcp-client get [/ip dhcp-client find interface=$currentLocalSiteInterface] address]
:set currentLocalSite [:pick $currentLocalSite 0 [:find $currentLocalSite "/" -1]]

:if ([:typeof $localSite] = "nothing") do={
   :set localSite ""
}

:if ($currentLocalSite != $localSite) do={
   :set forceUpdate true
   :set localSite $currentLocalSite
}

/ip ipsec {
   :local hadUpdate false

   :foreach i in=[peer find comment~"^([^+]*\\+([^+]*)\$"] do={
      :local remoteSite [peer get $i address]
      :set remoteSite [:pick $remoteSite 0 [:find $remoteSite "/" -1]]

      :local peerComment [peer get $i comment]
      
      :local policyNumber [policy find comment=$peerComment]
      :local peerNumber $i

      # Comment is "+<HOSTNAME>" here (no mode tag), so everything after the leading "+" is the DNS name
      :local dnsName [:pick $peerComment ([:find $peerComment "+"]+1) [:len $peerComment]]

      :do {
         :local currentRemoteSite [:resolve $dnsName]
      
         :if ($forceUpdate || $remoteSite != $currentRemoteSite) do={
            peer set $peerNumber address="$currentRemoteSite/32"
            policy set $policyNumber sa-dst-address=$currentRemoteSite sa-src-address=$currentLocalSite

            :if ($IPSecCyclePeers) do={
               peer disable $peerNumber
               peer enable $peerNumber
            }

            :set hadUpdate true
         }
      } on-error={
         :log error ("DynamicSiteToSiteVPNMini: Failed Updating - \"" . $peerComment . "\"")
      }
   }

   :if ($hadUpdate) do={
      :if ($IPSecFlushSAs) do={
         installed-sa flush
      }

      :if ($IPSecKillConnections) do={
         remote-peers kill-connections 
      }
   }
}

Modified it a little... I think it will work... you don't modify the script. You just put +hostname comments on the peer and policy and the script looks for them. E.g.
Peer and Policy should have comments "+blah.dyndns.org"....

Does that make sense? Then just run the script every x minutes....
Basically I designed it so you don't have to modify the script really at all.... The variables at the top control how the script determines the local IP address.... and whether to forcefully recycle the connections. Other than that the script will just look for the peer and policy that have the specific comment on them. It will actually handle as many tunnels as you want...
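To make the deployment concrete, here is an added example (mine, not efaden's code and not from MikroTik) of the configuration that goes around the pure-IPSec script posted above: the peer and the policy carry the "+<hostname>" comment, the script is installed under a name, and a scheduler runs it every few minutes. The hostname vpn-siteb.example.dyndns.org, the LAN subnets, the 203.0.113.x/198.51.100.x placeholder addresses, the pre-shared key placeholder, the script name dyn-ipsec-update, the read,write policy set and the 5-minute interval are all assumptions; the syntax is RouterOS 6.3x-era (secret still on the peer), matching the scripts in this thread.

```routeros
# Added example, not from the thread. Assumed values: hostname
# vpn-siteb.example.dyndns.org, LAN 192.168.1.0/24 here and 192.168.2.0/24 at
# the remote site, script name dyn-ipsec-update, 5-minute interval. Apply the
# mirror of this on the other router with the hostname and subnets swapped.

# 1. Peer. The address is only a bootstrap placeholder (203.0.113.10 is a
#    documentation address); on the first run forceUpdate is true and the
#    script rewrites it to the resolved /32. The DNS answer never
#    authenticates the remote end; the pre-shared key (or a certificate)
#    does, so make it long and random and give each site pair its own.
/ip ipsec peer add address=203.0.113.10/32 exchange-mode=main \
    auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    comment="+vpn-siteb.example.dyndns.org"

# 2. Policy. src/dst are the LAN subnets and the script leaves them alone;
#    sa-src/sa-dst are the public endpoints the script keeps current
#    (198.51.100.20 is another documentation placeholder for the local side).
#    The comment must be byte-identical to the peer's, because the script
#    locates the policy with "policy find comment=$peerComment".
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 \
    tunnel=yes action=encrypt proposal=default \
    comment="+vpn-siteb.example.dyndns.org"

# 3. Install the script. Paste the pure-IPSec script from the post above as
#    the source, and set currentLocalSiteInterface inside it to the interface
#    that runs your DHCP client. read,write is the policy set assumed here
#    (it reads the DHCP client and writes peers/policies); the RouterOS
#    default grants far more, so set it explicitly.
/system script add name=dyn-ipsec-update policy=read,write \
    source="<paste the pure-IPSec script from the post above here>"

# 4. Run it on a schedule. A run changes nothing unless the resolved remote
#    address differs from the peer's, or the local address changed.
/system scheduler add name=dyn-ipsec-update interval=5m \
    on-event="/system script run dyn-ipsec-update" policy=read,write

# 5. Checks after the first run: the peer should show the resolved address,
#    an SA pair should be installed, and the log should be free of the
#    "Failed Updating" message the script writes when :resolve fails.
/ip ipsec peer print where comment~"^[+]"
/ip ipsec installed-sa print
/log print where message~"DynamicSiteToSiteVPNMini"
```

For the EoIP variant from the earlier post the only differences are the comment format, "+eoip+<hostname>", and that the EoIP interface carries the same comment so its remote-address gets updated too. If the log shows the "Failed Updating" line at every run, the hostname is not resolving from the router itself (check /ip dns), and the tunnel will stay on the last good address until it does.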
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re: IPSec with dyndns

Thu Jun 16, 2016 5:08 pm

Thanks!

I will try it.

Regards.
