Greetings everyone!
I’ve encountered an issue that, in my opinion, falls within MikroTik’s area of responsibility.
So, we have an RB3011 running firmware 7.20.6 and a ZTE G5B modem purchased from the local operator KCELL, operating behind Carrier-Grade NAT.
This ZTE G5B is not the best device for my task; nevertheless, it is a 5G modem with IPSec support for $30. The configuration options on this modem are minimal:
Service IP: 203.0.113.250
Preshared password: jG7yW8iV3cZ7uO4
Dest. IP Address: 192.168.2.0
Dest. Subnet Mask: 24
Enable advanced configuration: true
IKE Protocol: IKE V2
First stage encryption algorithm: aes
First stage authentication algorithm: sha1
Phase I DH group: 2048 bit
Second stage encryption algorithm: aes
Second stage authentication algorithm: sha1
Auto Connect: false
These are all the available settings!
The local network interface of this modem has the address: 192.168.0.1/24
After configuring it and reviewing the exchange log, we find the following entries:
Dec/05/2025 18:46:30 ipsec processing payload: ID_I
Dec/05/2025 18:46:30 ipsec ID_I (ADDR4): 192.168.0.0
Dec/05/2025 18:46:30 ipsec processing payload: ID_R (not found)
Dec/05/2025 18:46:30 ipsec processing payload: AUTH
Dec/05/2025 18:46:30 ipsec,error identity not found for peer: ADDR4: 192.168.0.0
Dec/05/2025 18:46:30 ipsec reply notify: AUTHENTICATION_FAILED
This is despite the fact that the Identity looks as follows:
/ip/ipsec/identity> export
add generate-policy=port-strict my-id=address:203.0.113.250 peer=ZTE_G5B policy-template-group=ZTE_G5B remote-id=address:192.168.0.0
Why does RouterOS ignore this Identity and refuse the device’s connection?
Does it strictly verify the actual remote IP address against the one specified in the remote-id?