piwi3910
Member Candidate
Topic Author
Posts: 141
Joined: Sun May 30, 2004 5:02 pm
Location: Belgium

ipsec dynamic ip script

Wed Jul 27, 2005 2:07 pm

Eugene once sent me this:

Posted: Thu Aug 12, 2004 2:47 pm Post subject:

--------------------------------------------------------------------------------

I would configure something like the following:


/ip ipsec peer add address=1.1.1.2 secret=qazwsxedc generate-policy=no


/ip ipsec policy add sa-src-address=0.0.0.0 sa-dst-address=1.1.1.2 action=encrypt tunnel=yes <src- and dst- addresses as appropriate>


/system script add name=addr-refresh source={:foreach i in=[find] do {:if ([/ip address find address=[/ip route get $i preferred-source]]!="") do {:if([/ip address get [/ip address find address=[/ip route get $i preferred-source]] address]=[/ip dhcp-client lease get address]) do {:if ( [/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address] != [/ip route get $i preferred-source]) do {/ip ipsec policy set [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address=[/ip route get $i preferred-source] }}} }}


/system scheduler add name=run-15s interval=15s on-event=addr-refresh

It was to make IPsec connections from a dynamic IP address to a static one...
But the script just doesn't work. I really tried everything, but I just don't see the fault...

I get this...

no such command or directory (find)

Can someone check this?

thxs

pascal
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Jul 28, 2005 11:42 am

/system script add name=addr-refresh source={:foreach i in=[/ip route find] do {:if ([/ip address find address=[/ip route get $i preferred-source]]!="") do {:if([/ip address get [/ip address find address=[/ip route get $i preferred-source]] address]=[/ip dhcp-client lease get address]) do {:if ( [/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address] != [/ip route get $i preferred-source]) do {/ip ipsec policy set [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address=[/ip route get $i preferred-source] }}} }} 
However, if you use version 2.9 there is a much shorter and simpler way to accomplish this.
Everyone has the right to life, liberty and security of person.
 
piwi3910
Member Candidate
Topic Author
Posts: 141
Joined: Sun May 30, 2004 5:02 pm
Location: Belgium

mmmh not working still

Thu Jul 28, 2005 2:19 pm

I understand what you are trying to do with this script, but it's still not working.
I made the policy with the correct sa-dst-address.
I changed the sa-dst-address in the script to the correct IP address.
It doesn't give me any errors in the log file, but still my policy isn't changed to put the sa-src-address to the correct IP address.

How do you start debugging something like this?
You can't get any output.
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Jul 28, 2005 3:02 pm

Remove everything and start from the outer loop. Place print commands to see the output and change them later with the actual constructs if they give expected output.


BTW, I suggest upgrading to 2.9 - there are new scripting commands which made this task a piece of cake.
Everyone has the right to life, liberty and security of person.
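
The step-by-step approach described in the post above, as an added example that is not part of the thread: it writes each intermediate value to the log, so a scheduled run leaves a trace. It assumes the scripting syntax of later RouterOS releases (`do={...}`, `:local`, `:log`), not the 2.8 syntax of the script above, and a hypothetical WAN interface named `ether1`; the peer address 1.1.1.2 and the property names come from the thread.

```routeros
# Added example, not from the thread. Assumes later RouterOS scripting syntax;
# "ether1" is a hypothetical WAN interface, 1.1.1.2 is the static peer used above.
:local wanIf "ether1"
:local peerAddr 1.1.1.2

# Step 1: is there an address on the WAN interface at all?
:local addrId [/ip address find interface=$wanIf]
:if ([:len $addrId] = 0) do={
    :log warning "addr-refresh: no address on $wanIf"
} else={
    # Step 2: strip the /prefix and convert to an IP value, so that the
    # comparison with sa-src-address is IP against IP, not IP against string
    :local cidr [/ip address get [:pick $addrId 0] address]
    :local wanIp [:toip [:pick $cidr 0 [:find $cidr "/"]]]
    :log info "addr-refresh: WAN address is $wanIp"

    # Step 3: does the find expression return the intended policy?
    :local polId [/ip ipsec policy find sa-dst-address=$peerAddr]
    :if ([:len $polId] = 0) do={
        :log warning "addr-refresh: no policy with sa-dst-address=$peerAddr"
    } else={
        # Step 4: touch the policy only when the address really changed
        :local oldSrc [/ip ipsec policy get [:pick $polId 0] sa-src-address]
        :if ($oldSrc != $wanIp) do={
            /ip ipsec policy set $polId sa-src-address=$wanIp
            :log info "addr-refresh: sa-src-address changed from $oldSrc to $wanIp"
        }
    }
}
```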
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Fri Jul 29, 2005 4:57 pm

Eugene wrote: "However, if you use version 2.9 there is a much shorter and simpler way to accomplish this."
Which, I assume, would be generate-policy=yes ?

--Tom
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Fri Jul 29, 2005 5:17 pm

Nope, it works only if one endpoint has dynamic IP.
Everyone has the right to life, liberty and security of person.
 
FOV
Frequent Visitor
Posts: 69
Joined: Tue Nov 29, 2005 5:34 pm
Location: ARGENTINA

Wed Dec 28, 2005 8:24 pm

Eugene, hi. I'm trying to do the same.

At one end I have an MTK with a dynamic IP, and on the other side a Hotbrick with a dynamic IP too.

I'm looking for a script to update the policy.

Can you help me, please?

I'm using a RouterBOARD 500 with OS 2.9.8.

Rgs,

Fernando
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Thu Dec 29, 2005 6:46 pm

Read my previous posts.
Everyone has the right to life, liberty and security of person.
 
viceft
just joined
Posts: 8
Joined: Wed Feb 02, 2005 2:18 am

ipsec

Sat Mar 04, 2006 6:03 am

How do I know at the central site (static IP) what the IP of the remote site is?
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Sat Mar 04, 2006 1:08 pm

If one of the endpoints has a static IP address, just do not create the policy on this endpoint. Instead, set generate-policy=yes in its peer record.
Everyone has the right to life, liberty and security of person.
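
The arrangement described in the post above, written out for both endpoints as an added example that is not part of the thread. The peer and policy properties are the ones used earlier in the thread; the `address=0.0.0.0/0` prefix on the static side, the two LAN subnets and the secret placeholder are assumptions made for illustration.

```routeros
# Added example, not from the thread.

# --- Static endpoint (1.1.1.2) ---
# No /ip ipsec policy entry is created by hand here. The peer record matches
# any remote address (assumed prefix 0.0.0.0/0) and generate-policy=yes lets
# the policy be built when the remote side negotiates.
# Because this record accepts any source address, the pre-shared key is the
# only thing authenticating the remote end: use a long random value, not a
# keyboard pattern.
/ip ipsec peer add address=0.0.0.0/0 secret="<long-random-pre-shared-key>" generate-policy=yes

# --- Dynamic endpoint ---
# Peer and policy point at the static address; subnets are constructed samples.
/ip ipsec peer add address=1.1.1.2 secret="<long-random-pre-shared-key>" generate-policy=no
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 sa-src-address=0.0.0.0 sa-dst-address=1.1.1.2 action=encrypt tunnel=yes
```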
 
blaze888
just joined
Posts: 1
Joined: Tue Jun 09, 2009 9:10 am

Re: ipsec dynamic ip script

Tue Jun 09, 2009 9:15 am

Hello,

I'm having the same trouble here. Any input would be great!

Thanks!
 
hacki
just joined
Posts: 18
Joined: Fri Aug 28, 2009 1:18 am

Re: ipsec dynamic ip script

Thu Dec 03, 2009 7:07 pm

hi there,

I'm facing the same issue with dynamic IP addresses and IPsec.
Does someone already have such a scenario running?

greets
