Did you mean that row will not work if MT is acting as responder? Yes, that's what I had in mind. The value of my-id is used as the ID the local peer sends to the remote one to identify itself, the values of remote-id of the individual identity rows are matched to the ID provided by the remote peer in...
@td32, I assume you had in mind to set, in the /ip ipsec identity row at the Mikrotik serving as initiator (client), my-id=key-id:the-group-ID. So this addresses the OP. Do you also have an idea how to make the embedded Windows client use the groupID in L2TP/IPsec mode as @Normie requires? Did you...
Thanks, will try. It may be a solution for Mac clients.
For Windows clients you are right - the Windows embedded L2TP/IPsec client does not work with tunnel groups, sad but true.
It’s a pity that professional MT doesn’t do the same thing that a home Zyxel Keenetic (although it has huge problems in implementing IKEv2) or Xiaomi can do. I really need different shared secrets, because groups of remote users should know absolutely nothing about each other. Then the best option...
It’s impossible to set ipsec identities with different shared secrets on the same peer, and if you are setting up a Road Warrior scheme (with ip-undefined remote users and MT as responder) you have 1 “universal” peer with address ::/0, so you can’t set different secrets for grouping remote peers. The above u...
Looks like it’s not possible, even with “pure” IPSec XAuth or L2TP/IPSec, unfortunately. IPSec’s implementation is vendor-specific and MT’s version doesn’t have a “group name” parameter, so leave it blank on the client side, or it will not work. Also, it’s impossible to set ipsec identities with different ...