Hello, thanks for replying.
Cert-only authentication requires that you have the device's own certificate and the CA certificate of the remote IPsec responder (server) installed; if you want to match the certificate of a particular responder, not just any responder with a valid certificate signed by the same CA, you also need to install (import) the certificate of that responder. The own certificate must have its private key installed; the other one(s) must not.
Do I get this right: MikroTik must have the public and private key of its own cert and the public key of the CA that issues MikroTik's cert? MikroTik's own cert (public + private) makes sense to me, but I never thought that RouterOS would also need a CA cert (public part). Thanks, I will make sure to import that too.
I assume Always On VPN is a client-to-site setup, i.e. the responder dynamically assigns a single IP address to the initiator, is that correct?
It is correct.
If so, you need to create a copy of the pre-configured mode-config row with type=request-only, and set src-address-list and/or connection-mark items to tell the router which LAN traffic to send via the IPsec tunnel, and set that row as mode-config on the /ip ipsec identity row. This will make the initiator request an IP address from the responder, and dynamically create corresponding src-nat rules whenever the tunnel goes up.
Honestly I didn’t get this at all.
I mean mode-config only has one option, "request-only", available to choose (I use WinBox), and where do I set src-address-list and/or connection-mark?
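To make the certificate and mode-config steps discussed in this thread concrete, here is the RouterOS v7 terminal equivalent of what the replies describe. This is an added example, not configuration posted by anyone in the thread. All object names (vpn-client-cert, vpn-ca, vpn-server-cert, vpn-lan, vpn-server, request-lan), the file names, the LAN subnet and the responder hostname are assumed placeholders to be replaced with your own; the IKE/ESP algorithm choices are a reasonable modern default, not values taken from the thread.

```routeros
# Added example (not from the thread). Names and values are placeholders.

# 1. Certificates: the router's own certificate (with private key) and the
#    CA certificate that signed the responder's certificate. Files must
#    already be uploaded to the router (Files list).
/certificate import file-name=router-cert.p12 passphrase="CHANGE-ME" name=vpn-client-cert
/certificate import file-name=vpn-ca.crt name=vpn-ca
# Optional: pin a specific responder instead of "any cert signed by the CA".
/certificate import file-name=vpn-server.crt name=vpn-server-cert

# Check: own cert must carry the K (private-key) flag and be trusted (T);
# the CA and responder certs must NOT carry K.
/certificate print

# 2. Which LAN traffic goes through the tunnel (src-address-list on the
#    mode-config row refers to this list).
/ip firewall address-list add list=vpn-lan address=192.168.88.0/24

# 3. Phase 1 / phase 2 parameters and the responder (peer).
/ip ipsec profile add name=vpn-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=vpn-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=vpn-server address=vpn.example.com exchange-mode=ike2 profile=vpn-profile

# 4. The copy of the mode-config row the reply talks about: responder=no is
#    what WinBox shows as type "request-only". src-address-list (and/or
#    connection-mark) are set on THIS row, not on the identity.
/ip ipsec mode-config add name=request-lan responder=no src-address-list=vpn-lan

# 5. Identity: certificate auth, our cert, optional pin to the responder's
#    cert, and the request-only mode-config row.
/ip ipsec identity add peer=vpn-server auth-method=digital-signature \
    certificate=vpn-client-cert remote-certificate=vpn-server-cert \
    mode-config=request-lan generate-policy=port-strict policy-template-group=default

# 6. Verify: the peer should be established, and a dynamic src-nat rule
#    (created by mode-config) should appear only while the tunnel is up.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip firewall nat print where dynamic
```

Leaving `remote-certificate` unset falls back to accepting any responder whose certificate chains to an imported, trusted CA, which is the weaker of the two options described in the reply; if the dynamic NAT rule never appears in step 6, the usual cause is that the address list in step 2 does not match the traffic you expect to be tunnelled.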