Community discussions

MikroTik App
  4. RouterOS
  5. General

IPSEC dynamic peer ip

Post Reply
 
karadn
just joined
Topic Author
Posts: 7
Joined: Mon Jun 08, 2015 4:44 pm

IPSEC dynamic peer ip

Wed Feb 20, 2019 8:49 am

Hello,

I have Mikrotik router on server side with static public IP. Other side have dynamic public IP and it is Edgerouter.
The traffic betwen clients works if I create ipsec policy with SA Src. Address and SA Dst. Address.

Because remote side have dynamic IP I like to have dynamic policy, that there is no need to change SA Dst. Address. I create template policy with 0.0.0.0 SA Dst. Address, IPSEC is enstablished but there is no traffic betwen?

Have can I correct set up the ipsec and policy template? Or is there some other configuration if remote peer have dynamic IP?

There is my setup:
Code: Select all
/ip ipsec> policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, 
* - default 
 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all 
       proposal=default template=yes 

 1 T   ;;; VPN1
       group=grp-VPN1 src-address=10.99.9.0/24 dst-address=192.168.254.0/24 
       protocol=all proposal=VPN1 template=yes 
       
/ip ipsec> peer print 
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; VPN1
       address=ddns.domain.net profile=VPN1 
       auth-method=pre-shared-key secret="XXXX" 
       generate-policy=port-strict policy-template-group=grp-VPN1
       exchange-mode=ike2 send-initial-contact=no
Top
 
Farseer
just joined
Posts: 22
Joined: Sat Feb 09, 2019 11:25 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 1:37 pm

Hi,

As far as I know, RouterOS doesn't have a way to update the SA Src. Address and SA Dst. Address if any of the sites is on Dynamic IP. The solution to this is to create a script, test it out manually, and if its fine, put it on a scheduler to run every minute.

Here is a script that I used, can be set in System > Scripts :
Code: Select all
:log info "Starting IPSEC update"

# Set needed variables and resolve remotedomain and local domain

:global RemoteIp [:resolve PUT DDNS OR CLOUD IP HERE FOR SA DST LOCATION]
:global LocalIp [:resolve PUT DDNS OR CLOUD IP HERE FOR SA SRC LOCATION]

# get actual values of sa-dst-address and sa-src-address (change numbers accordingly in this section and in the section below)

:global actual [/ip ipsec policy get 0 sa-dst-address]
:global actuallocal [/ip ipsec policy get 0 sa-src-address]

#change policy if remote or local ip changed

:if ($RemoteIp !=$actual)  do={
:log info "Check Remote Ip: Update required $RemoteIp"
/ip ipsec policy set 0 sa-dst-address=$RemoteIp sa-src-address=$LocalIp} else= {:log info "No need to update"}
:log info "Remote update done, next local"
:if ($LocalIp !=$actuallocal) do={
:log info "CheckLocalIp: Update required $LocalIp"
/ip ipsec policy set 0 sa-dst-address=$RemoteIp sa-src-address=$LocalIp} else= {:log info "No need to update"}
:log info "IPSEC update done"
You can use the Cloud feature of the RouterOS to work like a DDNS service but be prepared as this will expose the router publicly and you will need to have a good non standard password AND also to block ssh/telnet brute force attacks on the router. This is the basic gist of it.
Top
 
karadn
just joined
Topic Author
Posts: 7
Joined: Mon Jun 08, 2015 4:44 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 2:30 pm

Thank you for your answer and script, I will check it.

Does someone know how then dynamic policy works with ipsec?
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 2:56 pm

Dynamic policy refers to policies created internally by RouterOS as a result of other configuration (i.e. not adding the policy in the ipsec menu).
It can be:
- using simple IPsec config in tunnel interfaces
- incoming IPsec connections from dynamic addresses e.g. using L2TP?IPsec

There is no easy support for direct IPsec tunnels to dynamic addresses.
Top
 
Farseer
just joined
Posts: 22
Joined: Sat Feb 09, 2019 11:25 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 3:13 pm

Thank you for your answer and script, I will check it.

