condor
just joined
Topic Author
Posts: 7
Joined: Wed Nov 14, 2012 10:44 am

VPN IPsec 3G &DynDNS

Thu Nov 15, 2012 4:53 am

Hello!
I'm trying to set up a tunnel between two routers. The WAN connection is via 3G USB modems (ppp-out1). The WAN IP address is dynamic, so you must use DynDNS to update it on the router. The Internet works, but the tunnel does not come up; could you help me with what I am doing wrong?
The scripts that I have used are listed below. OS version 5.16.


siteA


/system script
add name=dynamic-dns-script policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
# User account info of DNSoMatic\r\
\n:global maticuser \"ххххх\"\r\
\n:global maticpass \"ххххх\"\r\
\n:global matichost \"testtele2sitea.dyndns.org\"\r\
\n# No more changes need\r\
\n\r\
\n:global previousIP\r\
\n\r\
\n# Print values for debug\r\
\n:log info \"DNSoMatic: Updating dynamic IP on DNS for host \$matichost\"\
\r\
\n:log info \"DNSoMatic: User \$maticuser y Pass \$maticpass\"\r\
\n:log info \"DNSoMatic: Last IP \$previousIP\"\r\
\n\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
path=\"/dyndns.checkip.html\"\r\
\n:local result [/file get dyndns.checkip.html contents]\r\
\n\r\
\n# parse the current IP result\r\
\n:local resultLen [:len \$result]\r\
\n:local startLoc [:find \$result \": \" -1]\r\
\n:set startLoc (\$startLoc + 2)\r\
\n:local endLoc [:find \$result \"</body>\" -1]\r\
\n:global currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n:log info \"DNSoMatic: IP actual \$currentIP\"\r\
\n\r\
\n# Touching the string passed to fetch command on \"src-path\" option\r\
\n:local str \"/nic/update\?hostname=\$matichost&myip=\$currentIP&wildcard\
=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
\n\r\
\n:if (\$currentIP != \$previousIP) do={\r\
\n:log info \"DNSoMatic: Update need\"\r\
\n:set previousIP \$currentIP\r\
\n:log info \"DNSoMatic: Sending update \$currentIP\"\r\
\n:log info [ :put [/tool fetch host=MT user=\$maticuser password=\$maticp\
ass mode=http address=\"updates.dnsomatic.com\" src-path=\$str dst-path=\$\
matichost]]\r\
\n:log info \"DNSoMatic: Host \$matichost updated on DNSoMatic with IP \$c\
urrentIP\"\r\
\n} else={\r\
\n:log info \"DNSoMatic: Previous IP \$previousIP and current \$currentIP \
equal, no update need\"\r\
\n}"

/system scheduler
add comment="" disabled=no interval=10m name=dynamic-dns-schedule on-event=dynamic-dns-script \
start-date=jan/01/1970 start-time=00:00:01


/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" disabled=no dst-address=\
192.168.0.0/16 out-interface=ppp-out1
add action=masquerade chain=srcnat comment="default PAT" disabled=no out-interface=\
ppp-out1


/ip ipsec peer
add address=1.1.1.1/32 port=500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
test send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
192.168.87.0/24 src-port=any tunnel=yes


/system script
add name=dynamic-router-update policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
:global LocalSite [:resolve testtele2sitea.dyndns.org]\r\
\n:global RemoteSite [:resolve testtele2siteb.dyndns.org]\r\
\n/ip ipsec policy set 0 sa-dst-address=\$RemoteSite sa-src-address=\$Loca\
lSite\r\
\n/ip ipsec peer set 0 address=\"\$RemoteSite/32:500\""
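The checkip parsing and the change-only update decisions from the scripts above, reworked as an added Python example (not from the original post and not RouterOS code): it assumes the checkip body format shown in the constructed sample and returns None on a malformed page instead of pushing a garbage address to DNS.

```python
import ipaddress

# Constructed sample responses, modelled on the body the forum script parses
# with :find ": " and :find "</body>" (assumption, not a captured reply).
CHECKIP_OK = ("<html><head><title>Current IP Check</title></head>"
              "<body>Current IP Address: 203.0.113.45</body></html>")
CHECKIP_BAD = "<html><body>Service temporarily unavailable</body></html>"


def parse_checkip(body: str):
    """Extract the public IPv4 address from a checkip-style page.

    The RouterOS script picks the text between ": " and "</body>" blindly;
    here a missing marker or a non-address result yields None instead.
    """
    start = body.find(": ")
    end = body.find("</body>")
    if start == -1 or end == -1 or end <= start + 2:
        return None
    candidate = body[start + 2:end].strip()
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def needs_dns_update(current_ip, previous_ip):
    """Mirror the script's $currentIP != $previousIP check, but never
    send an update when the current address could not be determined."""
    return current_ip is not None and current_ip != previous_ip


def ipsec_endpoint_changes(peer_address, policy_sa_src, policy_sa_dst,
                           local_ip, remote_ip):
    """Return only the IPsec settings that differ from the freshly resolved
    DynDNS addresses, so a scheduled job can skip rewriting an unchanged
    peer/policy (the posted dynamic-router-update script rewrites both
    unconditionally on every run)."""
    changes = {}
    if peer_address != remote_ip:
        changes["peer address"] = remote_ip
    if policy_sa_src != local_ip:
        changes["sa-src-address"] = local_ip
    if policy_sa_dst != remote_ip:
        changes["sa-dst-address"] = remote_ip
    return changes
```

Note that the "Print values for debug" line in the posted script writes $maticpass to the router log in clear text; once debugging is done that line is the first thing to drop.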
 
ABeepMike
Frequent Visitor
Posts: 51
Joined: Tue Nov 10, 2009 10:37 pm

Re: VPN IPsec 3G &DynDNS

Fri Nov 23, 2012 2:37 am

A couple of questions.

Do you see the entries in the environment tab after resolve of the local and remote sites?

Do you see the Installed SAs of the tunnel?

I have a similar set of scripts doing the same thing working properly.

For multiple tunnels.

That NAT bypass rule is a little different than what I use.

What exactly happens when you ping the gateway of 87 from 88?

If the tunnel constructs, the first two or three pings will say packet rejected... then it starts passing.

What is the ping response message?
 
condor
just joined
Topic Author
Posts: 7
Joined: Wed Nov 14, 2012 10:44 am

Re: VPN IPsec 3G &DynDNS

Mon Nov 26, 2012 12:45 pm

Network 87 and 88 do not see each other. No connection between sites (no peer). Can you lay out the working configuration files?
Or try the ones that I posted?
 
ABeepMike
Frequent Visitor
Posts: 51
Joined: Tue Nov 10, 2009 10:37 pm

Re: VPN IPsec 3G &DynDNS

Mon Nov 26, 2012 2:09 pm

Turn on logging for IPsec and log it to disk capture.

Then look at the entries... you may see the problem there.

You should try to set up the tunnel first without DynDNS... use the addresses currently assigned, temporarily, in the policies and peers to see if the resolve-change address script is causing trouble.

If you have success... the dyn script is not working.

If you take the script for resolving and changing... and copy it, and then paste it into a terminal cursor, does it run without errors?

There will be a log entry if it works... ipsec peer changed by admin, ipsec policy changed by admin.


But, of course, you must know for sure that the tunnel setup is right.

I can't try your code, but it looks correct. A static try between two routers on a switch using the same policies in a bench lab would tell you if you got it right.

The IPsec debug log is your friend.
