bsturgis
just joined
Topic Author
Posts: 4
Joined: Mon Feb 11, 2013 4:03 pm

Need help with IPSec script with dynamic IP changing

Tue Mar 05, 2013 7:20 am

Here is my current script that is failing (Sorry, I am new at scripting and coding):

:local WANip [/ip address get [find interface="ether1-gateway"] address]

:log info "Interface IP is $WANip"

:local WANip [:pick "$WANip" 0 ([:len $WANip] - 3)]

:log info "IP sans the slash notation is $WANip"

/ip ipsec policy set 0 src-address= $WANip sa-src-address=$WANip

I need the src-address=$WANip to have /32 and the sa-src-address=$WANip to not have a /32. The sa-src-address is working but the src-address is not.

Please help. Thanks.
 
skot
Long time Member
Posts: 584
Joined: Wed Nov 30, 2011 3:05 am

Re: Need help with IPSec script with dynamic IP changing

Tue Mar 05, 2013 6:54 pm

1. Right now you're using the same WANip variable for what should be two different variables.

2. On the last line, it's a better idea to use [find] instead of a number (set 0), because the number doesn't exist unless you do a print command prior to it, and even then the number may change if items are added or removed. Using [find], you want to search for something in that item that won't change. For example, by adding a unique comment to the policy, you can use the [find] command as I did below.

ros code

:local WANip1 [/ip address get [find interface="ether1-gateway"] address]
:log info "Interface IP is $WANip1"
:local WANip2 [:pick "$WANip1" 0 ([:len $WANip1] - 3)]
:log info "IP sans the slash notation is $WANip2"
/ip ipsec policy set [find comment="myIPsec"] src-address=$WANip1 sa-src-address=$WANip2
Last edited by skot on Thu Mar 14, 2013 7:47 pm, edited 1 time in total.
 
bsturgis
just joined
Topic Author
Posts: 4
Joined: Mon Feb 11, 2013 4:03 pm

Re: Need help with IPSec script with dynamic IP changing

Tue Mar 05, 2013 11:20 pm

Thanks for the help. The issue is that the interface has a netmask of /24, e.g. 1.1.1.1/24. I need it to capture 1.1.1.1 but add /32, e.g. 1.1.1.1/32.

So, I need a way of taking $WANip2 (the one without the netmask) and appending /32 to the end of it.

Thanks.
 
skot
Long time Member
Posts: 584
Joined: Wed Nov 30, 2011 3:05 am

Re: Need help with IPSec script with dynamic IP changing

Wed Mar 06, 2013 2:23 am

Ah, ok. Change this line to:

ros code

:local WANip2 ([:pick "$WANip1" 0 ([:len $WANip1] - 3)]."/32")
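A guarded version of the same idea, added here as an example (not code from the thread or from skot or efaden): it cuts at the "/" instead of a fixed "- 3", so a single-digit prefix such as /8 is handled too, and it only rewrites the policy when the WAN address actually changed. It assumes the interface name ether1-gateway and the policy comment myIPsec used earlier in the thread.

```routeros
# Added example, not from the thread. Assumed names: interface "ether1-gateway"
# and an IPsec policy tagged with comment="myIPsec".
:local wanIface "ether1-gateway"
:local policyTag "myIPsec"

# Address as RouterOS stores it, e.g. "1.1.1.1/24" (constructed sample value)
:local ipWithMask [/ip address get [find interface=$wanIface] address]

# Cut at the "/" rather than "[:len] - 3": "/8" is one character shorter
# than "/24", so a fixed offset would leave a stray digit or drop part of the
# last octet.
:local wanIp [:pick $ipWithMask 0 [:find $ipWithMask "/"]]
:local wanIp32 ($wanIp . "/32")

:local policyId [/ip ipsec policy find comment=$policyTag]
:if ([:len $policyId] = 0) do={
    :log error "No IPsec policy with comment $policyTag; nothing updated"
} else={
    # Compare as strings: sa-src-address comes back as an ip value
    :local currentSrc [/ip ipsec policy get $policyId sa-src-address]
    :if ("$currentSrc" != $wanIp) do={
        /ip ipsec policy set $policyId src-address=$wanIp32 sa-src-address=$wanIp
        :log info "IPsec policy $policyTag moved from $currentSrc to $wanIp"
    } else={
        :log debug "IPsec policy $policyTag already uses $wanIp"
    }
}
```

Skipping the set when nothing changed matters if the script runs from the scheduler, because every rewrite of the policy disturbs the existing SAs; efaden's script later in the thread shows the optional installed-sa flush and remote-peers kill-connections steps for when a change did happen.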
 
bsturgis
just joined
Topic Author
Posts: 4
Joined: Mon Feb 11, 2013 4:03 pm

Re: Need help with IPSec script with dynamic IP changing

Wed Mar 06, 2013 4:37 am

Thanks. It works. I appreciate the help.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: Need help with IPSec script with dynamic IP changing

Sun Mar 09, 2014 7:13 pm

I have a script to compare whether the WAN IP address has been changed and another script to update sa-src-address. Do I need to add something else to the script, like killing remote peers and flushing installed SAs?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need help with IPSec script with dynamic IP changing

Sun Mar 09, 2014 8:05 pm

I have a script to compare whether WAN IP address has been changed and another script to update sa-src-address. Do I need to add something else to the script like kill remote peers and flush installed SAs?

Here is the script I wrote... It does EoIP over IPSec. Basically it looks for IPSec peers with a comment that looks like
"+eoip+<HOSTNAME>" ... it then looks for the policy, EoIP tunnel, etc. that all share the same comment. You can use this to update as many as you want...

ros code

#
# Dynamic Site To Site VPN Script - EoIP over IPSec
#

# Set Comments (Tunnel, Peer, Policy) = "+eoip+<HOSTNAME>"

#
# Variables
#
:local currentLocalSiteInterface "ether01-gateway"
:local currentLocalSite ""

:local forceUpdate false

:local IPSecCyclePeers false
:local IPSecFlushSAs false
:local IPSecKillConnections false

#
# Script
#
:global localSite 

#:set currentLocalSite [/ip address get [/ip address find interface=$currentLocalSiteInterface] address]
:set currentLocalSite [/ip dhcp-client get [/ip dhcp-client find interface=$currentLocalSiteInterface] address]
:set currentLocalSite [:pick $currentLocalSite 0 [:find $currentLocalSite "/" -1]]

:if ([:typeof $localSite] = "nothing") do={
	:set localSite ""
}

:if ($currentLocalSite != $localSite) do={
	:set forceUpdate true
	:set localSite $currentLocalSite
}

/ip ipsec {
	:local hadUpdate false

	:foreach i in=[peer find comment~"^([^+]*\\+eoip\\+([^+]*)\$"] do={
		:local remoteSite [peer get $i address]
		:set remoteSite [:pick $remoteSite 0 [:find $remoteSite "/" -1]]

		:local peerComment [peer get $i comment]
		
		:local policyNumber [policy find comment=$peerComment]
		:local peerNumber $i

		:local tcomment [:pick $peerComment ([:find $peerComment "+"]+1) [:len $peerComment]]
		:local mode [:pick $tcomment 0 ([:find $tcomment "+"])]
		:local dnsName [:pick $tcomment ([:find $tcomment "+"]+1) [:len $tcomment]]

		:do {
			:local currentRemoteSite [:resolve $dnsName]
		
			:if ($forceUpdate || $remoteSite != $currentRemoteSite) do={
				peer set $peerNumber address="$currentRemoteSite/32"
				policy set $policyNumber dst-address="$currentRemoteSite/32" src-address="$currentLocalSite/32" sa-dst-address=$currentRemoteSite sa-src-address=$currentLocalSite

				:local tunnelNumber [/interface eoip find comment=$peerComment]
				/interface eoip set $tunnelNumber remote-address=$currentRemoteSite

				:if ($IPSecCyclePeers) do={
					peer disable $peerNumber
					peer enable $peerNumber
				}

				:set hadUpdate true
			}
		} on-error={
			:log error ("DynamicSiteToSiteVPNMini: Failed Updating - \"" . $peerComment . "\"")
		}
	}

	:if ($hadUpdate) do={
		:if ($IPSecFlushSAs) do={
			installed-sa flush
		}

		:if ($IPSecKillConnections) do={
			remote-peers kill-connections 
		}
	}
}
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: Need help with IPSec script with dynamic IP changing

Sun Mar 09, 2014 9:12 pm

Here is the script I wrote... It does EoIP over IPSec. Basically it looks for IPSec Peers with a comment that looks like
"+eoip+<HOSTNAME>" ... it then looks for the policy, eoip tunnel, etc that all share the same comment. You can use this to update as many as you want...
Thanks for the script, I will certainly use it some day. At the moment I will only use part of the script.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Need help with IPSec script with dynamic IP changing

Mon Mar 10, 2014 1:49 pm

Here is the script I wrote... It does EoIP over IPSec. Basically it looks for IPSec Peers with a comment that looks like
"+eoip+<HOSTNAME>" ... it then looks for the policy, eoip tunnel, etc that all share the same comment. You can use this to update as many as you want...
Thanks for the script, I will certainly use it some day. At the moment I will only use part of the script.

No worries. I actually have a ton of scripts for different things I wrote over time. I'd love to put them on the WIKI, but it's not open for editing any more.

Feel free to do whatever you want with it... I have versions for EOIP, IPIP, Straight IPSec, etc... ... I also have a massive script with ALL of them built in.... it just looks at the comments.. e.g. +ipip+hostname, +eoip+hostname, etc.
