Thanks Erkexzcx,
I did read your guide, which was very detailed and informative, thank you! I can confirm again that I am using a different VPN server for each connection. However, I am only able to get two tunnels to connect concurrently. I have even tried adding a fourth server, and it exhibits the same limitation: only the first two tunnels complete Phase 2.
We're probably at the point where I should just post my example configuration:
# jun/21/2021 13:58:31 by RouterOS 6.48.3
# software id = 5S11-WSAP
#
# model = RBD52G-5HacD2HnD
# serial number = SN#
# Bridge "Local" is the LAN segment; LAN1, LAN2, wlan1 and wlan2 are attached to it under /interface bridge port.
/interface bridge
add name=Local
# Rename the physical ports: ether1-3 become the three uplinks (their comments label them PPPoE, DSL, LTE),
# ether4-5 become the LAN ports.
/interface ethernet
set [ find default-name=ether4 ] name=LAN1
set [ find default-name=ether5 ] name=LAN2
set [ find default-name=ether1 ] comment=PPPoE name=WAN1
set [ find default-name=ether2 ] comment=DSL name=WAN2
set [ find default-name=ether3 ] comment=LTE name=WAN3
# PPPoE session on top of WAN1. No password= appears on this line, so it was either removed by hand or
# hidden by the export; keep it out of anything posted publicly.
/interface pppoe-client
add comment=PPPoE disabled=no interface=WAN1 max-mtu=1492 name=pppoe1 user=JoeSmith
# NOTE(review): neither wlan line carries disabled=no, so the radios are presumably off - confirm.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] ssid=MikroTik station-roaming=enabled
# NOTE(review): both lists are created with include=all, which pulls in the members of the built-in "all"
# list. If that holds here, WAN_Interfaces and LAN_Interfaces each contain every interface, and the
# in-interface-list matches in /ip firewall filter no longer separate LAN from WAN. Check with
# "/interface list member print" and drop include=all if the explicit members further down are what is intended.
/interface list
add include=all name=WAN_Interfaces
add include=all name=LAN_Interfaces
# NOTE(review): the default security profile shows no mode= or authentication-types= here. Before enabling
# wlan1/wlan2 (both are bridged into Local), confirm the profile is not left open.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One mode-config per intended tunnel. connection-mark ties each one to the mangle connection mark of the same name.
# NOTE(review): in this export only to_VPN3 is ever assigned by a mark-connection rule; to_VPN and to_VPN2 are
# referenced by the change-mss rules but nothing sets them.
/ip ipsec mode-config
add connection-mark=to_VPN name=NordVPN responder=no use-responder-dns=no
add connection-mark=to_VPN2 name=NordVPN2 responder=no use-responder-dns=no
add connection-mark=to_VPN3 name=NordVPN3 responder=no use-responder-dns=no
# Policy group that the template under /ip ipsec policy and the identities both reference.
/ip ipsec policy group
add name=NordVPN
# IKE (phase 1) parameters: the default profile is raised to aes-256/sha256, and the NordVPN profile uses
# aes-256, sha512 and DH group modp2048.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=NordVPN
# Four IKEv2 peers addressed by DNS name; only "NordVPN Seattle 3" is enabled in this export.
# The peer address depends on what the router's resolver returns for these names.
/ip ipsec peer
add address=us1.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 1" profile=NordVPN send-initial-contact=no
add address=us2.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 2" profile=NordVPN send-initial-contact=no
add address=us3.nordvpn.com exchange-mode=ike2 name="NordVPN Seattle 3" profile=NordVPN send-initial-contact=no
add address=us4.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 4" profile=NordVPN send-initial-contact=no
# Phase 2 (ESP) proposal: the default proposal is disabled and the NordVPN one offers aes-256-cbc/ctr with sha256.
# NOTE(review): pfs-group=none means rekeyed child SAs do not run a fresh DH exchange; presumably this
# follows what the provider accepts - confirm before changing it.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr name=NordVPN pfs-group=none
