resca
newbie
Topic Author
Posts: 33
Joined: Sat Mar 26, 2016 12:23 pm

strongSwan and dynamic IP address

Sat Jan 27, 2024 7:04 pm

My MikroTik router is running v7.12.1. I managed to create an IKEv2 VPN to remotely connect my Android phone thanks to the useful script IKEv2-server-autoscript.rsc found on GitHub, and it used to work fine for several days. Then it suddenly stopped working. After a very hard (for me!) investigation, I found that:
- a packet from the phone reaches the router firewall, input chain.
- it is accepted.
- nothing else happens.
After a more in-depth investigation, I managed to enable the logging for ipsec, and I found this meaningful message in the log:
17:34:27 ipsec ipsec,!packet: -> ike2 request, exchange: SA_INIT:0 37.162.229.55[61658] 032e1ba2e32cd267:0000000000000000
17:34:27 ipsec ipsec,!packet: no IKEv2 peer config for 37.162.229.55
 
I do have a peer created for this IKEv2 vpn:
Flags: X - disabled; D - dynamic; R - responder
 0   R name="peer-80.181.227.212" local-address=80.181.227.212 passive=yes profile=profile-703b066b6af4.sn.mynetname.net
       exchange-mode=ike2 send-initial-contact=yes
Both my router and the phone have dynamic IP addresses and I suspect it worked until the phone and/or the router changed its IP address.
37.162.229.55 is the IP address of my phone NOW.
95.245.79.106 is the IP address of my router NOW.
80.181.227.212 may be my provider's first router? This is a traceroute from inside my lan:
C:\WINDOWS\system32>tracert 80.181.227.212

Tracing route to host-80-181-227-212.retail.telecomitalia.it [80.181.227.212]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  router.lan [10.3.50.11]
  2     *        *        *     Request timed out.
  3     8 ms     7 ms     7 ms  host-80-181-227-212.retail.telecomitalia.it [80.181.227.212]

Trace complete.
What can be done? Is an IKEv2 possible in this scenario?
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: strongSwan and dynamic IP address

Sun Jan 28, 2024 3:25 am

Perhaps add a script to your dhcp/pppoe client on the Router, to update the ikev2 VPN settings when its public ip address changes.

Or perhaps consider using wireguard.
 
resca
newbie
Topic Author
Posts: 33
Joined: Sat Mar 26, 2016 12:23 pm

Re: strongSwan and dynamic IP address

Sun Jan 28, 2024 9:28 am

I entered my case in the subsection Beginner Basics, not in the section Experts; for this reason your kind reply sounds like: you cannot!
I may have an idea and I for sure can find documentation to write and run a script, but I certainly cannot add a script to your dhcp/pppoe client on the Router (what is the dhcp/pppoe client? how can I add a script TO something?).
I have no idea how I can update the ikev2 VPN settings.
I have no idea how to detect when its public ip address changes (in addition, does "its" refer to the client or to the server?).
Furthermore, I see wireguard may be a replacement for strongSwan. Is it insensitive to dynamic ip changes? Are there sample scripts to set up the MikroTik side?

It is very disappointing that my old phone worked with native VPN but Xiaomi decided to remove it in the newer one. I can also connect with no problems from any Linux box with native VPN. Those devices don't use this very tricky IKEv2. If a VPN client for Android that is NOT IKEv2 is available, it is welcome.
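
Added example, not part of any post in this thread and not code from MikroTik or the autoscript: a small Python check that parses the `/ip ipsec peer print` output and the ipsec log quoted above and reports IKEv2 peers whose pinned `local-address` differs from the router's current public address. It assumes, as the topic author suspects, that this stale address is why the responder logs "no IKEv2 peer config"; the function names are hypothetical.

```python
import re

# Text copied from the thread: `/ip ipsec peer print` output and the ipsec log.
PEER_PRINT = """Flags: X - disabled; D - dynamic; R - responder
 0   R name="peer-80.181.227.212" local-address=80.181.227.212 passive=yes profile=profile-703b066b6af4.sn.mynetname.net
       exchange-mode=ike2 send-initial-contact=yes
"""
LOG = """17:34:27 ipsec ipsec,!packet: -> ike2 request, exchange: SA_INIT:0 37.162.229.55[61658] 032e1ba2e32cd267:0000000000000000
17:34:27 ipsec ipsec,!packet: no IKEv2 peer config for 37.162.229.55
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')          # key=value or key="value"
ENTRY = re.compile(r'^\s*\d+\s+((?:[A-Z]+\s+)*)')   # "<index> <flags>" starts an entry

def parse_peers(text):
    """Turn the print output into one dict per peer (wrapped lines are merged)."""
    peers = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            peers.append({"flags": set(m.group(1).replace(" ", ""))})
        if peers:
            for key, value in KV.findall(line):
                peers[-1][key] = value.strip('"')
    return peers

def rejected_initiators(log):
    """Remote addresses the responder refused for lack of a matching peer."""
    return sorted(set(re.findall(
        r"no IKEv2 peer config for (\d+\.\d+\.\d+\.\d+)", log)))

def stale_peers(peers, current_public_ip):
    """Enabled IKEv2 peers pinned to a local-address the router no longer holds.

    Assumption: a peer with local-address set only matches requests that
    arrive on that exact address, so a changed WAN address leaves it unused.
    """
    return [p["name"] for p in peers
            if "X" not in p["flags"]
            and p.get("exchange-mode") == "ike2"
            and "local-address" in p
            and p["local-address"] != current_public_ip]

if __name__ == "__main__":
    current = "95.245.79.106"  # the router's address "NOW", per the first post
    print("rejected initiators:", rejected_initiators(LOG))
    print("peers with stale local-address:", stale_peers(parse_peers(PEER_PRINT), current))
```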
