LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

How to add public ip to address and ipsec peers local address

Wed May 11, 2022 12:06 pm

Hi,
My Mikrotik is behind a modem:
Modem Public : 176.41.xxx.xxx (Dynamic)
Modem Lan : 192.168.1.0/24

Mikrotik - UpLink(ether1) : 192.168.1.15/32 (WAN)
Mikrotik - bridge - Lan : 10.10.5.1/24 (eth 2-3-4-5)

I have a working IPsec VPN, but when the modem reboots my public IP changes.
For the IPsec VPN to work again, I need to add the new public IP address to:

/ip address set interface=UpLink address="New IP Address"
/ip ipsec peer set myvpn local-address="New IP Address"

Is there a way to add the new public IP address (IP -> Cloud -> Public Address) to "IP -> Addresses" and "IP -> IPsec -> Peers -> Local Address"?

Thanks,
Last edited by LifeGame on Thu Jun 02, 2022 10:01 am, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: How to add public ip to address and ipsec peers local address

Wed May 11, 2022 12:20 pm

At the local address, I don't think so.

Can you config your modem in bridge mode or perhaps you could use "Site to Site GRE tunnel over IPsec IKEv2 using DDNS"
https://help.mikrotik.com/docs/display/ ... 2)usingDNS
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Wed May 11, 2022 12:47 pm

At the local address, I don't think so.

Can you config your modem in bridge mode or perhaps you could use "Site to Site GRE tunnel over IPsec IKEv2 using DDNS"
https://help.mikrotik.com/docs/display/ ... 2)usingDNS
My ISP doesn't allow bridge mode, and also Mikrotik to Palo Alto IPsec over GRE or GRE over IPsec is not working (or I could not configure the tunnel lol)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Wed May 11, 2022 4:11 pm

Why don't you accept that you're behind NAT and live with it? If modem has the public address, it shouldn't be duplicated on your router. Leave the Local Address empty. IPSec can handle it.
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add public ip to address and ipsec peers local address

Wed May 11, 2022 5:57 pm

That is right, when you are behind NAT your "local address" in the GRE tunnel is the address you get on the 192.168.x.x network, not your public address.
So enter 192.168.1.15 in your case.
It is still advisable to make it static (not obtained using DHCP) and enter it in that field, I have bad experience with leaving it empty.
E.g. when the whole environment powercycles and the MikroTik comes up before the ISP router and starts setting up the tunnel before it has obtained the address, things go haywire.
(when doing this with IPv6 it fails completely, with IPv4 it will probably recover)
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Wed May 11, 2022 9:23 pm

Why don't you accept that you're behind NAT and live with it? If modem has the public address, it shouldn't be duplicated on your router. Leave the Local Address empty. IPSec can handle it.
After leaving the local address empty my Palo Alto says "there is no config for 192.168.1.15 blah blah blah..."; I think Mikrotik uses the interface IP, not the public IP. So my address list:

[admin@Home] > /ip address print
# ADDRESS NETWORK INTERFACE
0 10.10.2.1/24 10.10.2.0 Bridge_LAN
1 176.41.XXX.XXX/32 176.41.XXX.XXX UpLink
2 192.168.1.15/24 192.168.1.0 UpLink

[admin@Home] > /ip ipsec peer print
0 name="pa" address=28.28.XXX.XXX/32 local-address=176.41.XXX.XXX profile=ike_crypto exchange-mode=main
send-initial-contact=yes

With this config, IPsec works well... But a modem restart is a big problem for me. I need a script to renew the UpLink interface IP and the local-address IP..

Is there a solution?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Wed May 11, 2022 10:07 pm

Modem needs to be doing srcnat (which I'd assume should be default when it's in router mode), then anything from 192.168.1.15 to internet will have source changed to 176.41.x.x and config on the remote device will match.

On the other hand, if your original config works and you're happy with it, your plan with script is possible too. Give your address some unique comment and then you can do something like this:
:local Address [/ip cloud get public-address]
/ip address set [find where comment="pubaddr"] address=$Address
And similar with IPSec peer. It would be good to add some error checking and update address only when it actually changes, it shouldn't be difficult, but RouterOS scripting doesn't like me, so I'll leave that to you (check manual).
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Thu Jun 02, 2022 10:07 am

Modem needs to be doing srcnat (which I'd assume should be default when it's in router mode), then anything from 192.168.1.15 to internet will have source changed to 176.41.x.x and config on the remote device will match.

On the other hand, if your original config works and you're happy with it, your plan with script is possible too. Give your address some unique comment and then you can do something like this:
:local Address [/ip cloud get public-address]
/ip address set [find where comment="pubaddr"] address=$Address
And similar with IPSec peer. It would be good to add some error checking and update address only when it actually changes, it shouldn't be difficult, but RouterOS scripting doesn't like me, so I'll leave that to you (check manual).
It shouldn't be this hard and complicated...
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add public ip to address and ipsec peers local address

Thu Jun 02, 2022 10:14 am

But it is. That is just IPsec. Look at your Palo Alto. It is complicated too. And it cannot even communicate with NATted GRE/IPsec peers.
When you do not want all this fuss you either need to find a connection without NAT (what about IPv6?) or not use IPsec.
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Thu Jun 02, 2022 10:24 am

But it is. That is just IPsec. Look at your Palo Alto. It is complicated too. And it cannot even communicate with NATted GRE/IPsec peers.
When you do not want all this fuss you either need to find a connection without NAT (what about IPv6?) or not use IPsec.
Yep.. there's a lot missing in Palo Alto. I don't have a chance to get out from behind NAT..
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Thu Jun 02, 2022 9:01 pm

I'd argue that it's not that much complicated, or that RouterOS is not the only one to blame. IPSec can work behind NAT. I think that IKEv1 had it as extension, but IKEv2 has it built-in. And neither is too new, so everything should support it by now.
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add public ip to address and ipsec peers local address

Thu Jun 02, 2022 10:49 pm

I'd argue that it's not that much complicated, or that RouterOS is not the only one to blame. IPSec can work behind NAT. I think that IKEv1 had it as extension, but IKEv2 has it built-in. And neither is too new, so everything should support it by now.
NAT extension for IKEv1 works only for tunnel mode, not for transport mode.
GRE over IPsec usually operates in transport mode because that is most efficient.
RouterOS knows to switch to tunnel mode automatically when NAT is in play, but other routers cannot always do that.
There you have your first operational problem when using NAT.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 4:02 am

Right, I keep forgetting about some parts of IPSec.
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 8:21 am

Hey guys.. @Sob, @pe1chl
My problem is not about IPsec. Actually this is a normal problem, because Mikrotik is behind NAT. I need a script :)

How can I add my public IP to:
/ip address set interface=UpLink address="Public IP"
/ip ipsec peer set myvpn local-address="Public IP"

Note:
Public IP : 172.41.XXX.XXX
Modem Wan : 10.XXX.XXX.XXX
Modem Lan : 192.168.1.0/24
Mikrotik Wan : 192.168.1.15
Mikrotik Lan : 10.10.5.0/24

The real problem is my ISP ... !!! Even if I could put the modem in bridge mode, which I can't, the problem would not be fixed.
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 10:39 am

But it will not work when you set your public IP as the local IP in IPsec when in fact you are behind NAT!
In that case you have to set it to the local IP (RFC1918) you got behind NAT.
Also, when you have double NAT (e.g. because you have a local router that does NAT and then you have carrier NAT at the provider as well) it usually will not work at all.
(depending on the exact IPsec profile that you are using)
That is because the port number potentially is translated twice, and the IPsec profile checks the port number and it does not match.
That is something you can work around by using generate-policy=port-override in the ipsec identity. (instead of port-strict)
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 12:21 pm

And in addition to @Pe1chl's post, in case of double NAT (i.e. ISP CG-NAT and NAT in your own router) and/or for example if both endpoints are behind NAT, there are various techniques for NAT traversal like "hole punching" used by SIP/STUN and similar.

Unfortunately there is no standard to solve this in IPsec, though some suppliers have this sorted out by their own custom-made solutions, like Cisco Meraki.

- How NAT traversal works
- NAT Traversal - IPSec over NAT Tutorial
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 12:37 pm

But it will not work when you set your public IP as the local IP in IPsec when in fact you are behind NAT!
In that case you have to set it to the local IP (RFC1918) you got behind NAT.
Also, when you have double NAT (e.g. because you have a local router that does NAT and then you have carrier NAT at the provider as well) it usually will not work at all.
(depending on the exact IPsec profile that you are using)
That is because the port number potentially is translated twice, and the IPsec profile checks the port number and it does not match.
That is something you can work around by using generate-policy=port-override in the ipsec identity. (instead of port-strict)
Bro.. my IPsec is WORKING !!! I only need a script which can add the new IP address to:

/ip address set interface=UpLink address="New IP Address"
/ip ipsec peer set myvpn local-address="New IP Address"

Because my public IP is dynamic, and I don't understand why, but my public IP is changing every day..
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 12:37 pm

And of course the working solution is to setup the IPsec tunnel over IPv6.
An ISP that has implemented CG-NAT should at least offer IPv6, IMHO.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Fri Jun 03, 2022 6:30 pm

I already posted a hint how you can script that.
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Sat Jun 04, 2022 3:43 pm

I already posted a hint how you can script that.
Yep.. This is working :)
:local NewIP [/ip cloud get public-address]
/ip address add interface=UpLink address=$NewIP
/ip ipsec peer set onurgroup local-address=$NewIP
and scheduler 1h ...

I want to improve this.. I want to:
find the new IP and check it against the current IP; if not equal ... ... ...

:global currentIP;
:local newIP [/ip cloud get public-address];

:if ($newIP != $currentIP) do={
/ip address add interface=UpLink address=$newIP
/ip ipsec peer set myvpn local-address=$newIP
};


Is this the right way?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Sat Jun 04, 2022 6:16 pm

You want to change existing address, not add new ones and let them pile up. You can mark it using unique comment as I've shown, and then you can use that to access it. Otherwise it's the right direction.
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: How to add public ip to address and ipsec peers local address

Mon Jun 06, 2022 12:52 pm

You want to change existing address, not add new ones and let them pile up. You can mark it using unique comment as I've shown, and then you can use that to access it. Otherwise it's the right direction.
Hmmm... You mean:

[admin@Home] > ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 10.10.2.1/24 10.10.2.0 Bridge_LAN
1 192.168.1.15/24 192.168.1.0 UpLink
;;; pubaddr
2 176.41.XXX.XXX/32 176.41.XXX.XXX UpLink

#Script
:global currentIP;
:local NewIP [/ip cloud get public-address];

:if ($NewIP != $currentIP) do={
/ip address set [find where comment="pubaddr"] address=$NewIP network=$NewIP
/ip ipsec peer set myvpn local-address=$NewIP
};

[admin@Home] > /system scheduler print
Flags: X - DISABLED
Columns: NAME, START-DATE, START-TIME, INTERVAL
# NAME START-DATE START-TIME INTERVAL
0 email apr/07/2022 00:01:00 23h59m59s
1 PubIP jan/01/1970 23:59:59 1h
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to add public ip to address and ipsec peers local address

Mon Jun 06, 2022 2:51 pm

You have global variable currentIP, but you don't set any value for it, so it won't work. But I wouldn't use global variable anyway, better read what's actually on interface, so again find it by comment and read the address (but I don't know from top of my head the command to do it). And don't set "network" parameter, let the system fill it automatically (but you may need to reset it, if you already set it once).
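A scheduler script along the lines Sob describes, added here as an example and not code from the thread: it reads the address actually configured on UpLink (found by its comment) instead of a global variable, updates the address and the peer only when the IP Cloud address really differs, leaves network unset, and skips the run when IP Cloud has not learned an address yet (the power-cycle case pe1chl mentions). Assumed names: the /32 entry carries the comment "pubaddr", the peer is "myvpn", and IP > Cloud is enabled.

```routeros
# Added example, not from the thread. Meant to run from a /system scheduler entry
# such as the hourly "PubIP" job. Assumptions: the /32 public address on UpLink has
# the comment "pubaddr", the IPsec peer is named "myvpn", IP > Cloud is enabled.
:local newIP [/ip cloud get public-address]

# Right after a power cycle the cloud address may not be known yet; do nothing then
# rather than pushing an empty value into the peer configuration.
:if ([:typeof $newIP] != "ip") do={
    :log warning "PubIP: no public-address from /ip cloud yet, skipping"
} else={
    # Read what is really configured instead of trusting a global variable
    :local addrId [/ip address find where comment="pubaddr"]
    :if ([:len $addrId] = 0) do={
        :log error "PubIP: no /ip address entry with comment \"pubaddr\""
    } else={
        :local curAddr [/ip address get $addrId address]
        :local wantAddr "$newIP/32"
        # Compare the stored "a.b.c.d/32" string; only touch config on a real change
        :if ($curAddr != $wantAddr) do={
            :log info "PubIP: public address changed $curAddr -> $wantAddr"
            # network is not set here, so RouterOS derives it from the new address
            /ip address set $addrId address=$wantAddr
            /ip ipsec peer set myvpn local-address=$newIP
        }
    }
}
```

If network was once set by hand, as in the second script above, clear it manually one time, as Sob notes, otherwise it keeps the stale value.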
