sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

IPSec - Dynamic IP with Double NAT

Fri Jul 18, 2014 1:58 pm

Hi All,

I need to compile a script that will get the WAN IP address from an internet source (because the RB750 is doing double-NAT so its WAN IP address is not a public IP address).

I then need this to run a script to update the local WAN IP address of an IPSec tunnel. (The other end has a fixed IP)

I have found scripts to do both of the above, but I am struggling on how to mash the two together.

Can anyone help please?

Edit:
If it helps:
The WAN interface of the RB750 will have an IP address of 192.168.20.250/24, GW 192.168.20.1
The device running as 192.168.20.1 then has a public (dynamic) WAN IP address.
The firewall on this device is configured to have 192.168.20.250 as DMZ.
I have successfully had IPSec working between a Netgear FVG318 at this end and DGFV338 at the remote end before I switched to RB750s.
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)

tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSec - Dynamic IP with Double NAT

Fri Jul 18, 2014 3:22 pm

Scripts will not help you here.

MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT].

NAT-T only works on client side with MikroTik.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!

sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: IPSec - Dynamic IP with Double NAT

Fri Jul 18, 2014 5:26 pm

tomaskir wrote:
Scripts will not help you here.
MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT].
NAT-T only works on client side with MikroTik.

So just to be clear, you think the Netgear that has worked previously must have been behaving differently?
I'm going to test with the current dynamic WAN IP hard set in the config and see what happens without worrying about updating it.

If this doesn't work, I noticed whilst checking over the wiki that I may be able to use L2TP with IPSec to make this work.

tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSec - Dynamic IP with Double NAT

Fri Jul 18, 2014 5:44 pm

sjoram wrote:
So just to be clear, you think the Netgear that has worked previously must have been behaving differently?
I'm going to test with the current dynamic WAN IP hard set in the config and see what happens without worrying about updating it.
If this doesn't work, I noticed whilst checking over the wiki that I may be able to use L2TP with IPSec to make this work.

Other vendors' NAT-T implementations can work with NAT even for the IPSec responder. MikroTik's doesn't.

I can't speak for Netgear, but for example Cisco ASAs have no problem being an IPSec responder behind NAT.

If you are interested in L2TP/IPSec, I suggest you take a look at my presentation about it here:
http://tiktube.com/video/mIgH3hmodoLHnH ... tKlGonDpI=

jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: IPSec - Dynamic IP with Double NAT

Fri Jul 18, 2014 6:51 pm

I have IPsec running in an EoIP tunnel where one side has a fixed public IP NATed 1:1 and the other side has a direct public IP that changes sometimes.

sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: IPSec - Dynamic IP with Double NAT

Fri Jul 18, 2014 11:57 pm

Right, I've managed to 'fudge' this.

Phase1 came up no problems but when I enabled debug logging for IPSec, the RB750 with the double NAT gave the error that it ignored the packet because it does not listen on the public IP address.
Since nothing going to the WAN interface of the RB750 from the WAN side will actually be using that public IP address as a destination address (it will be using the private IP assigned to the WAN interface), I assigned a second IP to the WAN interface (being the current public IP) and it now seems that Phase2 is working.

So somehow, I need to script obtaining the current public IP from an internet source and then updating the IP address in the IPSec configuration and amending the additional IP address assigned to the WAN interface.

Is this possible?

sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: IPSec - Dynamic IP with Double NAT

Wed Aug 06, 2014 2:48 pm

Update to this: I haven't found a way to deal automatically with the dynamic IP on one side yet, but it hasn't as yet changed - I'm not sure how the lease works from the ISP but it seems semi-sticky.

But I've upgraded ROS on the RB750 at one end to v6.18 with the other end still on v6.17 and cannot pass traffic now, but it's showing there is a connection there.

Previously with both on v6.17, if the tunnel was down only the end with the dynamic IP/double NAT could bring it up by initiating packets but it worked...

Any ideas?

jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: IPSec - Dynamic IP with Double NAT

Wed Aug 06, 2014 6:09 pm

It's possible. As I am in traffic now, I have no comfortable access to my devices. I will provide a description of my approach when I am able to.

jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: IPSec - Dynamic IP with Double NAT

Thu Aug 07, 2014 9:36 am

Ok, I am back.

Let's say you have RB1 with a public IP that is changing and RB2 with a fixed IP that is not changing, but behind NAT, so actually the WAN interface of RB2 has a different IP from some internal range.

First of all, you have to register with some dyndns service for the IP which is changing. Let's say it is RB1.mydomain.tld. You run a script that regularly checks for its change and eventually updates the DNS record. The script should correspond to the dyndns service you use.

Then on RB2 you can easily check what the real IP address of RB1 is and keep it in a firewall address list (you could use it in an accept firewall rule also, as I do). I am using such a script:

ros code

# last known IP of RB1, kept in the "RB1IP" firewall address list
:global RB1IPold [/ip firewall address-list get [find list=RB1IP] address];
# current IP of RB1, resolved from the dyndns name that RB1 keeps updated
:global RB1IP [:resolve "RB1.mydomain.tld"];

:if ($RB1IP != $RB1IPold) do={
    :log info "DynamicIP: RB1IP changed. Old: $RB1IPold. New:$RB1IP."
    :log info "DynamicIP: Change setting of EOIP tunnel."
    # point the EoIP tunnel at the new remote address
    /interface eoip set remote-address=$RB1IP eoip-RB1
    :log info "DynamicIP: Settings of EOIP tunnel changed."
    :log info "DynamicIP: Change settings of firewall."
    # update the address list so the accept rule follows the new IP
    /ip firewall address-list set address=$RB1IP [find list=RB1IP]
    :log info "DynamicIP: Settings of firewall changed."
    :set RB1IPold $RB1IP
} else={
    :log info ("DynamicIP: RB1IP has not changed.")
};
As you see, it is for EOIP, but you can use the same approach in your case.
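The script above handles the end with the fixed address. For the double-NATed end described earlier in the thread (the current public IP added as a second address on the WAN interface, and the IPsec peer and policy using it as their local side), here is an added RouterOS v6 script that is not from jarda's post or sjoram's configuration. It assumes the WAN interface is named ether1-gateway, the peer and policy carry the comment "site-to-site", the extra WAN address carries the comment "public-ip", a placeholder plain-text IP echo URL, and the v6 property names local-address and sa-src-address.

```routeros
# Added example, not from the thread. Runs on the double-NATed RB750 (RouterOS v6).
# Assumed names: WAN interface, the comments on the extra address / peer / policy,
# and an HTTP service (placeholder URL) that returns only the public IPv4 address as text.
:local wanIf "ether1-gateway"
:local lookupUrl "http://EXAMPLE-IP-ECHO-SERVICE/"
:local addrComment "public-ip"
:local peerComment "site-to-site"

# 1. Fetch the current public IP into a file and read it back.
/tool fetch url=$lookupUrl mode=http dst-path="pubip.txt"
:delay 2s
:local raw [/file get "pubip.txt" contents]

# 2. The reply is untrusted input: keep only digits and dots, then require a valid IPv4.
:local clean ""
:for i from=0 to=([:len $raw] - 1) do={
    :local ch [:pick $raw $i ($i + 1)]
    :if ([:typeof [:find "0123456789." $ch]] = "num") do={ :set clean ($clean . $ch) }
}
:local newIP [:toip $clean]
:if ([:typeof $newIP] != "ip") do={
    :log warning "PublicIP: lookup returned '$raw', not an IPv4 address; no changes made"
    :error "invalid public IP"
}

# 3. Compare with the local address the IPsec peer is currently configured with.
:local oldIP [/ip ipsec peer get [find comment=$peerComment] local-address]
:if ($newIP = $oldIP) do={
    :log info "PublicIP: unchanged ($newIP)"
} else={
    :log info "PublicIP: changed from $oldIP to $newIP; updating WAN address and IPsec"
    # secondary /32 on the WAN so the responder accepts packets addressed to the public IP
    /ip address set [find comment=$addrComment] address="$newIP/32" interface=$wanIf
    # the peer and policy must also present the new public IP as their local side
    /ip ipsec peer set [find comment=$peerComment] local-address=$newIP
    /ip ipsec policy set [find comment=$peerComment] sa-src-address=$newIP
}
```

Run it from the scheduler every few minutes; the remote end still learns the new address through the dyndns name and a resolve script like jarda's.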

sjoram
Member Candidate
Topic Author
Posts: 117
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: IPSec - Dynamic IP with Double NAT

Sun Aug 10, 2014 4:27 pm

I'll check out the script, thanks.

Ref the tunnel not passing traffic after one end upgraded to v6.18 with other end still on v6.17, I've now upgraded the other RB750 and have both ends on v6.18 and the tunnel is now passing traffic.

jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: IPSec - Dynamic IP with Double NAT

Mon Aug 11, 2014 11:01 am

I am moving from EoIP/IPsec to SSTP tunnels these days. They are more stable and easier to use.
 
tania
newbie
Posts: 42
Joined: Fri Feb 07, 2014 10:15 am

Re: IPSec - Dynamic IP with Double NAT

Sat Jul 04, 2015 12:29 pm

IPsec site-to-site VPN where one end has a dynamic IP address: see the solution at https://www.youtube.com/watch?v=ulfCVCCLiVQ
