phuketmymac
Frequent Visitor
Topic Author
Posts: 66
Joined: Thu Jun 05, 2014 7:56 pm

Site-to-site IPsec tunnel using DNS names (mynetname.net)

Sat Feb 15, 2020 5:29 am

Hello,

I currently have an IPsec setup with 2 MikroTik routers.
In the peers menu, I've added the Cloud DNS name provided by MikroTik (mynetname.net) as the address of the remote site.
Both sites have dynamic public IPs, so I am using DNS names on both sides.

The connection works fine, but once in a while, I guess when one of the public IPs changes, the tunnel drops.
A restart will do; however, I would like to automate this part with a script.

But from what I've read and understand, I am doing it wrong and I should rather set up the tunnel using the temporary public IP as the remote address (in peers) and stop using the DNS name.
Then use scripts to check regularly for IP changes and update my tunnel accordingly.

Can someone confirm please?
Thanks!
 
McSee
Frequent Visitor
Posts: 84
Joined: Tue Feb 26, 2019 12:49 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Sat Feb 15, 2020 3:44 pm

> But from what I've read and understand, I am doing it wrong and I should rather set up the tunnel using the temporary public IP as the remote address (in peers) and stop using the DNS name.
> Then use scripts to check regularly for IP changes and update my tunnel accordingly.

No, it's absolutely fine to use a DNS name for the initiator peer.
Also, you don't have to use any name or address for the responder peer unless you have some specific requirements (several public IPs, etc.); just use ::/0 there.

If your tunnel doesn't re-establish by itself after several minutes, then there's probably something wrong with your config.
The default DPD interval / failures setting found in the IPsec Profile is a bit high by default; try to lower it for earlier detection when a tunnel is down.
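The layout McSee describes (DNS name only on the side that initiates, a passive responder that accepts any address with ::/0, and a shorter DPD interval), written out as RouterOS CLI commands. This is an example I added here, not configuration posted by anyone in this thread. It assumes IKEv1 main mode with a pre-shared key; the mynetname.net hostname, the secret, the LAN subnets and the peer/profile/proposal names are placeholders to be replaced.

```routeros
# Added example, not from the thread. Placeholders: SERIAL-B.sn.mynetname.net,
# CHANGE-ME-PSK, 192.168.10.0/24 (site A LAN), 192.168.20.0/24 (site B LAN).

# ---- Site A: initiator. Dynamic public IP, dials site B by its Cloud DNS name ----
# Profile with DPD lowered from the defaults (2m / 5 failures) so a dead
# IKE SA is noticed within about 90 seconds instead of roughly 10 minutes.
/ip ipsec profile add name=s2s-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal add name=s2s-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
# The peer address is the remote router's mynetname.net name; RouterOS resolves it when it initiates.
/ip ipsec peer add name=siteB address=SERIAL-B.sn.mynetname.net exchange-mode=main profile=s2s-profile passive=no
/ip ipsec identity add peer=siteB auth-method=pre-shared-key secret=CHANGE-ME-PSK
/ip ipsec policy add peer=siteB tunnel=yes src-address=192.168.10.0/24 dst-address=192.168.20.0/24 proposal=s2s-proposal

# ---- Site B: responder only. Dynamic public IP, no name or address for the remote end ----
/ip ipsec profile add name=s2s-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal add name=s2s-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
# ::/0 accepts the initiator from whatever public IP it currently has; passive=yes means
# this side never tries to dial out, so only one router ever initiates.
/ip ipsec peer add name=siteA address=::/0 exchange-mode=main profile=s2s-profile passive=yes
/ip ipsec identity add peer=siteA auth-method=pre-shared-key secret=CHANGE-ME-PSK
/ip ipsec policy add peer=siteA tunnel=yes src-address=192.168.20.0/24 dst-address=192.168.10.0/24 proposal=s2s-proposal
```

With only site A set to initiate, a public IP change on either end is handled the same way: DPD on site A times out, the old SA is torn down, site A re-resolves the name and dials again, and site B accepts it because the responder peer is not tied to any address. Both profiles and proposals must match exactly, otherwise the responder logs "no suitable proposal found" and phase 1 never completes.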
 
phuketmymac
Frequent Visitor
Topic Author
Posts: 66
Joined: Thu Jun 05, 2014 7:56 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Sun Feb 16, 2020 8:10 am

Thank you for answering.

Actually, that might be the issue here. I believe I have set both sides to be initiator and responder.
When the tunnel fails to reconnect, I can see both sides trying.

Also, I have road warrior connections available, but they won't work when the tunnel is down. As if the entire IPsec module was overloaded or something.
I did try to kill the connections on both sides in active peers, but it didn't help.

Should I set only one side as the initiator?
 
phuketmymac
Frequent Visitor
Topic Author
Posts: 66
Joined: Thu Jun 05, 2014 7:56 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Mon Feb 17, 2020 11:37 am

Can anyone please direct me to a guide on how to set up a site-to-site IPsec VPN with dynamic public IPs?

I have 2 tunnels set up for 2 different customers and they do exactly the same thing: they disconnect and do not reconnect on their own.

If I try to set ::/0 on one node, to make it the responder node only, I then get the error "This entry is unreachable" until I set the URL of the other end again.
 
phuketmymac
Frequent Visitor
Topic Author
Posts: 66
Joined: Thu Jun 05, 2014 7:56 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Thu Feb 20, 2020 4:36 am

Hi,

So on one side, I am getting these logs:

06:58:17 pppoe,ppp,info pppoe-3BB: terminating...
06:58:17 pppoe,ppp,info pppoe-3BB: disconnected
06:58:17 pppoe,ppp,info pppoe-3BB: initializing...
06:58:17 pppoe,ppp,info pppoe-3BB: connecting...
06:58:20 pppoe,ppp,info pppoe-3BB: authenticated
06:58:20 pppoe,ppp,info pppoe-3BB: connected
09:08:05 ipsec,info respond new phase 1 (Identity Protection):XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[1]
09:08:05 ipsec,error no suitable proposal found.
09:08:05 ipsec,error XXX.XXX.XXX.XXX failed to get valid proposal.
09:08:05 ipsec,error XXX.XXX.XXX.XXX failed to pre-process ph1 packet (side: 1, status 1).
09:08:05 ipsec,error XXX.XXX.XXX.XXX phase1 negotiation failed.

More or less, the tunnel stays connected for a day. Then my PPPoE connection is reset for whatever reason, and then I get these "Identity Protection" errors over and over again.
I have both IPsec and L2TP access available on this router, but from the other site, even L2TP is failing.
I have to use my cellular network to connect remotely using the L2TP VPN and reboot the router.

On the other side, I am getting these log lines:

09:05:05 ipsec,error XXX.XXX.XXX.XXX failed to pre-process ph2 packet
09:05:15 ipsec,error XXX.XXX.XXX.XXX peer sent packet for dead phase2

Any idea what I could do to fix this, please?
