neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Simple road-warrior VPN configuration questions

Sun May 13, 2012 3:51 am

Story: want to configure our RB1100AH as a VPN server so our international employees can "road warrior" in to the main office in the US.

Old Solution: we had a pure IPSec VPN (backed by racoon) running on a rather whacked out Netgear FVX538. RWs used Shrew to connect, were not restricted by their IP address and ended up getting an IP address in a mode config pool outside our internal network but somehow magically routed in. I have no access to the actual configurations on this router (it's got some weirdo custom shell, like RouterOS, that I can't back out of) and the Web UI bears only a passing resemblance to the IPSec Tools documentation.

Potential New Solutions: for those using Windows, SSTP would work fine or, at a pinch, L2TP/IPSec (although I had trouble reading the "L2TP/IPSec and Windows XP" article on the wiki; it has a suggestion about using 0.0.0.0/0 as an IP address to get around the dynamic IP issue, but RouterOS refuses to accept it as valid). The Linux guys can use Shrew as well. If possible though I'd like to continue using a pure IPSec VPN. We would dearly, dearly love for it to work on our iPhones and iPads too, since connecting in and managing the servers by remote or accessing the VoIP system from outside in a secure manner would be appreciated by all. PPTP is out, and OpenVPN is definitely not even close to a preferred solution due to the difficulty of making it work for many users running Windows, VMware or VirtualBox and the interaction of the OpenVPN bridge with the VMware bridge networking drivers (case in point: it breaks VMware networking totally just by being installed for some reason, and no amount of restricting adapters or changing vmnetcfg settings makes it work).

The question is, how on earth do we get that to work? Given the IPSec suggestions in the manual are basically non-working by default in that I get a flurry of syntax error kind of warnings trying to enter values it's telling me to enter, I would really appreciate some help and basically a quick tutorial on how this would work. Everything I can find online as an example is entirely focused on site-to-site tunnels, and we need something a bit more dynamic like we had with the Netgear.

Thanks for any help you guys can give (and if it works I will definitely be writing this up as an article or blog post somewhere, since it doesn't seem to exist on the internet as of now). We are a fairly technical bunch here (Linux kernel developers, electronics engineers), so having to configure a VPN connection through config files and so on is not beyond us on the client side, but I need help on the RouterOS side of things. Again we're confounded by subtle differences between RouterOS config items and the way we know the backend software RouterOS is based on operates. :)
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Simple road-warrior VPN configuration questions

Sun May 13, 2012 5:48 pm

We ended up buying an ASA for this kind of thing. Currently, a fully-featured road-warrior VPN setup does not seem to be possible on RouterOS at all.

For the pure IPsec solution RouterOS lacks mode-cfg. Additionally it is not possible to validate the client's internal address before a (dynamic) policy is generated. And there are no means in the firewall to check if a particular packet was received from the IPsec tunnel or not, which is really required since the policy is generated dynamically in the road-warrior case. Otherwise it would have been perfectly possible to use Shrew client with RouterOS.

Besides IPsec, the best choice from what RouterOS offers is OpenVPN. All other solutions do not support split-tunnel, split-dns and/or require a lot of effort to set up the client.
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Simple road-warrior VPN configuration questions

Wed May 16, 2012 10:11 am

Ok, OpenVPN it is then...

Thanks for the advice.

I hope Mikrotik are paying attention; I'd say a router without industry-standard VPN and tunnelling features is not worth buying. Considering I can do this on a Linux box just fine, and RouterOS is built on Linux, it seems odd not to expose it properly.
