
IPSec - Dynamic IP with Double NAT

Posted: Fri Jul 18, 2014 1:58 pm
by sjoram
Hi All,

I need to compile a script that will get the WAN IP address from an internet source (because the RB750 is doing double-NAT so its WAN IP address is not a public IP address).

I then need this to run a script to update the local WAN IP address of an IPSec tunnel. (The other end has a fixed IP)

I have found scripts to do both of the above, but I am struggling on how to mash the two together.

Can anyone help please?

Edit:
If it helps:
The WAN interface of the RB750 will have an IP address of 192.168.20.250/24, GW 192.168.20.1
The device running as 192.168.20.1 then has a public (dynamic) WAN IP address.
The firewall on this device is configured to have 192.168.20.250 as DMZ.
I have successfully had IPSec working between a Netgear FVG318 at this end and DGFV338 at the remote end before I switched to RB750s.

Re: IPSec - Dynamic IP with Double NAT

Posted: Fri Jul 18, 2014 3:22 pm
by tomaskir
Scripts will not help you here.

MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT].

NAT-T only works on client side with MikroTik.

Re: IPSec - Dynamic IP with Double NAT

Posted: Fri Jul 18, 2014 5:26 pm
by sjoram
Scripts will not help you here.
MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT].
NAT-T only works on client side with MikroTik.
So just to be clear, you think the Netgear that has worked previously must have been behaving differently?
I'm going to test with the current dynamic WAN IP hard set in the config and see what happens without worrying about updating it.

If this doesn't work, I noticed whilst checking over the wiki that I may be able to use L2TP with IPSec to make this work.

Re: IPSec - Dynamic IP with Double NAT

Posted: Fri Jul 18, 2014 5:44 pm
by tomaskir
So just to be clear, you think the Netgear that has worked previously must have been behaving differently?
I'm going to test with the current dynamic WAN IP hard set in the config and see what happens without worrying about updating it.

If this doesn't work, I noticed whilst checking over the wiki that I may be able to use L2TP with IPSec to make this work.
Other vendors' NAT-T implementations can work with NAT even for the IPSec responder. MikroTik's doesn't.

I can't speak for Netgear, but for example Cisco ASAs have no problem being an IPSec responder behind NAT.

If you are interested in L2TP/IPSec, I suggest you take a look at my presentation about it here:
http://tiktube.com/video/mIgH3hmodoLHnH ... tKlGonDpI=

Re: IPSec - Dynamic IP with Double NAT

Posted: Fri Jul 18, 2014 6:51 pm
by jarda
I have IPsec running in an EoIP tunnel where one side has a fixed public IP NATed 1:1 and the other side has a direct public IP that changes sometimes.

Re: IPSec - Dynamic IP with Double NAT

Posted: Fri Jul 18, 2014 11:57 pm
by sjoram
Right, I've managed to 'fudge' this.

Phase1 came up no problems but when I enabled debug logging for IPSec, the RB750 with the double NAT gave the error that it ignored the packet because it does not listen on the public IP address.
Since nothing going to the WAN interface of the RB750 from the WAN side will actually be using that public IP address as a destination address (it will be using the private IP assigned to the WAN interface), I assigned a second IP to the WAN interface (being the current public IP) and it now seems that Phase2 is working.

So somehow, I need to script obtaining the current public IP from an internet source and then updating the IP address in the IPSec configuration and amending the additional IP address assigned to the WAN interface.

Is this possible?

Re: IPSec - Dynamic IP with Double NAT

Posted: Wed Aug 06, 2014 2:48 pm
by sjoram
Update to this: I haven't found a way to deal automatically with the dynamic IP on one side yet, but it hasn't as yet changed - I'm not sure how the lease works from the ISP but it seems semi-sticky.

But I've upgraded ROS on the RB750 at one end to v6.18 with the other end still on v6.17 and cannot pass traffic now, but it's showing there is a connection there.

Previously with both on v6.17, if the tunnel was down only the end with the dynamic IP/double NAT could bring it up by initiating packets but it worked...

Any ideas?

Re: IPSec - Dynamic IP with Double NAT

Posted: Wed Aug 06, 2014 6:09 pm
by jarda
It's possible. As I am in traffic now I have no comfortable access to my devices. I will provide a description of my approach when I am able to.

Re: IPSec - Dynamic IP with Double NAT

Posted: Thu Aug 07, 2014 9:36 am
by jarda
Ok, I am back.

Let's say you have RB1 with a public IP that is changing and RB2 with a fixed IP that is not changing, but behind NAT, so actually the WAN interface of RB2 has a different IP from some internal range.

First of all, you have to register some dyndns service for the IP which is changing. Let's say it is RB1.mydomain.tld. You run a script that regularly checks for its change and eventually updates the DNS record. The script should correspond to the dyndns service you use.

Then on RB2 you can easily check what the real IP address of RB1 is and keep it in a firewall address list (you could use it for an accept firewall rule also, as I do). I am using such a script:

ros code

# Address currently stored in the RB1IP firewall address list (last known IP of RB1)
:global RB1IPold [/ip firewall address-list get [find list=RB1IP] address];
# Current address of RB1 as published through its dyndns name
:global RB1IP [:resolve "RB1.mydomain.tld"];

:if ($RB1IP != $RB1IPold) do={
    :log info "DynamicIP: RB1IP changed. Old: $RB1IPold. New: $RB1IP."
    :log info "DynamicIP: Change setting of EOIP tunnel."
    # Re-point the EoIP tunnel at the new remote address
    /interface eoip set remote-address=$RB1IP eoip-RB1
    :log info "DynamicIP: Settings of EOIP tunnel changed."
    :log info "DynamicIP: Change settings of firewall."
    # Keep the address list (also used by the accept rule) in sync
    /ip firewall address-list set address=$RB1IP [find list=RB1IP]
    :log info "DynamicIP: Settings of firewall changed."
    :set RB1IPold $RB1IP
} else={
    :log info ("DynamicIP: RB1IP has not changed.")
};
As you see, it is for EOIP, but you can use the same approach in your case.
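
As an added example that is not part of the thread: jarda's script covers the fixed-IP end, which learns the other side's address through DNS, so the complementary script below is for the RB750 behind double NAT that sjoram described; it looks up the router's current public IP from an external service and keeps the extra WAN address and the IPsec peer local-address in step with it. It assumes RouterOS 6.x syntax, a WAN interface named ether1-gateway, a placeholder lookup URL, and that the extra address and the peer are tagged with the comments public-wan and site-b (all hypothetical names chosen for this example).

```routeros
# Added example (not from the thread). Assumed names: WAN interface
# "ether1-gateway", placeholder lookup URL, comments "public-wan" on the
# extra WAN address and "site-b" on the IPsec peer. Run it from the scheduler.
:local wanIf "ether1-gateway"
:local lookupUrl "http://PUBLIC-IP-LOOKUP.example/ip"
:local tmpFile "publicip.txt"

# Fetch the public IP into a file (fetching straight into a variable needs a newer RouterOS)
/tool fetch url=$lookupUrl mode=http dst-path=$tmpFile
:delay 1s
:local newIP [/file get [find name=$tmpFile] contents]
/file remove [find name=$tmpFile]

# Strip trailing CR/LF that most lookup services append
:while ([:len $newIP] > 0 && ([:pick $newIP ([:len $newIP] - 1)] = "\n" || [:pick $newIP ([:len $newIP] - 1)] = "\r")) do={
    :set newIP [:pick $newIP 0 ([:len $newIP] - 1)]
}

# Refuse to touch the config if the answer is not a valid IPv4 address
:if ([:typeof [:toip $newIP]] != "ip") do={
    :log error "DynamicIP: lookup returned '$newIP', not an IP; leaving config alone"
    :error "invalid lookup result"
}

# Public address currently assigned to the WAN interface, without the /32 prefix
:local oldIP ""
:if ([:len [/ip address find comment="public-wan"]] > 0) do={
    :local oldAddr [/ip address get [find comment="public-wan"] address]
    :set oldIP [:pick $oldAddr 0 [:find $oldAddr "/"]]
}

:if ($newIP != $oldIP) do={
    :log info "DynamicIP: public IP changed. Old: $oldIP. New: $newIP."
    :if ($oldIP = "") do={
        /ip address add address="$newIP/32" interface=$wanIf comment="public-wan"
    } else={
        /ip address set [find comment="public-wan"] address="$newIP/32"
    }
    # Point the IPsec peer at the new local address and force renegotiation
    /ip ipsec peer set [find comment="site-b"] local-address=$newIP
    /ip ipsec installed-sa flush
    :log info "DynamicIP: WAN address and IPsec peer updated."
} else={
    :log info "DynamicIP: public IP has not changed."
}
```

On the fixed-IP end, jarda's script applies as written apart from replacing the EoIP line with `/ip ipsec peer set [find comment="site-b"] address=$RB1IP`, so that the responder learns the new address of the double-NAT side from the dyndns name.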

Re: IPSec - Dynamic IP with Double NAT

Posted: Sun Aug 10, 2014 4:27 pm
by sjoram
I'll check out the script, thanks.

Ref the tunnel not passing traffic after one end upgraded to v6.18 with other end still on v6.17, I've now upgraded the other RB750 and have both ends on v6.18 and the tunnel is now passing traffic.

Re: IPSec - Dynamic IP with Double NAT

Posted: Mon Aug 11, 2014 11:01 am
by jarda
I am moving from eoip/ipsec to sstp tunnels these days. They are more stable and easier to use.

Re: IPSec - Dynamic IP with Double NAT

Posted: Sat Jul 04, 2015 12:29 pm
by tania
IPsec site-to-site VPN where one end has a dynamic IP address; see the solution: https://www.youtube.com/watch?v=ulfCVCCLiVQ