alsacecom

your voip specialist



MIKROTIK ROUTEROS SITE-TO-SITE CONFIGURATION FOR PEERS WITH DYNAMIC IP


Source: this solution is based on the following post:
http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_DNSoMatic.com_behind_NAT

Overview:
When two sites are both connected to the Internet through dynamic public IP addresses, a Site-to-Site IPsec VPN between them has to cope with either address changing at any time. Each site therefore has to solve two problems:
  1. monitor the other peer's public IP address, so that a change is detected and the local IPsec peer and policy are pointed at the new address
  2. monitor its own public IP address, so that the existing security associations (which are bound to the old address) can be dropped and the tunnel re-established
Both sites are assumed to keep a DNS name up to date with their current public address (the linked DNSoMatic script does that part); the scripts below resolve the other site's name.
Design:


IP Configuration:

Router1 is the HQ site (192.168.1.0/24) and Router2 the Factory site (192.168.2.0/24). In the entries below the remote-side values (sa-dst-address on the policy, address on the peer) are only initial placeholders: the scripts in the next section overwrite them with the address currently resolved for the other site. Router1's /ip ipsec peer entry and Router2's /ip address entries are not shown on this page; the scripts expect exactly one peer and one policy to exist on each router.

Router1:
/ip address
add address=10.0.3.1/24 comment=interco disabled=no interface=ether1 network=10.0.3.0
add address=192.168.1.1/24 comment=HQ disabled=no interface=ether2 network=192.168.1.0


/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24 dst-port=any ipsec-protocols=esp \
   level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.2.1 \
   sa-src-address=10.0.3.1 src-address=192.168.1.0/24 src-port=any tunnel=yes


Router2:

/ip ipsec peer
add address=10.0.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" \
   nat-traversal=yes port=500 proposal-check=obey secret=mysecret send-initial-contact=yes


/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24 dst-port=any ipsec-protocols=esp \
   level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.1.1 \
   sa-src-address=10.0.4.1 src-address=192.168.2.0/24 src-port=any tunnel=yes
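The peer definition above negotiates 3DES, MD5 and a 1024-bit DH group, authenticated by the pre-shared key "mysecret". All three algorithms are weak by current standards and a short PSK is the single secret protecting the tunnel. The following is the same Router2 peer and policy with AES-256, SHA-256 and modp2048, written in the RouterOS v6 syntax this page uses (algorithms set directly on the peer, i.e. releases before 6.44 introduced profiles and identities). It is an added example, not the page's own configuration: the comment=hq values and the PSK placeholder are assumptions, added so that a script can find the entries by comment; the address 10.0.1.1 is the same initial placeholder as above and is overwritten at runtime.

```routeros
# Added example: Router2 peer and policy with a stronger IKE/ESP algorithm set.
# RouterOS v6 syntax as used on this page (algorithms on the peer, pre-6.44).
# comment= values and the PSK placeholder are assumptions.

# The policy references proposal=default, so raise its ESP algorithms as well.
# Apply the same proposal change on Router1.
/ip ipsec proposal
set [find name="default"] enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Peer: address= is an initial placeholder that the peer-check script overwrites.
# Replace the secret with a long random value; the same value goes on Router1.
/ip ipsec peer
add address=10.0.1.1/32 comment=hq auth-method=pre-shared-key \
    exchange-mode=main dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5 lifetime=1d \
    proposal-check=obey send-initial-contact=yes \
    secret=REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY

# Policy: sa-dst-address is likewise overwritten by the script; sa-src-address is
# Router2's own interco address (10.0.4.1, the value the script on this page sets).
/ip ipsec policy
add comment=hq action=encrypt tunnel=yes level=require ipsec-protocols=esp \
    src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=10.0.4.1 sa-dst-address=10.0.1.1 proposal=default
```

Router1 needs the mirror image (its own peer entry for the Factory address, src/dst networks swapped, sa-src-address=10.0.3.1) with the same proposal, peer algorithms and PSK, otherwise phase 1 or phase 2 negotiation fails.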


Script Configuration:

Router1:

The following script runs on Router1 (HQ). It resolves the Factory router's DNS name and, if the address differs from the one seen on the previous run, rewrites the IPsec policy and peer to the new address and drops the existing connections so that IKE renegotiates. Note that `set 0` addresses the first policy and the first peer by list position, which is only safe while each list holds a single entry.

/system script
add name=checkmypeer-router-update policy=\
 ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
 :global currentpeerip [:resolve router2.alsacecom.fr]\r\
 :global previouspeerip\r\
 :if (\$currentpeerip != \$previouspeerip) do={\r\
 :log info \"CHECKPEERIP: Update required \$currentpeerip\"\r\
 :set previouspeerip \$currentpeerip\r\
 /ip ipsec policy set 0 sa-dst-address=\$currentpeerip sa-src-address=10.0.3.1\r\
 /ip ipsec peer set 0 address=\"\$currentpeerip/32\" port=500\r\
 /ip ipsec remote-peers kill-connections\r\
 }"


The following script checks whether the HQ public IP address has changed, as seen from the Internet (so it also works behind double NAT), and if so drops the current IPsec connections so that the tunnel is re-keyed from the new address. The answer from checkip.dyndns.org arrives over plain HTTP, so it is only used to decide whether to re-key and is never written into the configuration.

/system script
add name=checkmyip-router-update policy=\
 ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
 :global previousmyip\r\
 # get the current public IP address as seen from the Internet (needed behind double NAT)\r\
 /tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" url=\"http://checkip.dyndns.org/dyndns.checkip.html\"\r\
 :local result [/file get dyndns.checkip.html contents]\r\
 # parse the current IP result\r\
 :local startLoc [:find \$result \": \" -1]\r\
 :set startLoc (\$startLoc + 2)\r\
 :local endLoc [:find \$result \"</body>\" -1]\r\
 :global currentmyip [:pick \$result \$startLoc \$endLoc]\r\
 :if (\$currentmyip != \$previousmyip) do={\r\
 :set previousmyip \$currentmyip\r\
 :log info \"CHECKMYIP: Update required \$currentmyip\"\r\
 /ip ipsec remote-peers kill-connections\r\
 }"


Each script then runs every minute:

/system scheduler
add comment="" disabled=no interval=1m name=checkmypeer-schedule on-event=\
   "checkmypeer-router-update" policy=\
   ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
   start-date=jan/01/1970 start-time=00:00:01

/system scheduler
add comment="" disabled=no interval=1m name=checkmyip-schedule on-event=checkmyip-router-update \
   start-date=jan/01/1970 start-time=00:00:01

Router2:

The following script runs on Router2 (Factory). It resolves the HQ router's DNS name and, if the address differs from the one seen on the previous run, rewrites the IPsec policy and peer to the new address and drops the existing connections so that IKE renegotiates. As on Router1, `set 0` relies on the policy and peer lists each holding a single entry.

/system script
add name=checkmypeer-router-update policy=\
  ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
  :global currentpeerip [:resolve router1.alsacecom.fr]\r\
  :global previouspeerip\r\
  :if (\$currentpeerip != \$previouspeerip) do={\r\
  :log info \"CHECKPEERIP: Update required \$currentpeerip\"\r\
  :set previouspeerip \$currentpeerip\r\
  /ip ipsec policy set 0 sa-dst-address=\$currentpeerip sa-src-address=10.0.4.1\r\
  /ip ipsec peer set 0 address=\"\$currentpeerip/32\" port=500\r\
  /ip ipsec remote-peers kill-connections\r\
  }"


The following script checks whether the Factory public IP address has changed, as seen from the Internet, and if so drops the current IPsec connections so that the tunnel is re-keyed from the new address. As on Router1, the value fetched over plain HTTP only triggers the re-key and is never written into the configuration.

/system script
add name=checkmyip-router-update policy=\
  ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\
  :global previousmyip\r\
  # get the current public IP address as seen from the Internet (needed behind double NAT)\r\
  /tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" url=\"http://checkip.dyndns.org/dyndns.checkip.html\"\r\
  :local result [/file get dyndns.checkip.html contents]\r\
  # parse the current IP result\r\
  :local startLoc [:find \$result \": \" -1]\r\
  :set startLoc (\$startLoc + 2)\r\
  :local endLoc [:find \$result \"</body>\" -1]\r\
  :global currentmyip [:pick \$result \$startLoc \$endLoc]\r\
  :if (\$currentmyip != \$previousmyip) do={\r\
  :set previousmyip \$currentmyip\r\
  :log info \"CHECKMYIP: Update required \$currentmyip\"\r\
  /ip ipsec remote-peers kill-connections\r\
  }"


Each script then runs every minute:

/system scheduler
add comment="" disabled=no interval=1m name=checkmypeer-schedule on-event=\
   "checkmypeer-router-update" policy=\
   ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive \
   start-date=jan/01/1970 start-time=00:00:01


/system scheduler
add comment="" disabled=no interval=1m name=checkmyip-schedule on-event=checkmyip-router-update \
   start-date=jan/01/1970 start-time=00:00:01
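The four scripts above (both routers' checkmypeer-router-update and checkmyip-router-update) share three weaknesses: they address the policy and peer by list index 0, a failed `:resolve` or `/tool fetch` aborts the run after `previouspeerip` may already have been updated on a previous partial run, and an unexpected checkip response is parsed blindly. The following hardened script bodies, an added example and not the page's original code, fix those points. They are written as script bodies to paste into the source field of each `/system script` entry (Winbox script editor, or `/system script edit <name> source`), and assume the peer and policy on Router2 carry comment="hq" so that they are found by comment. For Router1 swap the hostname to router2.alsacecom.fr, sa-src-address to 10.0.3.1 and the comment to whatever Router1's entries were tagged with. The script policy is an assumption too: read,write,test,ftp (read/write for the IPsec changes, test for `:resolve`, ftp for the file written by `/tool fetch`) rather than the full list the page grants, which includes reboot, password, sniff and sensitive that none of these commands use; check the log if a command is refused.

```routeros
# Added example: hardened script bodies for Router2 (Factory). Assumes the IPsec
# peer and policy carry comment="hq" and the scripts run with policy=read,write,test,ftp.

# ---- checkmypeer-router-update (Router2) ----
:global previouspeerip
:local currentpeerip
# A DNS failure must abort before any configuration is touched.
:do {
    :set currentpeerip [:resolve router1.alsacecom.fr]
} on-error={
    :log warning "CHECKPEERIP: cannot resolve router1.alsacecom.fr, keeping current SA"
    :error "resolve failed"
}
:if ($currentpeerip != $previouspeerip) do={
    :log info "CHECKPEERIP: peer moved to $currentpeerip, updating peer and policy"
    # locate the entries by comment, not by list position
    /ip ipsec policy set [find comment="hq"] sa-dst-address=$currentpeerip sa-src-address=10.0.4.1
    /ip ipsec peer set [find comment="hq"] address="$currentpeerip/32"
    /ip ipsec remote-peers kill-connections
    # Remember the new address only after the change was applied, so a failed run
    # is retried on the next scheduler tick instead of being silently skipped.
    :set previouspeerip $currentpeerip
}

# ---- checkmyip-router-update (Router2) ----
:global previousmyip
:local result
# checkip.dyndns.org answers over plain HTTP, so the value is not authenticated:
# it only decides whether to re-key and is never written into the configuration.
:do {
    /tool fetch mode=http url="http://checkip.dyndns.org/" dst-path="checkip.html"
    :set result [/file get checkip.html contents]
} on-error={
    :log warning "CHECKMYIP: fetch failed, skipping this run"
    :error "fetch failed"
}
# Expected body (as parsed by the page's script): "...<body>Current IP Address: A.B.C.D</body>..."
:local startLoc [:find $result ": " -1]
:local endLoc [:find $result "</body>" -1]
:if ([:typeof $startLoc] = "nil" || [:typeof $endLoc] = "nil") do={
    :log warning "CHECKMYIP: unexpected response format, skipping this run"
    :error "parse failed"
}
:local currentmyip [:pick $result ($startLoc + 2) $endLoc]
:if ($currentmyip != $previousmyip) do={
    :log info "CHECKMYIP: public address changed to $currentmyip, re-keying"
    /ip ipsec remote-peers kill-connections
    :set previousmyip $currentmyip
}
```

The schedulers from the page can be kept unchanged; only the script sources and their policy field change. Because `previouspeerip` is updated last, a run that resolves the name but fails on the `set` (for example because no entry carries the expected comment) logs the error and repeats the attempt one minute later instead of waiting for the next address change.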



REMOTE WORK WITH OPENVPN


Allow your remote users to make calls through the OpenVPN feature of the AT620. This IP Phone connects to the enterprise OpenVPN server and establishes an encrypted tunnel between the user and the enterprise Asterisk server, so it can use all of the Asterisk server's voice over IP features as if it were physically connected to the company network: it is reachable through the internal dialplan, can place outbound calls over the enterprise trunks, join internal conferences, access internal voicemail, and so on.
The connection is authenticated and secured with a certificate installed on the AT620: the enterprise OpenVPN server verifies the phone's identity and protects the confidentiality of the traffic between the IP Phone and the enterprise network. The remote user only needs Internet access.