 
phuketmymac
newbie
Topic Author
Posts: 49
Joined: Thu Jun 05, 2014 7:56 pm

Site-to-site IPsec tunnel using DNS names (mynetname.net)

Sat Feb 15, 2020 5:29 am

Hello,

I currently have an IPsec setup with 2 MikroTik routers.
In the peers menu, I've added the Cloud DNS name provided by MikroTik (mynetname.net) as the address of the remote site.
Both sites have dynamic public IPs, so I am using DNS names on both sides.

The connection works fine, but once in a while, I guess when one of the public IPs changes, the tunnel drops.
A restart will do; however, I would like to automate this part with a script.

But from what I've read and understand, I am doing it wrong and I should rather set up the tunnel using the temporary public IP as the remote address (in peers) and stop using the DNS name.
Then use scripts to check regularly for IP changes and update my tunnel accordingly.

Can someone confirm please?
Thanks!
 
McSee
Frequent Visitor
Posts: 74
Joined: Tue Feb 26, 2019 12:49 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Sat Feb 15, 2020 3:44 pm

But from what I've read and understand, I am doing it wrong and I should rather set up the tunnel using the temporary public IP as the remote address (in peers) and stop using the DNS name.
Then use scripts to check regularly for IP changes and update my tunnel accordingly.
No, it's absolutely fine to use a DNS name for the initiator peer.
Also, you don't have to use any name or address for the responder peer unless you have some specific requirements (several public IPs etc.), just use ::/0 there.

If your tunnel doesn't re-establish by itself after several minutes, then there's probably something wrong with your config.
The default DPD interval / failures setting found in the IPsec Profile is a bit high by default; try to lower it for earlier detection when a tunnel is down.
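A sketch of the layout described above in RouterOS syntax, added here as an illustration and not configuration from either poster. The profile name, peer names, Cloud DNS placeholder, subnets, secret, DPD values and the passive=yes flag on the responder are all assumed:

```routeros
# Site A (initiator): the peer address is the other site's Cloud DNS name.
# RouterOS re-resolves the name, so a public IP change at Site B does
# not require editing the peer. All names and values are assumed.
/ip ipsec profile add name=s2s-profile \
    dpd-interval=10s dpd-maximum-failures=3 \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=site-b address=REPLACE-SITE-B-SERIAL.sn.mynetname.net \
    exchange-mode=ike2 profile=s2s-profile
/ip ipsec identity add peer=site-b auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-SECRET"
/ip ipsec policy add peer=site-b tunnel=yes \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 proposal=default

# Site B (responder): no remote address needed. ::/0 matches any
# initiator and passive=yes makes this side wait instead of dialing out.
# Because the address no longer pins the peer, authentication rests
# entirely on the identity (a strong PSK here; certificates are stronger).
/ip ipsec profile add name=s2s-profile \
    dpd-interval=10s dpd-maximum-failures=3 \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=site-a address=::/0 passive=yes \
    exchange-mode=ike2 profile=s2s-profile
/ip ipsec identity add peer=site-a auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-SECRET"
/ip ipsec policy add peer=site-a tunnel=yes \
    src-address=192.168.2.0/24 dst-address=192.168.1.0/24 proposal=default
```

With DPD at 10s and 3 failures, a dead tunnel is noticed within about half a minute and the initiator rebuilds it against the freshly resolved name.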
 
phuketmymac
newbie
Topic Author
Posts: 49
Joined: Thu Jun 05, 2014 7:56 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Sun Feb 16, 2020 8:10 am

Thank you for answering.

Actually, that might be the issue here. I believe I have set both sides to be initiator and responder.
When the tunnel fails to reconnect, I can see both sides trying.

Also, I have road warrior connections available, but they won't work when the tunnel is down. As if the entire IPsec module were overloaded or something.
I did try to kill connections on both sides in active peers, but it didn't help.

Should I set only one side as the initiator?
 
phuketmymac
newbie
Topic Author
Posts: 49
Joined: Thu Jun 05, 2014 7:56 pm

Re: Site-to-site IPsec tunnel using DNS names (mynetname.net)

Mon Feb 17, 2020 11:37 am

Can anyone please direct me to a guide on how to set up a site-to-site IPsec VPN with dynamic public IPs?

I have 2 tunnels set up for 2 different customers and they do exactly the same thing: they will disconnect and not reconnect on their own.

If I try to set ::/0 on one node, to make it the responder node only, I then get the error "This entry is unreachable" until I set the URL of the other end again.
