leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Script to disable IPSec peers

Wed Aug 07, 2013 2:42 pm

Hello

I'm trying to find a way to disable all or a set of IPSec peers within a script in v6.2. In theory something like this should do the trick:

/ip ipsec peer enable [/ip ipsec peer find port=500]

But it doesn't... it just enables the first peer (number 0) and then the terminal prompt just hangs. The strange thing is that the same line, but replacing enable with disable, does work ok!:

/ip ipsec peer disable [/ip ipsec peer find proposal-check="obey"]

Maybe a bug?
Thanks!
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Script to disable IPSec peers

Wed Aug 07, 2013 2:59 pm

I have never used it that way. I always used loops like below. I wasn't aware that a single command like that worked if find returned more than one.
/ip ipsec peer {
    # iterate over every matching peer id and enable each one individually
    :foreach i in=[find port=500] do={
        enable $i
    }
}
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Script to disable IPSec peers

Wed Aug 07, 2013 3:14 pm

Yes, I have used this to enable/disable IPSec policies almost forever:

/ip ipsec policy enable [find sa-src-address=1.2.3.4]

Your script block doesn't work, exactly the same behavior: only the first peer gets enabled and then the prompt halts until I press Ctrl+C.

Thanks!
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Script to disable IPSec peers

Wed Aug 07, 2013 3:22 pm

Good to know that works... As for 6.2. I switched back to 6.1 because it was too buggy. My guess would be that you found another bug where find only returns the first or something.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Script to disable IPSec peers

Wed Aug 07, 2013 3:36 pm

I have sent an email to support about this issue, I'll post the answer here...

I can't use 6.1 because it has bugs with IPSec, can't use v6.0 because it has a bug with VRRP, can't use v5.x because it has problems with Mangle rules and performance with RB1000... I hope that I get a "good" version for me soon, I'm having too many headaches with Mikrotik lately!!

Thanks for your help!
 
n4p
Member Candidate
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: Script to disable IPSec peers

Fri Jun 30, 2017 1:38 pm

Hi,
I need to push this thread, because I am currently searching for the same solution. Is there any way to disable IPsec peers with a script which looks at the firewall address list?
Background for that is, I detect bad peers on the firewall and blacklist them. To prevent them from doing more bad stuff I want to disable their IPsec peer until it is locally checked.

Thanks for help!
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Script to disable IPSec peers

Sat Jul 01, 2017 3:01 pm

It shouldn't be hard. Just iterate over the peers and then search if they are in the address list. But I don't have anything off hand to do it. I'd have to write it.
 
n4p
Member Candidate
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: Script to disable IPSec peers

Sat Jul 01, 2017 9:44 pm

Yeah,
it would be great if you can give me some advice.
My idea was to check the address list every second or something like that and look if there is a peer with the name blacklist.
There I need to look at the IP range, whether it is 172.8.10.xxx or 172.8.11.xxx, and search with this for the matching IPsec peer/policy.

That's the way it should work, but the problem is that I need some help to get there.
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Script to disable IPSec peers

Sat Jul 01, 2017 10:13 pm

Can't you just use the address list to block the IPsec through the firewall? It would be much more efficient than running a script that frequently.
 
n4p
Member Candidate
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: Script to disable IPSec peers

Sun Jul 02, 2017 8:51 pm

The idea behind that was to make the system more secure. I have only one engine behind every IPsec tunnel.

And if there was a security issue or somebody tries to attack the server, I want to block them completely until an employee takes a look at that engine.
 
msatter
Forum Guru
Posts: 1338
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Script to disable IPSec peers

Sun Jul 02, 2017 10:47 pm

I use IPSEC on location or when I am in a location with WiFi. I use port knocking to request a certain number of hours, 1-8. The IP address I am on is entered in the address list to grant me access to port 400+4500.

When I need more time than I estimated before, I just knock again, but I have first to disconnect the IPSEC because I am still on a private address. The time will be added to, or set if there was no time left.

I can also knock to remove the entry in the address list by running a scheduled script on a set interval which looks for the addresses to remove.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
n4p
Member Candidate
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: Script to disable IPSec peers

Wed Jul 05, 2017 9:40 pm

That's not really a help for me, because I use a site-to-site tunnel. And if there is a security issue I want to block this tunnel.
But if there is nothing, the tunnel should be up all the time.
 
msatter
Forum Guru
Posts: 1338
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Script to disable IPSec peers

Wed Jul 05, 2017 10:11 pm

What is the result of this:
:put [/ip ipsec remote-peers find remote-address~"172.8.1[0-1].*"];
If you want to remove those addresses then this should do it:
:put [/ip ipsec remote-peers remove [find remote-address~"172.8.1[0-1].*"]];
However I see the client connecting again and only after a few times it gives up.

You want to look at names and compare them to policies, so I need more info on that. I use IKEv2 so no names.
 
n4p
Member Candidate
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: Script to disable IPSec peers

Fri Jul 07, 2017 11:21 am

Thanks for the answer,
my idea is not only to disconnect them, I want to disable their profile.
For our setup it's not possible that this happens at any time, only if anybody tries to attack the server. The remote peers normally should connect every time and stay up.

So what I have done until now is:
I added firewall rules to identify them and add the IP address to the blacklist.

My idea was to read this blacklist with a script and identify the third octet of the blacklisted IP. With this octet I know the peer policy. My system is configured so that this octet is always the same, also in the WAN IP which establishes the tunnel.

Hope you can understand what I mean.

Thanks for help!
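As an added example (not from the thread or any of its posters), here is one way to implement the scheme described above: walk the firewall address list, take the third octet of each blacklisted address, and disable every IPsec peer whose configured address shares that octet. It assumes RouterOS 6.x scripting, an address list named "blacklist", that the peer's `address` field is a dotted-quad with an optional prefix length, and the poster's convention that the third octet of the blacklisted host equals the third octet of the peer's WAN address; the helper name `thirdOctet` is made up for this example.

```routeros
# Added example, not code from the thread. Disable IPsec peers whose
# third address octet matches a host in the "blacklist" address list.
:local listName "blacklist"

# Return the third octet of a dotted-quad string, e.g. "172.8.10.5/32" -> "10".
# Any trailing "/prefix" is ignored because only the first three dots are read.
:local thirdOctet do={
    :local s [:tostr $1]
    :local d1 [:find $s "."]
    :local d2 [:find $s "." ($d1 + 1)]
    :local d3 [:find $s "." ($d2 + 1)]
    :return [:pick $s ($d2 + 1) $d3]
}

:foreach entry in=[/ip firewall address-list find list=$listName] do={
    :local bad [:tostr [/ip firewall address-list get $entry address]]
    :local octet [$thirdOctet $bad]

    # Only look at peers that are still enabled, so a peer is disabled (and logged) once.
    :foreach p in=[/ip ipsec peer find disabled=no] do={
        :local paddr [:tostr [/ip ipsec peer get $p address]]

        # A passive/any-address peer (0.0.0.0/0) carries no meaningful octet; never touch it.
        :if ($paddr != "0.0.0.0/0") do={
            :if ([$thirdOctet $paddr] = $octet) do={
                /ip ipsec peer disable $p
                :log warning ("blacklisted host " . $bad . " -> disabled IPsec peer " . $paddr)
            }
        }
    }
}
```

The script is idempotent, so it can be stored under `/system script` and run from `/system scheduler` at whatever interval is acceptable; since it disables only enabled peers, re-running it produces no duplicate log lines. Re-enabling a peer after the local check is a manual `/ip ipsec peer enable` of the logged entry, which keeps the "stay disabled until someone looks" requirement from the post.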
 
Prister
just joined
Posts: 1
Joined: Wed Jul 11, 2018 9:20 am

Re: Script to disable IPSec peers

Fri Aug 24, 2018 10:03 am

I have the same problem in version 6.40.8!
How do I solve this problem?
:(
