 
Juwei
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun May 28, 2006 8:19 pm

IPSEC using preshared key without ip-pairing (email address)

Tue Feb 23, 2010 12:23 am

Hello all!

For a router replacement we need to connect with IPsec to a remote bintec router.
The problem is that the remote router is configured to use email identity authentication (proto esp, 3des, md5).
Instead of authenticating by the IP pair of both SAs, this one is using an email address plus the preshared key.

But in MikroTik it does not seem to be possible to configure such a case.

Any help and tips would be appreciated...

With best regards,
Juergen
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IPSEC using preshared key without ip-pairing (email address)

Tue Feb 23, 2010 12:35 am

I don't think you can.

However, going through the bintec manual it seems like you should be able to add a new phase 1 profile there and set the local ID type to IPv4. That should not affect pre-existing VPN configuration but allow you to use IPv4 as peer ID between the bintec and the MikroTik device.
 
Juwei
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun May 28, 2006 8:19 pm

Re: IPSEC using preshared key without ip-pairing (email address)

Tue Feb 23, 2010 12:41 am

Thank you, that was what I thought - hopefully the technician on the other side will cooperate ;)

Anyhow, do you know if it's possible to have only one static IP address for successful IPsec tunnelling?

I.e.

[dynamic ip] <=> {internet} <=> [static ip]

MikroTik is the dynamic IP, the bintec has the static.

Now the bintec doesn't know the other's SA-IP-Address. Just 0.0.0.0, like I am using in MikroTik for SA Src. Address.
I will give it a try with 0.0.0.0 but I am not sure if this will work.
If you have the answer, I don't need to rush the other technician ;)

Otherwise I will write a simple SA Src. Address update script checking every minute if the IP address has changed.

Thank you.
Juergen
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IPSEC using preshared key without ip-pairing (email address)

Tue Feb 23, 2010 12:43 am

Never used bintec (had never heard of them before your post), but yeah, that would work in most IPsec implementations.
 
Juwei
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun May 28, 2006 8:19 pm

Re: IPSEC using preshared key without ip-pairing (email address)

Tue Feb 23, 2010 12:48 am

Thank you.
As far as I found, the email address or domain name implementation of the authenticator is some special thing.
But bintec is not the only one using this; I also found it in some Cisco manuals.

However, I prefer to use the IP pairing for src/dst on static IP addresses on both sides, which is the most secure way. :)
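
Added example (not from any poster in this thread, and not MikroTik or bintec code): the two identity styles discussed above, an IP address versus an email address, travel in the IKE phase 1 Identification payload as different ID types defined in RFC 2407. The Python below decodes such a payload and reports a type mismatch against the locally configured identity; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# ID type numbers from the IPsec DOI, RFC 2407 section 4.6.2.1
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            5: "ID_IPV6_ADDR", 11: "ID_KEY_ID"}
ADDR_LEN = {1: 4, 5: 16}  # fixed data length for the address types


def build_id_payload(id_type: int, data: bytes) -> bytes:
    """Build a constructed sample payload (generic header + ID header + data)."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, 0, 0) + data


def parse_id_payload(payload: bytes) -> dict:
    """Decode one Identification payload; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte header")
    _next, _rsvd, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("length field does not fit the buffer")
    data = payload[8:length]
    if id_type in ADDR_LEN:
        if len(data) != ADDR_LEN[id_type]:
            raise ValueError("address ID with wrong data length")
        value = str(ipaddress.ip_address(data))
    elif id_type in (2, 3):  # FQDN and user@FQDN (email style) are text
        value = data.decode("ascii", errors="replace")
    else:
        value = data.hex()
    return {"type": ID_TYPES.get(id_type, f"unknown({id_type})"), "value": value,
            "protocol": proto, "port": port}


def id_mismatch(parsed: dict, want_type: str, want_value: str):
    """Return a reason string if the peer ID differs from the configured one, else None."""
    if parsed["type"] != want_type:
        return f"peer sends {parsed['type']}, local side expects {want_type}"
    if parsed["value"].lower() != want_value.lower():
        return f"{want_type} value differs: {parsed['value']!r}"
    return None


# Constructed samples: an email style ID and an IPv4 ID (documentation address).
EMAIL_ID = build_id_payload(3, b"vpn@example.com")
IPV4_ID = build_id_payload(1, ipaddress.IPv4Address("192.0.2.10").packed)

if __name__ == "__main__":
    for sample in (EMAIL_ID, IPV4_ID):
        parsed = parse_id_payload(sample)
        print(parsed, "->", id_mismatch(parsed, "ID_IPV4_ADDR", "192.0.2.10"))
```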
