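#.* by RouterOS
#
# Dynamic Site To Site VPN Script - EoIP over IPSec Only
#
# Keeps each IPsec peer address and its policy's SA endpoints in sync with a
# DNS name. Tag the peer and its policy with the same comment, "+<HOSTNAME>"
# (exactly one "+", followed by the DNS name of the remote site). On every run
# the script resolves <HOSTNAME> and rewrites the peer address and the policy
# sa-src-address / sa-dst-address when the remote or the local address changed.
#
# Besides logging and DNS resolution the script reads only /ip dhcp-client and
# writes only /ip ipsec. Every successful rewrite and every failure is logged so
# that changes to tunnel endpoints stay auditable; the peer address follows
# whatever the router's resolver returns, so the log line is the place to look
# when a tunnel endpoint moves unexpectedly.
#
# Variables
#
# Interface whose DHCP-client lease supplies the local site's public address.
:local currentLocalSiteInterface "ether01-gateway"
:local currentLocalSite ""
# Becomes true when the local address differs from the one seen on the last
# run; forces every tagged peer/policy to be rewritten even if its remote
# address is unchanged.
:local forceUpdate false
# Optional post-update actions, all off by default.
:local IPSecCyclePeers false
:local IPSecFlushSAs false
:local IPSecKillConnections false
#
# Script
#
# Global so the local address seen on the previous run survives between runs.
:global localSite

# Look the DHCP client up first: "get" on an empty find result would abort the
# script with an unhelpful error instead of saying which interface is wrong.
:local dhcpClient [/ip dhcp-client find interface=$currentLocalSiteInterface]
:if ([:len $dhcpClient] = 0) do={
    :log error ("DynamicSiteToSiteVPNMini: No DHCP client on interface \"" . $currentLocalSiteInterface . "\"")
    :error "DynamicSiteToSiteVPNMini: no DHCP client found"
}
:set currentLocalSite [/ip dhcp-client get $dhcpClient address]
# Strip the prefix length ("a.b.c.d/nn" -> "a.b.c.d").
:set currentLocalSite [:pick $currentLocalSite 0 [:find $currentLocalSite "/" -1]]

# First run: the global does not exist yet.
:if ([:typeof $localSite] = "nothing") do={
    :set localSite ""
}
:if ($currentLocalSite != $localSite) do={
    :set forceUpdate true
    :set localSite $currentLocalSite
}

/ip ipsec {
    :local hadUpdate false
    # Select peers whose comment contains exactly one "+" (the "+<HOSTNAME>"
    # tag). The expression is a plain anchored match; the grouping parentheses
    # the earlier version used were unbalanced and never compiled.
    :foreach peerNumber in=[peer find comment~"^[^+]*\\+[^+]*\$"] do={
        :local remoteSite [peer get $peerNumber address]
        :set remoteSite [:pick $remoteSite 0 [:find $remoteSite "/" -1]]
        :local peerComment [peer get $peerNumber comment]
        # The policy for this tunnel carries the same comment as the peer.
        :local policyNumber [policy find comment=$peerComment]
        :if ([:len $policyNumber] = 0) do={
            :log warning ("DynamicSiteToSiteVPNMini: No policy with comment \"" . $peerComment . "\"")
        }
        # Everything after the single "+" is the DNS name of the remote site.
        :local dnsName [:pick $peerComment ([:find $peerComment "+"] + 1) [:len $peerComment]]
        :do {
            :local currentRemoteSite [:resolve $dnsName]
            :if ($forceUpdate || $remoteSite != $currentRemoteSite) do={
                peer set $peerNumber address="$currentRemoteSite/32"
                policy set $policyNumber sa-dst-address=$currentRemoteSite sa-src-address=$currentLocalSite
                # Record old -> new so endpoint changes can be audited later.
                :log info ("DynamicSiteToSiteVPNMini: Updated \"" . $peerComment . "\" " . $remoteSite . " -> " . $currentRemoteSite . " (local " . $currentLocalSite . ")")
                :if ($IPSecCyclePeers) do={
                    peer disable $peerNumber
                    peer enable $peerNumber
                }
                :set hadUpdate true
            }
        } on-error={
            # Covers a failed DNS lookup as well as a failed peer/policy set.
            :log error ("DynamicSiteToSiteVPNMini: Failed Updating - \"" . $peerComment . "\"")
        }
    }
    # Post-update actions act on every tunnel of this router, not only on the
    # ones that changed.
    :if ($hadUpdate) do={
        :if ($IPSecFlushSAs) do={
            installed-sa flush
        }
        :if ($IPSecKillConnections) do={
            remote-peers kill-connections
        }
    }
}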
Modified it a little... I think it will work... you don't modify the script. You just put +hostname comments on the peer and policy and the script looks for them. E.g.
Peer and Policy should have comments "+blah.dyndns.org" ....
Does that make sense? Then just run the script every x minutes....
Basically I designed it so you don't have to modify the script at all.... The variables at the top control how the script determines the local IP address.... and whether to forcibly recycle the connections. Other than that the script just looks for the peer and policy that have the specific comment on them. It will actually handle as many tunnels as you want...