Mikrotik RouterOS Site-to-Site configuration for Peers with Dynamic IP

    \n:global currentpeerip [:resolve router2.alsacecom.fr]\r\
    \n:global previouspeerip\r\
    \n:if (\$currentpeerip != \$previouspeerip) do={\r\
    \n:log info \"CHECKPEERIP: Update required \$currentpeerip\"\r\
    \n:set previouspeerip \$currentpeerip\r\
    \n/ip ipsec policy set 0 sa-dst-address=\$currentpeerip sa-src-address=10.0.3.1\r\
    \n/ip ipsec peer set 0 address=\"\$currentpeerip/32\" port=500\r\
    \n/ip ipsec remote-peers kill-connections\r\
    \n}"

The following script checks whether the HQ public IP address has changed and, if so, resets the IPsec keys in order to re-establish the VPN tunnel.

/system script
add name=checkmyip-router-update policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
    \n:global previousmyip\r\
    \n# Print values for debug\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" url=\"http://checkip.dyndns.org/dyndns.checkip.html\"\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:global currentmyip [:pick \$result \$startLoc \$endLoc]\r\
    \n:if (\$currentmyip != \$previousmyip) do={\r\
    \n:set previousmyip \$currentmyip\r\
    \n:log info \"CHECKMYIP: Update required \$currentmyip\"\r\
    \n/ip ipsec remote-peers kill-connections\r\
    \n}"

Each script then runs every minute:

/system scheduler
add comment="" disabled=no interval=1m name=checkmypeer-schedule on-event=\
    "checkmypeer-router-update" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=00:00:01
/system scheduler
add comment="" disabled=no interval=1m name=checkmyip-schedule on-event=checkmyip-router-update \
    start-date=jan/01/1970 start-time=00:00:01

Router2:

The following script checks whether the HQ public IP address has changed and, if so, modifies the configuration in order to re-establish the VPN tunnel.

/system script
add name=checkmypeer-router-update policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
    \n:global currentpeerip [:resolve router1.alsacecom.fr]\r\
    \n:global previouspeerip\r\
    \n:if (\$currentpeerip != \$previouspeerip) do={\r\
    \n:log info \"CHECKPEERIP: Update required \$currentpeerip\"\r\
    \n:set previouspeerip \$currentpeerip\r\
    \n/ip ipsec policy set 0 sa-dst-address=\$currentpeerip sa-src-address=10.0.4.1\r\
    \n/ip ipsec peer set 0 address=\"\$currentpeerip/32\" port=500\r\
    \n/ip ipsec remote-peers kill-connections\r\
    \n}"

The following script checks whether the Factory public IP address has changed and, if so, resets the IPsec keys in order to re-establish the VPN tunnel.

/system script
add name=checkmyip-router-update policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
    \n:global previousmyip\r\
    \n# Print values for debug\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" url=\"http://checkip.dyndns.org/dyndns.checkip.html\"\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:global currentmyip [:pick \$result \$startLoc \$endLoc]\r\
    \n:if (\$currentmyip != \$previousmyip) do={\r\
    \n:set previousmyip \$currentmyip\r\
    \n:log info \"CHECKMYIP: Update required \$currentmyip\"\r\
    \n/ip ipsec remote-peers kill-connections\r\
    \n}"

Each script then runs every minute:

/system scheduler
add comment="" disabled=no interval=1m name=checkmypeer-schedule on-event=\
    "checkmypeer-router-update" policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=00:00:01
/system scheduler
add comment="" disabled=no interval=1m name=checkmyip-schedule on-event=checkmyip-router-update \
    start-date=jan/01/1970 start-time=00:00:01
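The checkmyip parsing and update decision used by both routers above, as an added Python example (not from the original page) that includes the check a practitioner would want before killing the IPsec connections: the text picked out between ": " and "</body>" is validated as an IPv4 address, so an unexpected response from the IP-check service does not tear down a working tunnel. The two HTML responses are constructed samples.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample of a checkip.dyndns.org response in the shape the script
# above expects: the address follows the first ": " and precedes "</body>".
SAMPLE_OK = ("<html><head><title>Current IP Check</title></head>"
             "<body>Current IP Address: 203.0.113.7</body></html>")
# Constructed sample of what a captive portal or outage page might return instead.
SAMPLE_BAD = "<html><body>Service unavailable: try again later</body></html>"


def naive_pick(html: str) -> str:
    """Mirror the RouterOS parse: slice from the first ': ' + 2 up to '</body>'."""
    start = html.find(": ") + 2
    end = html.find("</body>")
    return html[start:end]


def parse_checkip(html: str) -> Optional[str]:
    """Return the public IPv4 address from the response, or None when the slice
    is not an IPv4 address (the validation the RouterOS script does not do)."""
    candidate = naive_pick(html).strip()
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def decide(previous: Optional[str], html: str) -> Tuple[Optional[str], bool]:
    """One scheduler tick: return (new previous value, whether to kill connections).

    Same state machine as the script (previousmyip global, reset on change),
    except that an unparseable response leaves the state untouched and does
    nothing, instead of storing garbage and resetting the tunnel."""
    current = parse_checkip(html)
    if current is None:
        return previous, False
    if current != previous:
        return current, True
    return previous, False
```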

/ip ipsec peer add address=10.0.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 \
    lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=test \
    send-initial-contact=yes
