
IPsec from a MikroTik with a dynamic IP. How to deal with the policy?

I set up a tunnel from a remote site to the office: on the remote side there is an RB750UP (RouterOS 6.32) plus a huawei3372 modem with a private (grey) IP.

[admin@MikroTik] > ip ipsec peer pr
Flags: X - disabled, D - dynamic
 0   address=1.2.3.4/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="Passw0rd" generate-policy=port-override
     policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] > ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1     src-address=192.168.56.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address=100.70.160.234 sa-dst-address=1.2.3.4 proposal=prop_karz priority=0
 2     src-address=192.168.56.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address=100.70.160.234 sa-dst-address=1.2.3.4 proposal=prop_karz priority=0

[admin@MikroTik] > ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=accept src-address=192.168.56.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
 1    chain=srcnat action=accept src-address=192.168.56.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
 5    ;;; default configuration
      chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway log=no log-prefix=""
 6    chain=srcnat action=masquerade out-interface=ppp-out2 log=no log-prefix=""

When the router with the modem is switched off for the weekend, the modem gets a new IP and sa-src-address becomes stale. How do I deal with this?

1. It seems a MikroTik can generate policies automatically, but it did not work for me out of the box; maybe I am missing something?

2. Or can I create some kind of loopback interface inside the MikroTik and route the tunnel through it?

UPD:

Fixed it with a script:

# Read the address of the PPP (modem) interface, e.g. "100.70.160.234/32"
:local localIP [/ip address get [find interface=ppp-out2] address]

# Strip the "/prefix" part by scanning backwards for the slash
:for i from=( [:len $localIP] - 1) to=0 do={
    :if ( [:pick $localIP $i] = "/") do={ :set localIP [:pick $localIP 0 $i] }
}

# Compare with the sa-src-address currently set on the office policy
:local ipsecIP [/ip ipsec policy get [find comment=office_nets] sa-src-address]

# Rewrite the policy only when the modem address has actually changed
:if ($ipsecIP != $localIP) do={
    /log warning "Modem IP Changed"
    /ip ipsec policy set [find comment=office_nets] sa-src-address=$localIP
}
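The following is an added example, not the poster's script, that generalises the same fix to every policy pointing at the office peer and handles the case where the PPP link is down at the moment the script runs (otherwise `get` on an empty `find` result aborts the script and nothing is logged). It assumes the uplink is ppp-out2 and the office peer is 1.2.3.4, as in the printouts above; the script name ipsec-sa-update is an assumption too.

```routeros
# Added example (not the original poster's code): refresh sa-src-address on
# every policy towards the office peer when the PPP address changes.
# Assumptions: uplink interface ppp-out2, office peer 1.2.3.4.
:local uplink "ppp-out2"
:local peer "1.2.3.4"

# If the modem is down there is no address on the PPP interface; leave quietly
# instead of letting "get" fail on an empty result.
:local addrIds [/ip address find interface=$uplink]
:if ([:len $addrIds] = 0) do={
    :log info "ipsec-sa-update: $uplink has no address, skipping"
    :error "uplink down"
}

# Take the first address and strip the prefix length:
# "100.70.160.234/32" -> "100.70.160.234"
:local localIP [/ip address get [:pick $addrIds 0] address]
:local slash [:find $localIP "/"]
:if ([:typeof $slash] != "nil") do={
    :set localIP [:pick $localIP 0 $slash]
}

# Walk every non-template policy whose SA destination is the office peer
# and rewrite only the ones whose SA source no longer matches the modem IP.
:foreach id in=[/ip ipsec policy find sa-dst-address=$peer template=no] do={
    :local current [/ip ipsec policy get $id sa-src-address]
    :if ($current != $localIP) do={
        :log warning "ipsec-sa-update: sa-src-address $current -> $localIP"
        /ip ipsec policy set $id sa-src-address=$localIP
    }
}
```

Save it under /system script as ipsec-sa-update and run it periodically, for example `/system scheduler add name=ipsec-sa-update interval=1m on-event=ipsec-sa-update`, so the policies are corrected within a minute of the modem coming back with a new address. Logging the old and new address on every rewrite also gives a simple audit trail of when the SA endpoint moved.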

Edited by pukoid
