eugene one sended me this

Posted: Thu Aug 12, 2004 2:47 pm Post subject:

--------------------------------------------------------------------------------

I would configure something like the following:


/ip ipsec peer add address=1.1.1.2 secret=qazwsxedc generate-policy=no


/ip ipsec policy add sa-src-address=0.0.0.0 sa-dst-address=1.1.1.2 action=encrypt tunnel=yes <src- and dst- addresses as appropriate>


/system script add name=addr-refresh source={:foreach i in=[find] do {:if ([/ip address find address=[/ip route get $i preferred-source]]!="") do {:if([/ip address get [/ip address find address=[/ip route get $i preferred-source]] address]=[/ip dhcp-client lease get address]) do {:if ( [/ip ipsec policy get [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address] != [/ip route get $i preferred-source]) do {/ip ipsec policy set [/ip ipsec policy find sa-dst-address=1.1.1.2] sa-src-address=[/ip route get $i preferred-source] }}} }}


/system scheduler add name=run-15s interval=15s on-event=addr-refresh

it was to make ipsec connections from a dynamic ip adress to a static one...
but the script just doesn't work, i really tried everything... but i just don't see the fault...

i get this...

no sutch command or directory (find)

can someone check this

thxs

pascal

However if you use 2.9 version there is a much shorter and simplier way to accomplish this.

i understand what you are trying to do with this script, but it's still not working.
i made the policie with the correct sa-dst-address
i changed the sa-dst-address in the script to the correct ip adress.
it doesn't give me any errors in the log file, but still my policie is't changed to put the sa-src-address to the correct ip address.

how do you start debugging someting like this?
you can't get any output.

Remove everything and start from the outer loop. Place print commands to see the output and change them later with the actual constructs if they give expected output.


BTW, I suggest to upgrade to 2.9 - there are new scripting commands which made this task a piece of cake.

However if you use 2.9 version there is a much shorter and simplier way to accomplish this.

Which, I assume, would be generate-policy=yes ?

--Tom

Nope, it works only if one endpoint has dynamic IP.

Eugine, hi. I´m trying to do the same.

On one point I´ve a MTK with Dynamic IP, and on the other side, a Hotbrick with Dynamic IP to.

I´m looking for a script in order to actualize the policy.

Can you help me pls?

I´m using a Router board 500 with OS. 2.9.8

Rgs,

Fernando

Read my previous posts.

how know in the central site (ip static) what is the ip from remote site?

If one of the endpoints has a static IP address, just do not create the policy on this endpoint. Instead, set generate-policy=yes in its peer record.

Hello,

im having same troubles here.. any inputs would be great!

Thanks!
assurance vie

hi there,

standing in front of the same issue with dynamic ip adresses and ipsec.
has already someone running such a scenario?

greets