I would like to build a chain of firewall rules, then assign that chain to road-warrior VPN clients that authenticate with IKEv2 and are thus identified by the IPsec identity, and thus by the IPsec mode-config.
What would be great is if the src-address-list attribute on IPsec mode-config worked in responder mode. That way I can identify a specific user/key in the IPsec identity, attach them to a specific mode-config which will assign them to a specific src-address-list, which I can reference in my firewall rules.
As it looks today, the only way to do this is to assign static IP addresses or specific pools of IP addresses to the mode-config, then match on that IP or pool in the firewall.
Did I get this right? Is there a better way to do it?
MikroTik, please add support for a way to conveniently identify specific IPsec peers in the firewall rules.
Thanks,
schu
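The workaround described in the post, written out as an added example (not schu's configuration and not MikroTik documentation): each identity gets its own mode-config backed by a single-address pool, so the client's inner address is fixed and the firewall can key on it. The peer, user, certificate, address and chain names below are assumptions.

```routeros
# Assumed names: peer "ike2-rw", users alice/bob, addresses in 10.99.0.0/16,
# server certificate "vpn-server", per-client chains "vpn-alice"/"vpn-bob".

# One single-address pool per client, so the address mode-config hands out is predictable
/ip pool
add name=pool-alice ranges=10.99.1.2
add name=pool-bob   ranges=10.99.1.3

# One mode-config per client; address-prefix-length=32 assigns exactly that host address
/ip ipsec mode-config
add name=cfg-alice address-pool=pool-alice address-prefix-length=32
add name=cfg-bob   address-pool=pool-bob   address-prefix-length=32

# Responder-side peer for road warriors (IKEv2, passive)
/ip ipsec peer
add name=ike2-rw exchange-mode=ike2 passive=yes

# Identities are matched by the client certificate's remote-id and each points at its own mode-config
/ip ipsec identity
add peer=ike2-rw auth-method=digital-signature certificate=vpn-server \
    match-by=remote-id remote-id=user-fqdn:alice@example.com \
    mode-config=cfg-alice generate-policy=port-strict
add peer=ike2-rw auth-method=digital-signature certificate=vpn-server \
    match-by=remote-id remote-id=user-fqdn:bob@example.com \
    mode-config=cfg-bob generate-policy=port-strict

# Static address lists mirror the pinned addresses (maintained by hand, not by mode-config)
/ip firewall address-list
add list=vpn-alice address=10.99.1.2 comment="pinned by cfg-alice"
add list=vpn-bob   address=10.99.1.3 comment="pinned by cfg-bob"

# Per-client chains with only the access that client needs, then a default drop.
# ipsec-policy=in,ipsec ensures the packet really arrived decrypted from the tunnel,
# so a LAN host spoofing 10.99.1.2 as its source does not inherit alice's rules.
/ip firewall filter
add chain=vpn-alice dst-address=192.168.10.10 protocol=tcp dst-port=22 action=accept
add chain=vpn-alice action=drop
add chain=vpn-bob   dst-address=192.168.20.0/24 action=accept
add chain=vpn-bob   action=drop
add chain=forward src-address-list=vpn-alice ipsec-policy=in,ipsec action=jump jump-target=vpn-alice
add chain=forward src-address-list=vpn-bob   ipsec-policy=in,ipsec action=jump jump-target=vpn-bob
```

Because the address list is static, adding a client means adding a pool, a mode-config, an identity and an address-list entry together; if any one is missed, that client falls through to whatever the rest of the forward chain allows.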