
IPsec from a MikroTik with a dynamic IP: how to deal with the policy?

I set up a tunnel to the office from a remote site - there it's an RB750UP (RouterOS 6.32) + Huawei 3372 with a grey (non-public) IP.

[admin@MikroTik] > ip ipsec peer pr
Flags: X - disabled, D - dynamic
 0   address=1.2.3.4/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="Passw0rd" generate-policy=port-override
     policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] > ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1     src-address=192.168.56.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address=100.70.160.234 sa-dst-address=1.2.3.4 proposal=prop_karz priority=0
 2     src-address=192.168.56.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address=100.70.160.234 sa-dst-address=1.2.3.4 proposal=prop_karz priority=0

[admin@MikroTik] > ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=192.168.56.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
 1   chain=srcnat action=accept src-address=192.168.56.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
 5   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway log=no log-prefix=""
 6   chain=srcnat action=masquerade out-interface=ppp-out2 log=no log-prefix=""

When the router with the modem is switched off for the weekend, the modem's IP changes and sa-src-address becomes stale. How do I get around this?

1. I think MikroTik can generate policies automatically, but it didn't work for me straight away; maybe I'm doing something wrong?

2. Or can I create some kind of loopback interface inside the MikroTik and route the tunnel through it?

UPD:

Hacked it with a script:

# current address of the modem's PPP interface, returned as "a.b.c.d/32"
:local localIP [/ip address get [find interface=ppp-out2] address]

# strip the "/prefix" part by scanning backwards for the slash
:for i from=( [:len $localIP] - 1) to=0 do={
    :if ( [:pick $localIP $i] = "/") do={ :set localIP [:pick $localIP 0 $i] }
}

# address currently used as sa-src-address in the policy tagged office_nets
:local ipsecIP [/ip ipsec policy get [find comment=office_nets] sa-src-address]

# if the modem got a new address, update the policy to match
:if ($ipsecIP != $localIP) do={
    log warning "Modem IP Changed"
    /ip ipsec policy set [find comment=office_nets] sa-src-address=$localIP
}

Edited by pukoid
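The same approach as the script in the post above, as an added example that is not the author's own code: it handles the two-policy layout shown in the `ip ipsec policy pr` output by iterating over every policy carrying the comment (the post's `get [find comment=...]` assumes exactly one match), and it skips the update when ppp-out2 currently has no address, so a half-reconnected modem cannot wipe sa-src-address. The interface name ppp-out2 and the comment office_nets are taken from the post; everything else is assumed.

```routeros
# Added example, not from the original post. Assumes the modem interface is
# ppp-out2 and the office policies carry comment "office_nets" (as in the post).
:local addrId [/ip address find interface=ppp-out2]

:if ([:len $addrId] = 0) do={
    # modem is down or still negotiating: leave the policies as they are
    :log warning "ppp-out2 has no address; IPsec policies left untouched"
} else={
    # address is returned as "a.b.c.d/32"; cut off the prefix length
    :local localIP [/ip address get $addrId address]
    :local slash [:find $localIP "/"]
    :if ([:typeof $slash] != "nil") do={
        :set localIP [:pick $localIP 0 $slash]
    }

    # update every policy tagged office_nets whose SA source is stale
    :foreach pol in=[/ip ipsec policy find comment="office_nets"] do={
        :local current [/ip ipsec policy get $pol sa-src-address]
        :if ("$current" != "$localIP") do={
            :log warning ("Modem IP changed: " . $current . " -> " . $localIP)
            /ip ipsec policy set $pol sa-src-address=$localIP
        }
    }
}
```

Run it from the scheduler every minute or so, or from the PPP profile's on-up script, so the policy is corrected as soon as the modem comes back with a new address.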