# LAN DHCP: leases are handed out from 192.168.15.51-243 on the Local bridge.
/ip pool
add name=dhcp_pool0 ranges=192.168.15.51-192.168.15.243
/ip dhcp-server
add address-pool=dhcp_pool0 bootp-lease-time=4w2d bootp-support=dynamic disabled=no interface=Local lease-time=1d name=dhcp1
# PPP profile named for OpenVPN; nothing else in this export references it.
/ppp profile
add change-tcp-mss=yes name=OVPN-Profile only-one=yes use-encryption=required use-mpls=no
# The "full" group carries every policy, including telnet, ftp, api and sensitive. Which of those protocols
# are actually reachable is decided under /ip service.
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
# LAN ports and both radios are members of the Local bridge.
/interface bridge port
add bridge=Local interface=LAN1
add bridge=Local interface=LAN2
add bridge=Local interface=wlan1
add bridge=Local interface=wlan2
/ip firewall connection tracking
set enabled=yes
# NOTE(review): !dynamic enables neighbor discovery on every non-dynamic interface, which here includes
# WAN1-WAN3, so the router announces itself to the upstream segments. Restricting discovery to a
# LAN-only interface list is the usual hardening.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# NOTE(review): detect-internet is pointed at the same two lists that are declared with include=all - confirm
# it only probes the interfaces intended.
/interface detect-internet
set detect-interface-list=WAN_Interfaces internet-interface-list=WAN_Interfaces lan-interface-list=LAN_Interfaces
# Explicit list membership: the three uplinks plus pppoe1 as WAN; LAN ports, bridge and radios as LAN.
/interface list member
add interface=WAN3 list=WAN_Interfaces
add interface=WAN2 list=WAN_Interfaces
add interface=pppoe1 list=WAN_Interfaces
add interface=WAN1 list=WAN_Interfaces
add interface=LAN1 list=LAN_Interfaces
add interface=LAN2 list=LAN_Interfaces
add interface=Local list=LAN_Interfaces
add interface=wlan1 list=LAN_Interfaces
add interface=wlan2 list=LAN_Interfaces
# Static addresses: WAN3 sits in 192.168.122.0/24 (a private range, so this uplink is presumably behind
# another NAT device) and the LAN gateway is 192.168.15.1.
/ip address
add address=192.168.122.3/24 interface=WAN3 network=192.168.122.0
add address=192.168.15.1/24 interface=Local network=192.168.15.0
# DHCP clients on the uplinks never install a default route or take the ISP's DNS; routing is done by the
# static routes under /ip route. Only the WAN2 client carries disabled=no.
/ip dhcp-client
add add-default-route=no interface=WAN1 use-peer-dns=no
add add-default-route=no disabled=no interface=WAN2 use-peer-dns=no
add add-default-route=no interface=WAN3 use-peer-dns=no
# LAN clients are given 192.168.15.15 as their resolver and three public NTP servers.
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=192.168.15.15 domain=XYZ.net. gateway=192.168.15.1 netmask=24 ntp-server=45.79.214.107,192.243.100.160,184.105.182.7
