Hub:
/ip ipsec mode-config
add address=10.219.0.1 address-prefix-length=32 name=client-1 split-include=10.11.219.1/32
add address=10.219.0.2 address-prefix-length=32 name=client-2 split-include=10.11.219.1/32
/ip ipsec policy group
add name=special
/ip ipsec profile
add dh-group=ec2n185 enc-algorithm=aes-256 hash-algorithm=sha256 name=special
/ip ipsec peer
add exchange-mode=ike2 name=special passive=yes profile=special
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=special pfs-group=ec2n185
/ip ipsec identity
add auth-method=digital-signature certificate=vpn-server generate-policy=port-strict match-by=certificate mode-config=\
client-1 peer=special policy-template-group=special remote-certificate=vpn-client-1
add auth-method=digital-signature certificate=vpn-server generate-policy=port-strict match-by=certificate mode-config=\
client-2 peer=special policy-template-group=special remote-certificate=vpn-client-2
/ip ipsec policy
add disabled=yes group=special proposal=special template=yes
add dst-address=10.219.0.1/32 group=special proposal=special src-address=10.11.219.1/32 template=yes
add dst-address=10.219.0.2/32 group=special proposal=special src-address=10.11.219.1/32 template=yes
add dst-address=192.168.125.0/24 group=special proposal=special src-address=10.11.219.0/24 template=yes
add dst-address=192.168.133.0/24 group=special proposal=special src-address=10.11.219.0/24 template=yes
Client:
/ip ipsec policy group
add name=special
/ip ipsec profile
add dh-group=ec2n185 enc-algorithm=aes-256 hash-algorithm=sha256 name=special
/ip ipsec peer
add address=public.ip.of.hub/32 exchange-mode=ike2 name=special profile=special send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=special pfs-group=ec2n185
/ip ipsec identity
add auth-method=digital-signature certificate=my-crt generate-policy=port-strict mode-config=request-only peer=special \
policy-template-group=special
/ip ipsec policy
add group=special proposal=special template=yes
add dst-address=10.11.219.0/24 level=unique peer=special proposal=special sa-dst-address=public.ip.of.hub sa-src-address=0.0.0.0 \
src-address=192.168.125.0/24 tunnel=yes
The input chain of /ip firewall filter must permit incoming connections to UDP port 4500 from the clients; if the clients' WAN addresses are public ones, ESP must also be permitted in the same chain, at both the clients and the hub.
I'm not sure regarding self-signed certificates. If they are not accepted, follow my setup: on the clients I only have the public certificate of the CA that signed the server's certificate and the private certificate of the client (which happens to be signed by the same CA, so if these two CAs differ in your case it is probably necessary to have both installed: one to verify the server certificate (this is for sure), and the other one to be (possibly; not sure here) sent along with the client's certificate itself). On the server, I have the CA certificate (the public certificate of each CA signing one or more client certificates is necessary), the private certificate of the server, and the public certificates of the clients, as they are used in /ip ipsec identity to identify the clients.
This way (match-by=certificate), the common name of the certificate may be basically any distinctive string. I believe you could use some distinct fqdn-like strings, something.something[.something], as the client certificates' common names, set the identities at the server side to match-by=remote-id remote-id=fqdn:client's.fqdn.used.as.cert.common-name, and set my-id at the client side to fqdn:client's.fqdn.used.as.cert.common-name; i.e. I believe no DNS query is sent to check that the fqdn sent by the client resolves to the client's actual IP address.
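An added example (mine, not code from the post above) of the hub-side input-chain rules the firewall paragraph describes. The interface list WAN, the address list vpn-clients and the placeholder client WAN addresses are assumptions; adjust them to your setup. Besides UDP 4500 the rules also accept UDP 500, because the IKEv2 IKE_SA_INIT exchange is sent to port 500 and the peers move to 4500 only after NAT detection; a client behind NAT then carries its ESP inside UDP 4500, so the plain ESP rule only matters for clients with public addresses, as the post says.

```routeros
# Added example, not part of the original post.
# Assumed names: interface list "WAN", address list "vpn-clients",
# placeholder WAN addresses of the two clients.
/ip firewall address-list
add list=vpn-clients address=client-1.wan.ip comment="client-1 WAN address"
add list=vpn-clients address=client-2.wan.ip comment="client-2 WAN address"

/ip firewall filter
# Replies to connections the hub itself initiated (standard stateful rule).
add chain=input action=accept connection-state=established,related \
    comment="established/related"
# IKEv2: IKE_SA_INIT arrives on UDP 500; after NAT detection the IKE SA and
# UDP-encapsulated ESP (NAT-T) use UDP 4500.
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN src-address-list=vpn-clients \
    comment="IKEv2 and NAT-T from VPN clients"
# Plain ESP (protocol 50) is only seen when the client has a public address
# and no NAT-T is negotiated.
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN src-address-list=vpn-clients \
    comment="ESP from VPN clients with public addresses"
# Traffic that was decapsulated from an IPsec SA and is addressed to the
# hub itself (e.g. a client reaching 10.11.219.1).
add chain=input action=accept ipsec-policy=in,ipsec \
    comment="decapsulated IPsec traffic to the router"
# Everything else from the WAN side is dropped; the accept rules above must
# sit before this rule (use place-before= when adding to an existing chain).
add chain=input action=drop in-interface-list=WAN comment="drop rest from WAN"
```

On each client, the same two accept rules apply with src-address=public.ip.of.hub in place of the address list; a client with a private WAN address needs only the UDP rule, since its ESP is encapsulated in UDP 4500. To check the result after a client connects, `/ip ipsec active-peers print` should list an established IKE SA per client and `/ip ipsec installed-sa print` the ESP SAs, while `/ip firewall filter print stats` shows which rule the packets actually hit; if nothing comes up, `/system logging add topics=ipsec action=memory` and `/log print where topics~"ipsec"` show the negotiation.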