Announcements • Re: v7.14.1 [stable] is released!

$
0
0
You can only identify different peers before starting parameter negotiation when using exchange mode "aggressive" instead of the default "main". That will again be a problem when you want to abide by the rules of several different client OSes.
RouterOS decides which peer configuration to use based on the initiator IP (and its own interface IP) from top to bottom.
The associated P1 configuration(profile) has to match the initiator's proposal.
In this scenario, the P1 configuration is the result of the selection process and not an input parameter.
What I mean is: identify different peers that are all on dynamic addresses (so remote IP has to be 0.0.0.0/0).

Of course when peers are static you can make peer-specific configuration, but when you have road warriors of different OS types, you will have a problem because all of them have to work with the same profile, which may be unacceptable for one of them.
(because OS maintainers arbitrarily "deprecated" certain modes, while others may not support the required modes).

You are correct that local interface IP is another factor in deciding which profile to use, so when you have multiple IP addresses you can often work around this issue.

Having multiple options in the same profile is not always a solution, because e.g. PFS group can have only one value, and also because some OSes simply fail when there are modes in the profile that they do not know about (some bug in the selection mechanism).

All of this is not a RouterOS issue, it is more of an IPsec issue combined with overzealous "security improvements" by OS maintainers.

Statistics: Posted by pe1chl — Fri Mar 22, 2024 11:05 am
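The workaround mentioned in the post (using a second local interface address so that two dynamic-address peers land on different profiles) as an added RouterOS v7 configuration example; this is not pe1chl's code and assumes two public router addresses 198.51.100.10 and 203.0.113.10, the names rw-os-a/rw-os-b, and placeholder pre-shared keys.

```routeros
# Added example (not from the post): two IKEv1 main-mode road-warrior peers,
# both with address=0.0.0.0/0, told apart only by the router address they hit.
# RouterOS matches peers top to bottom on initiator IP and local interface IP,
# so each client OS gets its own local-address and therefore its own profile.
# Addresses, names and the PSK values are constructed placeholders.

# Profile for clients that require DH group modp2048
/ip ipsec profile add name=rw-os-a enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=yes

# Profile for clients that only accept ecp256 (mixing groups in one profile
# trips the selection bug the post describes, so keep one group per profile)
/ip ipsec profile add name=rw-os-b enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=ecp256 nat-traversal=yes

# Each peer listens on a different router address; the first match wins
/ip ipsec peer add name=rw-os-a address=0.0.0.0/0 local-address=198.51.100.10 \
    exchange-mode=main passive=yes profile=rw-os-a
/ip ipsec peer add name=rw-os-b address=0.0.0.0/0 local-address=203.0.113.10 \
    exchange-mode=main passive=yes profile=rw-os-b

# Phase 2: pfs-group is single-valued, hence one proposal per peer type
/ip ipsec proposal add name=rw-os-a auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec proposal add name=rw-os-b auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=ecp256

# One policy template group per peer so generated policies use the right proposal
/ip ipsec policy group add name=rw-os-a
/ip ipsec policy group add name=rw-os-b
/ip ipsec policy add group=rw-os-a template=yes src-address=0.0.0.0/0 \
    dst-address=0.0.0.0/0 proposal=rw-os-a
/ip ipsec policy add group=rw-os-b template=yes src-address=0.0.0.0/0 \
    dst-address=0.0.0.0/0 proposal=rw-os-b

# Identities bind the PSK and the template group to each peer; with main mode
# all clients behind one peer necessarily share that peer's PSK
/ip ipsec identity add peer=rw-os-a auth-method=pre-shared-key \
    secret="CHANGE-ME-PSK-A" generate-policy=port-strict policy-template-group=rw-os-a
/ip ipsec identity add peer=rw-os-b auth-method=pre-shared-key \
    secret="CHANGE-ME-PSK-B" generate-policy=port-strict policy-template-group=rw-os-b
```

Mode-config address pools and the firewall rules for UDP 500/4500 and ESP are omitted; the listing shows only the parts that drive peer and profile selection.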