Mikrotik RouterOS Site-to-Site configuration for Peers with Dynamic IP


Source: This solution is based on the following post: http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_DNSoMatic.com_behind_NAT

Overview:

If you need to implement a Site-to-Site VPN link between two sites that reach the Internet only through dynamic IP addresses, you need to solve two issues at each site:

  1. monitor the other peer's public IP address so you can detect when it has changed
  2. monitor your own public IP address so you can reset the encryption keys and re-establish the tunnel

Design:

Details:

The two issues are resolved by two scripts that run every minute on each RouterOS device.

  • The first script looks up the other peer's public IP address through a DNS name resolution and compares the result with the previously known address. If it has changed, the script modifies the RouterOS configuration by changing the IPsec peer IP address.

  • The second script obtains the site's own public IP address through an HTTP request to checkip.dyndns.org and compares the result with the previously known address. If it has changed, the script resets the IPsec connections so that the VPN tunnel is re-established.

IP Configuration:

Router1:

/ip ipsec address
add address=10.0.3.1/24 comment=interco disabled=no interface=ether1 network=10.0.3.0
add address=192.168.1.1/24 comment=HQ disabled=no interface=ether2 network=192.168.1.0

Router2:

/ip address
add address=10.0.4.1/24 comment=interco disabled=no interface=ether1 network=10.0.4.0
add address=192.168.2.1/24 comment=Factory disabled=no interface=ether2 network=192.168.2.0

IPSec Configuration (the 3des, md5 and modp1024 parameters below are the legacy choices of the original post; current RouterOS releases support AES and SHA-2 proposals, which should be preferred):

Router1:

/ip ipsec peer
add address=10.0.2.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
    dpd-interval=disable-dpd dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" \
    nat-traversal=yes port=500 proposal-check=obey secret=mysecret send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24 dst-port=any ipsec-protocols=esp \
    level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.2.1 \
    sa-src-address=10.0.3.1 src-address=192.168.1.0/24 src-port=any tunnel=yes

Router2:

/ip ipsec peer
add address=10.0.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" \
    nat-traversal=yes port=500 proposal-check=obey secret=mysecret send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24 dst-port=any ipsec-protocols=esp \
    level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.1.1 \
    sa-src-address=10.0.4.1 src-address=192.168.2.0/24 src-port=any tunnel=yes

Script Configuration:

Router1:

The following script checks whether the Factory public IP address has changed and, if so, modifies the configuration so that the VPN tunnel is re-established.

/system script
add name=checkmypeer-router-update policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
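The script body is cut off in this copy of the page. What follows is an added example, not the original post's script: two RouterOS script bodies (v6-style syntax, matching the configuration on this page) that implement the two checks described under Details, the first one written for Router1. The DNS name factory.example.com, the file name mypublicip.txt and the scheduler and script names are placeholders chosen here, not taken from the original post.

```routeros
# --- Script 1 (Router1): re-point the IPsec peer when the Factory public IP changes
# Assumptions (placeholders, not from the original post): the Factory router
# publishes its public IP under the DNS name "factory.example.com", and Router1
# has exactly one IPsec policy towards 192.168.2.0/24 (the one shown above).
:local peerName "factory.example.com"
:local policyDst "192.168.2.0/24"
# :resolve raises a script error if the name cannot be resolved, so a DNS
# outage aborts the run here without modifying any configuration.
:local newIP [:tostr [:resolve $peerName]]

# The configured peer address is read back from the policy rather than kept
# in a global variable, so a reboot cannot desynchronise the two.
:local polId [/ip ipsec policy find dst-address=$policyDst]
:local curIP [:tostr [/ip ipsec policy get $polId sa-dst-address]]

:if ($newIP != $curIP) do={
    :local peerId [/ip ipsec peer find address="$curIP/32"]
    /ip ipsec peer set $peerId address="$newIP/32"
    /ip ipsec policy set $polId sa-dst-address=$newIP
    # Drop the stale SAs so IKE renegotiates against the new address at once.
    /ip ipsec remote-peers kill-connections
    :log warning "ipsec peer changed from $curIP to $newIP"
}

# --- Script 2 (either router): reset the tunnel when our own public IP changes
# checkip.dyndns.org answers with an HTML page containing
# "Current IP Address: a.b.c.d"; the address is cut out of that text.
:global myPublicIP
/tool fetch url="http://checkip.dyndns.org/" mode=http dst-path=mypublicip.txt
:delay 2
:local page [/file get mypublicip.txt contents]
:local start [:find $page "Address: "]
:if ([:typeof $start] = "nil") do={
    :log error "checkip: unexpected response, keeping current tunnel"
} else={
    :set start ($start + 9)
    :local end [:find $page "<" $start]
    :local publicIP [:pick $page $start $end]
    # First run after boot: $myPublicIP is nil, so this also resets once at startup.
    :if ($publicIP != $myPublicIP) do={
        :set myPublicIP $publicIP
        /ip ipsec remote-peers kill-connections
        :log warning "own public IP changed to $publicIP, ipsec connections reset"
    }
}

# Run each script body every minute (constructed scheduler entries, script names assumed):
# /system scheduler add name=checkmypeer interval=1m on-event=checkmypeer-router-update
# /system scheduler add name=checkmyip interval=1m on-event=checkmyip-router-update
```

Each script body is installed as the source of its own /system script entry; the second script stores the last seen address in a global variable, so it triggers one reset on the first run after a reboot.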
