
Mikrotik: building IPsec VPN tunnels with dynamic-IP clients

I was migrating our network of VPN tunnels from D-Link DI-804HV units to Mikrotik. During the migration I ran into problems, and I will share the solution with you.

But first, the starting conditions.

Given: 192.168.0.0/21 is my local network; 192.168.112.0/24 is the remote office's LAN; yyyy is my public IP, and xxxx is the public IP of the remote office (dynamic).

Mikrotik server settings (the peer entry; the extracted text had lost the `=` signs after several keys, restored here):

    /ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="12345678" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp768 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Policy:

    /ip ipsec policy add src-address=192.168.0.0/21 src-port=any dst-address=192.168.112.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=yyyy sa-dst-address=0.0.0.0 comment=pobug

Installed SAs after the remote office (zzzz) connects (`/ip ipsec installed-sa print`; values that did not survive extraction are shown as `...`):

    0 E spi=... src-address=yyyy dst-address=0.0.0.0 auth-algorithm=none enc-algorithm=none replay=... state=larval add-lifetime=.../30s
    1 E spi=0x2010010 src-address=yyyy dst-address=zzzz auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature auth-key="sss" enc-key="fff" addtime=jun/10/2013 12:42:47 expires-in=7h41m33s add-lifetime=6h24m/8h current-bytes=240
    2 E spi=0xDBEA2D2 src-address=zzzz dst-address=yyyy auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature auth-key="sss" enc-key="fff" addtime=jun/10/2013 12:42:47 expires-in=7h41m33s add-lifetime=6h24m/8h current-bytes=3376

As a result, traffic in the opposite direction (from my network to the remote office) goes through SA number 0, the larval entry with dst-address=0.0.0.0, and not through the SA created dynamically when the client connects. I solved this problem for myself by using DDNS entries for the remote clients, resolving their IP and substituting it into the corresponding policy. DDNS was already configured on the remote routers.

Here is a script that resolves the IP address from the remote DDNS name and writes it into the desired policy. Since there are policies for several networks, each policy has been given a comment, and the script uses that comment to find the one it needs.

    :local nname "pobug"
    :log info "start $nname"
    :local newip [:resolve "lanlan69.zapto.org"]
    :local curip [/ip ipsec policy get [/ip ipsec policy find comment=$nname] sa-dst-address]
    :log info "newip = $newip"
    :log info "currentip = $curip"
    :if ($newip != $curip) do={
        :log info "ip $nname is $curip not $newip"
        /ip ipsec policy set [/ip ipsec policy find comment=$nname] sa-dst-address=$newip
        :log info "end $nname"
    }
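The script above covers one remote office and aborts if `:resolve` fails (a transient DNS error would then leave the scheduler run incomplete). The following is an added example, not code from the original post: it generalises the same idea to several offices kept in an array of policy comment to DDNS host name, catches resolve failures with `:do ... on-error`, and skips policies that are missing. The office names and host names are assumptions; it needs RouterOS v6 for `:do/on-error` and `:foreach key,value`.

```routeros
# Added example (not from the original post): refresh sa-dst-address for several
# remote offices from their DDNS names. Policy comment -> DDNS host (assumed values).
:local offices {"pobug"="lanlan69.zapto.org"; "office2"="office2.example.org"}

:foreach name,host in=$offices do={
    :local newip ""
    # :resolve throws on failure; keep the current peer address in that case
    :do {
        :set newip [:resolve $host]
    } on-error={
        :log warning "ipsec-ddns: cannot resolve $host for policy $name, keeping current address"
    }
    :if ([:typeof $newip] = "ip") do={
        :local pol [/ip ipsec policy find comment=$name]
        :if ([:len $pol] = 0) do={
            :log warning "ipsec-ddns: no policy with comment $name"
        } else={
            :local curip [/ip ipsec policy get $pol sa-dst-address]
            :if ($newip != $curip) do={
                :log info "ipsec-ddns: $name peer changed $curip -> $newip"
                /ip ipsec policy set $pol sa-dst-address=$newip
            }
        }
    }
}
```

Store it under `/system script` and call it from the same kind of scheduler entry as below; because it only writes when the resolved address differs, running it every few minutes does not churn the policy or the installed SAs.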

And we add the execution of this script to the scheduler (here the script is stored under the name lan112):

    /system scheduler add disabled=no interval=7m name=pobug on-event=lan112 policy=read,write,policy,test,sensitive start-date=jun/12/2013 start-time=08:11:19

If Mikrotik routers are used in the remote offices as well, a couple of scripts come in handy.

The script that writes the current IP on the remote side into the policy (in the extracted one-line version the `# ipsec` comment swallowed the `set` command that follows it; restored here as separate lines):

    :global lastip
    :local wanif "pppoe-out1"
    :if ([:typeof $lastip] = nil) do={ :global lastip "0" }
    :local wanip [/ip address get [/ip address find interface=$wanif] address]
    :if ([:typeof $wanip] = nil) do={
        :log info ("WANIP: no ip address on $wanif .")
    } else={
        # the address is stored as "a.b.c.d/len"; strip the prefix length
        :for i from=([:len $wanip] - 1) to=0 do={
            :if ([:pick $wanip $i] = "/") do={
                :set wanip [:pick $wanip 0 $i]
                :log info ("wan ip now is $wanip")
            }
        }
        :if ($wanip != $lastip) do={
            :log info ("Renew ipsec Policy: $wanif -> $wanip")
            # ipsec
            /ip ipsec policy set 0 sa-src-address=$wanip
            :global lastip $wanip
        }
    }
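The remote-side script above only touches policy 0 and relies on a global `lastip` to remember the previous address. As an added example, not code from the original post, the following variant updates every tunnel policy whose `sa-src-address` no longer matches the WAN address, so it is idempotent (safe to run from a scheduler or a PPPoE on-up event) and needs no stored state. The uplink name "pppoe-out1" is taken from the post; everything else is an assumption.

```routeros
# Added example (not from the original post): push the current WAN address into
# sa-src-address of all tunnel policies that still carry an old address.
:local wanif "pppoe-out1"
:local addrid [/ip address find interface=$wanif]

:if ([:len $addrid] = 0) do={
    :log warning "ipsec-wan: no address on $wanif, nothing to do"
} else={
    # /ip address stores "a.b.c.d/len"; keep the host part and convert to ip type
    # so the comparison below is ip-to-ip rather than string-to-ip
    :local raw [/ip address get [:pick $addrid 0] address]
    :local wanip [:toip [:pick $raw 0 [:find $raw "/"]]]

    :foreach pol in=[/ip ipsec policy find tunnel=yes] do={
        :local cur [/ip ipsec policy get $pol sa-src-address]
        :if ($cur != $wanip) do={
            :local cmt [/ip ipsec policy get $pol comment]
            /ip ipsec policy set $pol sa-src-address=$wanip
            :log info "ipsec-wan: policy $cmt sa-src-address $cur -> $wanip"
        }
    }
}
```

After a PPPoE reconnect the log shows one line per policy that was rewritten; a run with nothing to do logs nothing, which makes unexpected address changes easy to spot in `/log print where topics~"script"`.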

How to update a No-IP.com host from Mikrotik is described here: wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_No-IP_DNS

Source: https://habr.com/ru/post/267355/
