```routeros
/interface eoip add \
    allow-fast-path=no \
    arp=proxy-arp \
    ipsec-secret=[SHARED_KEY] \
    keepalive=2s,2 \
    local-address=[STATIC_WAN_IP] \
    mac-address=00:00:5E:80:20:05 \
    name=eoip-remote-location \
    remote-address=remote.location.domain.com \
    tunnel-id=2
```
```routeros
/interface eoip add \
    allow-fast-path=no \
    arp=proxy-arp \
    ipsec-secret=[SHARED_KEY] \
    keepalive=2s,2 \
    local-address=[DYNAMIC_WAN_IP] \
    mac-address=00:00:5E:80:20:06 \
    name=eoip-home-location \
    remote-address=home.location.domain.com \
    tunnel-id=2
```
1. The local address cannot be a domain - you can type it, but it will be resolved only once. It works properly, for quite some time, for the remote address however (wtf?)
2. The bigger problem, and the bug, hits when the WAN IP changes and the configuration needs to be updated on the remote location. Changing the address changes it on the interface only, while all the IPSec stuff like the policy stays with the old address. Since the elements created in IPSec are dynamic, you cannot alter them. This effectively makes it impossible to change the IP or, e.g., use a script to change it. The worst part of that is that the only way I've found to change the IP is to completely remove the interface and re-add it (which of course creates a gigantic mess in other places like the firewall).
I performed all tests on 6.37.3, since 6.38 is not production-stable yet. Does anyone have any suggestions?
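
The remove-and-re-add workaround described in the post, written as a RouterOS script that could be run from the scheduler on the router with the dynamic WAN IP. This is an added example, not part of the original post; the WAN interface name `ether1` (assumed to carry exactly one IPv4 address) is an assumption, and the tunnel values are copied from the second configuration above with the shared key left as a placeholder.

```routeros
# Added example, not from the original post.
# Assumptions: WAN interface is "ether1" and has exactly one IPv4 address.
:local tunnelName "eoip-home-location"
:local wanInterface "ether1"

# The WAN address is returned as "a.b.c.d/nn"; strip the prefix length.
:local wanCidr [/ip address get [find interface=$wanInterface] address]
:local wanIp [:toip [:pick $wanCidr 0 [:find $wanCidr "/"]]]

:local tunnel [/interface eoip find name=$tunnelName]

:if ([:len $tunnel] = 0) do={
    :log warning ("EoIP check: interface " . $tunnelName . " not found, nothing to compare")
} else={
    :local configuredIp [/interface eoip get $tunnel local-address]

    :if ($configuredIp != $wanIp) do={
        :log warning ("EoIP " . $tunnelName . ": local-address " . $configuredIp . \
            " does not match WAN address " . $wanIp . ", re-creating the interface")

        # Removing the interface also removes the dynamic IPsec entries
        # that were generated from ipsec-secret with the old address.
        /interface eoip remove $tunnel

        # Re-add with the same settings as in the post and the new local address.
        # SHARED_KEY is a placeholder; the key is stored in the script source,
        # so limit who can read scripts on this router.
        /interface eoip add \
            name=$tunnelName \
            local-address=$wanIp \
            remote-address=home.location.domain.com \
            tunnel-id=2 \
            mac-address=00:00:5E:80:20:06 \
            arp=proxy-arp \
            keepalive=2s,2 \
            allow-fast-path=no \
            ipsec-secret="SHARED_KEY"
    }
}
```

The script does nothing while the addresses match, so it is safe to schedule at a short interval; it does not restore firewall or other entries that referenced the removed interface.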