Does someone know how then dynamic policy works with ipsec?
With that script running with a scheduler, every minute it will check for the DDNS names you entered and update the SA SRC and DST addresses. in IPsec > Peer, just set the address as the DDNS name of the remote site. If you cannot do it, update the firmware, as in the later versions they added this functionally. Simply put, IPSec works just as fine as long as you keep the addresses correct via DDNS names or Mikrotik cloud option. I have 3 vpn tunnels going between 3 sites, 2 of which have Dynamic WAN IP, and no issues with the scripts and scheduler.
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 3:19 pm

Ok I did not look into the script exactly, but AFAIK it is not implemented in RouterOS to connect with a remote that has
a dynamic IP (identify it via remote ID or certificate) and then use that association without fixup via some script.
Using DDNS is kind of a workaround for that problem, but it would be better when it was solved or at least there
would be the option to run a script on IPsec connection establishment (so it would not have to be scheduled).
Top
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 3:34 pm

RouterOS will try to generate a policy from template if generate-policy is set when the other side requests a new Phase 2. In your 'print' commands it seems that the policy is not generated, but to further troubleshoot the issue, debug logs should be posted.

This is how I would deal with dynamic addresses and IPsec:

https://wiki.mikrotik.com/wiki/Manual:I ... _using_DNS
Top
 
Farseer
just joined
Posts: 22
Joined: Sat Feb 09, 2019 11:25 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 4:07 pm

Ok I did not look into the script exactly, but AFAIK it is not implemented in RouterOS to connect with a remote that has
a dynamic IP (identify it via remote ID or certificate) and then use that association without fixup via some script.
Using DDNS is kind of a workaround for that problem, but it would be better when it was solved or at least there
would be the option to run a script on IPsec connection establishment (so it would not have to be scheduled).
The connection establishment will work automatically as long as both sites have the correct settings to establish an IPSec connection to each other. the Script is for resolving the host name and automatically updating it, sort of like what DDNS does, but we are just automating the function of refreshing the address in SA src and dst, which is the only one which has an issue. AFAIK, this is the only way of working with dynamic IPs. RouterOS can connect to a router that has a dynamic WAN IP, you can connect at any time. the issue is when that IP changes, and you need the new IP. The script checks for IP changes and resolves it and auto updates the SA src and dst fields. Using DDNS/Cloud is the only way to do it, and whilst yes it would great if workarounds were not needed, the system works quite well.
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC dynamic peer ip

Wed Feb 20, 2019 4:18 pm

I see two different use cases:
1. you want to connect outbound to some other router which is mostly on a static address but it can change sometimes.
there you can use DDNS for a satisfactory solution

2. you want to accept inbound connections from other routers that are on wildly dynamic addresses (e.g. road warriors).
for this, DDNS is not satisfactory.

RouterOS can handle case 2 when you have e.g. L2TP/IPsec with a single key and additional user/pass to identify the user,
but not when you use e.g. GRE/IPsec to multiple peers each with a different key and ID. That can only be done with
a script, and the script cannot be triggered by the event itself (new incoming IPsec connection) so you have to kludge
with a script run every minute or so.
Top
 
karadn
just joined
Topic Author
Posts: 7
Joined: Mon Jun 08, 2015 4:44 pm

Re: IPSEC dynamic peer ip

Thu Feb 21, 2019 8:21 am

So the only resolution is to use the script or go with L2TP/IPSEC configuration. Thank you for answers.

I have two policy that must be change with a script, but I can change only one, the secondary not return actual IP?
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC dynamic peer ip

Thu Feb 21, 2019 11:03 am

For an easy out-of-the-box solution for dynamic IP I always use L2TP/IPsec. And then I assign a fixed IP to each user
and setup BGP to communicate the subnet routes at their endpoints. (BGP set to passive at the central router)

For static addresses I normally use GRE/IPsec and still have BGP over it, but it can be static routes as well.

Thanks to MikroTik's easy setup of IPsec and BGP it can be done in a few minutes. When you have a little experience, of course.
Just setup the L2TP server with IPsec support (use a separate /24 subnet for this, assign it to a bridge with no ports at the central router),
the ppp secrets (user/pass) with their remote-address, set a different BGP AS number (above 65000) and the bgp peers on each router.
And add the local network ranges of each router into the bgp networks.

Easy VPN that easily extends with new networks.
Top
 
pawelkopec88
just joined
Posts: 10
Joined: Wed Mar 14, 2018 11:06 pm

Re: IPSEC dynamic peer ip

Mon Aug 19, 2019 9:14 am

https://pastebin.pl/view/babe9227?fbcli ... F9TN3qfwpY

Script for RouterOS 6.45 or higher for two sites dynamic
Top
Post Reply

Who is online

Users browsing this forum: GoogleOther [Bot] and 179 guests
  4. RouterOS
  5. General