Can We Configure VPN With Dynamic IP Public - MUM

Can We Configure a VPN With a Dynamic Public IP on Both Sides?
Mikrotik User Meeting
Turkey 2014
By Mochamad Asnul Bahar Arief
About me
• Mochamad Asnul Bahar Arief
• Jakarta, Indonesia
• PT.UFOAKSES SUKSES LUARBIASA
• Technical Director
• MTCNA, MTCWE, MTCTCE
Statistic
• Most of them have a dynamic IP
• Most of them need a VPN
Solution
1. Lease a dynamic DNS service (DynDNS, NoIP), about 25$/year.
On RouterOS version 6.11 it is possible, for PPTP and L2TP, to fill in the
connect-to field with a domain name instead of an IP address.
2. Router-to-router communication (free).
Knowledge Requirement
• VPN-Tunnel
• Static routing
• Command-Line
• Fetch-Tool
• Scripting ( Scripts Repository + Scheduler )
http://wiki.mikrotik.com/wiki/Manual:Scripting
- Global Scope & Variable
- Local Scope & Variable
- Global Commands
- Common Commands
- Print Commands
- Conditional Statement
- Logical Operators
What is necessary for a PPTP, SSTP or L2TP client configuration?
• User
• Password
• Connect-to (the IP address of the PPTP server)
Case
(three diagram slides; images not reproduced in this text)
The Idea
(four diagram slides; images not reproduced in this text)
Implement The Idea with Scripts
• Both routers are configured with PPTP
• Both routers have a dynamic IP on ether2
• Set up the NTP client
• Create the scripts in the script repository
• Execute the scripts with the scheduler
Script Router-B (Send IP)
Execute this script just once, manually (without the scheduler).
(script shown as a screenshot; not reproduced in this text)
Router-B
• On the Files menu, ROUTER-B.txt will appear
• On the Files menu of Router-A, ROUTER-B.txt will appear
Script Router-B (update)
# Runs from the scheduler. When Router-A has uploaded a fresh ROUTER-A.txt,
# read Router-A's new public address out of it and point the PPTP client at it.
:global currentTime;
{
  # creation-time of the received file; every new upload changes it
  :local a [/file get ROUTER-A.txt creation-time];
  :if ($a != $currentTime) do={
    :log info message="update ROUTER-A.txt";
    :local b [/file get ROUTER-A.txt contents];
    :local c [:len $b];
    # the file is the text output of "/ip address print"; the address column
    # (e.g. "1.2.3.4/24") is assumed to start at character offset 200
    :local d [:pick $b 200 217];
    # keep only the part before the "/" (drop the prefix length)
    :local e [:find $d "/"];
    :local f [:pick $d 0 $e];
    :set currentTime $a;
    :put [/interface pptp-client set numbers=0 connect-to=$f];
  } else={
    :log info message="There is no update from ROUTER-A.txt"
  };
}
Script Router-B (check-IP)
# Runs from the scheduler. When the address on ether2 changes, write it to
# ROUTER-B.txt and upload that file to Router-A's FTP server.
:global currentIP;
{
  # current address on the WAN interface, with prefix length (e.g. 1.2.3.4/24)
  :local d [/ip address get [find interface="ether2"] address];
  :if ($d != $currentIP) do={
    :log info message="IP has changed from $currentIP to $d";
    :set currentIP $d;
    # write the address table entry for ether2 to the file ROUTER-B.txt
    :local a [/ip address print file=ROUTER-B where interface="ether2"];
    # Router-A's public IP is the PPTP client's current connect-to value
    :local b [/interface pptp-client get number=0 connect-to];
    # upload the file to Router-A over FTP (admin user with empty password, as on the slide)
    :put [/tool fetch address=$b src-path=ROUTER-B.txt dst-path=ROUTER-B.txt mode=ftp port=21 user=admin password="" upload=yes keep-result=yes];
  } else={
    :log info message="Public IP is still the same"
  };
}
ROUTER-B (executed by the scheduler)
(scheduler configuration shown as a screenshot; not reproduced in this text)
Script ROUTER-A (Send IP)
Execute this script just once, manually (without the scheduler).
(script shown as a screenshot; not reproduced in this text)
ROUTER-A
• On the Files menu, ROUTER-A.txt and ROUTER-B.txt will appear
• On the Files menu of ROUTER-B, ROUTER-A.txt and ROUTER-B.txt will appear
Script ROUTER-A (Check-IP)
# Runs from the scheduler. When the address on ether2 changes, look up
# Router-B's public IP in the ROUTER-B.txt it sent us, write our own address
# to ROUTER-A.txt and upload that file to Router-B's FTP server.
:global currentIP;
{
  # current address on the WAN interface, with prefix length (e.g. 1.2.3.4/24)
  :local a [/ip address get [find interface="ether2"] address];
  :if ($a != $currentIP) do={
    :log info message="IP has changed from $currentIP to $a";
    :local b [/file get ROUTER-B.txt contents];
    :local c [:len $b];
    # the file is the text output of "/ip address print" on Router-B; the
    # address column is assumed to start at character offset 200
    :local d [:pick $b 200 217];
    # keep only the part before the "/" (drop the prefix length)
    :local e [:find $d "/"];
    :local f [:pick $d 0 $e];
    # write our address table entry for ether2 to ROUTER-A.txt
    :local g [/ip address print file=ROUTER-A where interface=ether2];
    # upload it to Router-B over FTP (admin user with empty password, as on the slide)
    :local h [/tool fetch address=$f src-path=ROUTER-A.txt dst-path=ROUTER-A.txt mode=ftp port=21 user=admin password="" upload=yes];
    :set currentIP $a;
    # neither command returns a value, so this prints nothing useful
    :put ($g+$h);
  } else={
    :log info message="IP is still the same"
  };
}
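The same scheme as the four scripts above and the setup list on the "Implement The Idea" slide, written out as an added example. This is editor-supplied code, not the presenter's scripts. It keeps the idea (each router publishes its ether2 address in a file, uploads the file to the peer over FTP, and the router that dials the tunnel reads the peer's file to refresh connect-to) but the file carries only the bare IP, so no fixed-offset :pick is needed, the value is checked with :toip before it is used, and the upload uses a dedicated ftp-only account instead of admin with an empty password. The interface name ether2, the PPTP client name pptp-out1, the script names publish-ip and follow-peer, the user name peer-ftp and every value written as <...> or in 192.0.2.0/24 are assumptions or placeholders.

```routeros
# Added example (editor-supplied, not the presenter's scripts).
# Assumed names: WAN interface ether2, PPTP client pptp-out1, scripts
# publish-ip / follow-peer, files ROUTER-A.txt / ROUTER-B.txt.
# <...> values and 192.0.2.x addresses are placeholders to replace.

# ---- script "publish-ip" (this copy is for Router-A; swap the two names on Router-B) ----
:global lastPublished
:local myName "ROUTER-A"
:local peerFile "ROUTER-B.txt"
:local addr [/ip address get [find interface="ether2"] address]
# drop the prefix length: "1.2.3.4/24" -> "1.2.3.4"
:local ip [:pick $addr 0 [:find $addr "/"]]
:if ($ip != $lastPublished) do={
  # "print file=" creates or overwrites ROUTER-A.txt; then replace its body with the bare IP
  /file print file=$myName
  :delay 1s
  /file set [find name="$myName.txt"] contents=$ip
  # the peer's public IP is whatever it last sent us
  :local peer ""
  :if ([:len [/file find name=$peerFile]] > 0) do={
    :set peer [/file get [find name=$peerFile] contents]
  }
  :if ([:typeof [:toip $peer]] = "ip") do={
    /tool fetch address=$peer mode=ftp port=21 user="peer-ftp" password="<FTP_PASSWORD>" src-path="$myName.txt" dst-path="$myName.txt" upload=yes
    :set lastPublished $ip
    :log info "publish-ip: sent $ip to $peer"
  } else={
    :log warning "publish-ip: no valid peer address in $peerFile; will retry on the next run"
  }
} else={
  :log info "publish-ip: public IP unchanged ($ip)"
}

# ---- script "follow-peer" (Router-B only, the side that dials the tunnel) ----
:global lastPeerTime
:local peerFile "ROUTER-A.txt"
:if ([:len [/file find name=$peerFile]] = 0) do={
  :log warning "follow-peer: $peerFile not received yet"
} else={
  # a fresh upload from the peer changes the file's creation-time
  :local t [/file get [find name=$peerFile] creation-time]
  :if ($t != $lastPeerTime) do={
    :local peer [/file get [find name=$peerFile] contents]
    :if ([:typeof [:toip $peer]] = "ip") do={
      /interface pptp-client set [find name="pptp-out1"] connect-to=$peer
      :set lastPeerTime $t
      :log info "follow-peer: connect-to is now $peer"
    } else={
      :log warning "follow-peer: $peerFile does not hold a valid IPv4 address; connect-to left unchanged"
    }
  }
}

# ---- one-off setup, typed at the terminal on each router ----
# the creation-time comparison in follow-peer needs a correct clock (RouterOS 6 syntax)
/system ntp client set enabled=yes primary-ntp=192.0.2.123
# dedicated FTP-only account for the peer instead of admin with an empty password
/user group add name=ftp-only policy=ftp
/user add name=peer-ftp group=ftp-only password="<FTP_PASSWORD>"
# the two scripts are stored in /system script under these names; run them every minute
/system scheduler add name=publish-ip interval=1m start-time=startup on-event=publish-ip
/system scheduler add name=follow-peer interval=1m start-time=startup on-event=follow-peer
```

The two script bodies go into the script repository under the names publish-ip and follow-peer; the setup lines are typed once at the terminal. The first scheduler run after a reboot finds the global variables empty, so it publishes the current address immediately, which matches the "execute once manually" step on the slides. On RouterOS 7 the NTP client is configured with servers= instead of primary-ntp=.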
ROUTER-A (executed by the scheduler)
(scheduler configuration shown as a screenshot; not reproduced in this text)
Security Issue
• It is a dynamic IP, so how can you tell the FTP connection from the trusted router apart from any other?
- Label the FTP connection just before it leaves the router by changing the DSCP value in mangle.
ROUTER-A (mangle)
(rule shown as a screenshot; not reproduced in this text)
ROUTER-B (mangle)
(rule shown as a screenshot; not reproduced in this text)
ROUTER-B (filter rule)
(two slides; rules shown as screenshots, not reproduced in this text)
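The DSCP labelling described on the "Security Issue" slide, as an added example in RouterOS terminal syntax. The slides show the mangle and filter rules only as screenshots, so these rules are editor-supplied, not the presenter's own configuration. Router-A labels its own outgoing FTP control connection just before it leaves ether2, and Router-B accepts new FTP connections from the Internet only when that label is present; the mirror rules (Router-B labelling, Router-A filtering) are the same with the roles swapped. The DSCP value 40, FTP on port 21 and the interface name ether2 are assumptions.

```routeros
# Added example (editor-supplied; not the slides' own rules).
# Assumptions: DSCP label 40, FTP control port 21, WAN interface ether2.

# ---- Router-A: label the FTP upload to the peer on its way out ----
/ip firewall mangle add chain=output out-interface=ether2 protocol=tcp dst-port=21 action=change-dscp new-dscp=40 passthrough=yes comment="label FTP control connection to peer router"

# ---- Router-B: filter FTP arriving on the WAN side ----
# replies and the FTP data connection (tracked by the ftp helper) count as established/related
/ip firewall filter add chain=input in-interface=ether2 connection-state=established,related action=accept comment="established/related"
# a new FTP connection is accepted only when it carries the label
/ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=21 connection-state=new dscp=40 action=accept comment="FTP upload from peer router (DSCP label)"
# everything else that tries FTP from the Internet is dropped
/ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=21 action=drop comment="any other FTP from the Internet"

# ---- verification: watch the counters while the peer uploads ----
/ip firewall mangle print stats
/ip firewall filter print stats where chain=input
```

Two things to keep in mind when using this. DSCP is six cleartext bits in the IP header: any sender can set them, and transit networks frequently rewrite them to 0, so the label separates the peer's uploads from casual scanning but is not authentication; the FTP account and its password remain the real access control, and a failed upload after an ISP change is the first thing to check when the counters on the accept rule stop increasing. The data connection is only matched as related if the ftp helper is enabled under /ip firewall service-port, which it is by default.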
• Advantage
- Fast response
• Disadvantage
- The peer can only be reached by its IP address
- If both routers change IP at the same time, the admin must update the IP address manually
Thank You
Contact Detail
Mochamad Asnul Bahar Arief
PT.UFOAKSES SUKSES LUARBIASA
Tel : +62 7257577
Email : anuno@ufoakses.co.id
FB : napst3r_org@yahoo.com
Website : www.ufoakses.co.id