I'm trying to configure the Mikrotik to be an IPSec server for multiple clients with dynamic remote IPs; each client has a unique certificate signed by the same CA and multiple machines which may connect simultaneously.
My end goal is to have a different set of IP ranges allocated for each client, e.g. client1: 192.168.1.0/24, client2: 192.168.2.0/24.
For one client I got it working: I was able to configure an IP pool, a policy and a peer (certificate: server.crt, remote certificate: client1.crt).
But when I added the second client (client2), I encountered a problem: the peer was matched arbitrarily, since the certificate exchange occurred in phase 2. Thus the verification failed (the Mikrotik tried to verify client1 with client2's peer configuration).
So, a couple of questions:
1. Is it really not possible to create multiple peer configurations with overlapping IPs (0.0.0.0/0) and different remote certificates, and have the Mikrotik check all peer configurations?
2. In order for all clients to share a single peer configuration, I need to verify the clients' certificates using a CA (by setting remote certificate to "none").
But I was not able to import a CA _without_ a private key and without generating it locally on the Mikrotik (i.e. I want the IPSec policy to verify the certificates based on an external ca.crt, public part only). Is it possible?
3. As far as I understand, there is no way to allocate different pools of IPs based on the certificate. The closest thing I found was to create XAuth users (with certificate hybrid authentication) and allocate a single IP to each (i.e. to create 254 users for each client: client1_1 with 192.168.1.1 ... client1_254 with 192.168.1.254, and the same for client2, ...).
Am I doing something wrong, or are these limitations I have to live with?
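As an added example (not part of the original post and not MikroTik code), the script below uses OpenSSL to build a throwaway CA and sign one certificate per client, then shows the trust model the second question is after: the CA's public certificate on its own is enough to accept certificates it signed and to reject one issued by a different CA, with the CA private key never touched during verification. It also pulls out each certificate's subject CN, the field that tells client1 and client2 apart once both are verified by the same CA. The working directory, the CA name `ca`, the second CA `rogue-ca`, and the client names `client1`, `client2` and `intruder` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a throwaway PKI for IPsec road-warrior clients.
# Everything lives in a temp directory; nothing touches a real router.
set -eu

# WORK, the CA and client names below are demo assumptions.
WORK="${WORK:-$(mktemp -d)}"

# Create a private CA: key plus self-signed certificate.
make_ca() {
  # $1 = directory, $2 = CA name (also used as CN)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Issue a client certificate signed by the given CA (needs the CA key).
issue_client() {
  # $1 = directory, $2 = CA name, $3 = client name (used as CN)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 365 -out "$1/$3.crt" >/dev/null 2>&1
}

# Verify a client certificate against the CA's PUBLIC certificate only.
# This is exactly what a responder holding just ca.crt has to do;
# the CA private key is never read here. Prints "ok" or "fail".
verify_client() {
  # $1 = directory, $2 = CA name, $3 = client name
  if openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Extract the subject CN of a certificate, i.e. the per-client identity
# an IPsec responder can match on after the CA check has passed.
client_cn() {
  # $1 = directory, $2 = client name
  openssl x509 -in "$1/$2.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Build the demo PKI once: one trusted CA, one unrelated CA, three clients.
setup_pki() {
  [ -f "$WORK/ca.crt" ] && return 0
  make_ca "$WORK" ca
  make_ca "$WORK" rogue-ca
  issue_client "$WORK" ca client1
  issue_client "$WORK" ca client2
  issue_client "$WORK" rogue-ca intruder   # valid cert, wrong CA
}

demo() {
  setup_pki
  for c in client1 client2 intruder; do
    printf '%-9s CN=%-9s verify-with-ca.crt=%s\n' \
      "$c" "$(client_cn "$WORK" "$c")" "$(verify_client "$WORK" ca "$c")"
  done
}

demo
```

`verify_client` deliberately takes only `ca.crt`; copying that single file (without `ca.key`) to another machine and running the same `openssl verify` there gives identical results, which is the property the second question relies on. The `intruder` certificate is well-formed and self-consistent, so only the issuer check rejects it.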