# NOTE(review): allow-remote-requests=yes makes the router itself answer DNS queries, and the input-chain
# rules in this export filter only TCP management ports and ICMP. Unless port 53 is blocked on the WAN
# side some other way, the router can be used as an open resolver from the uplinks. Either add an input
# rule dropping DNS from non-LAN interfaces or turn this off, since DHCP already hands out 192.168.15.15.
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=2048 servers=192.168.15.15
# Address lists used by the filter, mangle and raw tables. The author states that public addresses and names
# were adjusted before posting, so some values below may not be the real ones.
/ip firewall address-list
# Hosts allowed to reach the router's management ports (see /ip firewall filter).
add address=192.168.15.1-192.168.15.255 list=allowed_users
# Destination lists (*-Dst) and source lists (*-Src) that pin traffic to one uplink in the mangle table.
add address=10.198.36.0/24 comment="ACME Location A" list=PPPoE-Dst
add address=107.23.193.11 comment="DynIP Updates" list=PPPoE-Dst
# NOTE(review): 192.168.12.0 is not on a /19 boundary. If the mask is applied as written, the covered range
# is 192.168.0.0-192.168.31.255, which contains the LAN 192.168.15.0/24 - confirm the intended prefix.
add address=192.168.12.0/19 comment="Bravo Servers" list=PPPoE-Dst
add address=10.12.129.0/24 comment="ACME Location B" list=LTE-Dst
add address=192.168.243.35 comment="Gamma PPPoE CRM" list=LTE-Dst
add address=216.239.32.21 comment="DynDNS Updates" list=DSL-Dst
add address=216.239.34.21 comment="DynDNS Updates" list=DSL-Dst
add address=216.239.36.21 comment="DynDNS Updates" list=DSL-Dst
add address=216.239.38.21 comment="DynDNS Updates" list=DSL-Dst
add address=192.168.15.169 comment="TV Ethernet Connection" list=PPPoE-Src
add address=192.168.15.170 comment="TV Wifi Connection" list=LTE-Src
add address=192.168.15.66 comment="Bedroom FireStick" list=PPPoE-Src
add address=192.168.15.61 comment="#### PC #####" list=LTE-Src
add address=172.16.31.255 comment="Bogus Source" list=DSL-Src
add address=1.1.1.11 list=PPPoE-Dst
add address=1.1.1.12 list=DSL-Dst
add address=1.1.1.13 list=LTE-Dst
# Sources that are allowed to ping the router from outside the LAN.
add address=192.168.124.224/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.168.42.240/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.168.221.80/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.168.199.16/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.64.80.8 comment="XYZ Host" list=PingSources
add address=4.2.2.0/29 comment="Tracked Route Sources" list=PingSources
# noVPN (destinations) and noVPNsrc (sources) are excluded from the VPN connection mark in the mangle table,
# so traffic matching them leaves through the plain uplinks.
add address=10.12.129.0/24 comment="ACME Location B" list=noVPN
add address=10.198.36.0/24 comment="ACME Location A" list=noVPN
add address=4.2.2.0/29 comment="Tracked Route Sources" list=noVPN
add address=192.168.15.166 comment=FireTV list=noVPNsrc
# NOTE(review): same /19 boundary question as the PPPoE-Dst entry for "Bravo Servers".
add address=192.168.12.0/19 comment="Bravo Servers" list=noVPN
add address=192.168.15.69 comment=PA220 list=noVPNsrc
add address=192.168.15.0/24 comment="Private IP Subnet" list=noVPN
add address=192.168.15.15 comment="Pi 4 - PiHole Server" list=noVPNsrc
# VPN server names, resolved by the router; the raw table exempts ESP/AH to and from these from connection
# tracking, so the list is only as trustworthy as the DNS answers behind it.
add address=us1.nordvpn.com list=IKEVtraffic
add address=us2.nordvpn.com list=IKEVtraffic
add address=us3.nordvpn.com list=IKEVtraffic
add address=us4.nordvpn.com list=IKEVtraffic
# Input-chain rules (traffic addressed to the router itself). This export has no accept-established/related
# rule, no final drop on input and no forward-chain rule at all, so anything not matched below is accepted.
# NOTE(review): that leaves every other service on the router, e.g. the DNS resolver enabled under /ip dns,
# reachable from the uplinks. The usual hardening is: accept established,related; drop invalid; accept
# from the LAN; drop everything else - on both the input and forward chains.
/ip firewall filter
# Drop and log TCP to the management ports (FTP/SSH, 80, 443, 8443, 8080, WinBox 8291) unless the source is
# 192.168.15.0/24. The match is on source address only, not on the ingress interface.
add action=drop chain=input dst-port=21-22,80,443,8443,8080,8291 log=yes protocol=tcp src-address=!192.168.15.0/24
# Accept the same ports from allowed_users arriving on LAN_Interfaces.
# NOTE(review): LAN_Interfaces is declared with include=all, so this interface match may also cover the
# WAN ports - confirm the list membership.
add action=accept chain=input dst-port=21-22,80,443,8443,8080,8291 in-interface-list=LAN_Interfaces protocol=tcp src-address-list=allowed_users
# Accept ICMP from LAN users when the connection state is neither established nor related.
add action=accept chain=input connection-state=!established,related in-interface-list=LAN_Interfaces protocol=icmp src-address-list=allowed_users
# Drop such ICMP from any source outside PingSources: first on interfaces not in LAN_Interfaces, then on
# WAN_Interfaces. Both matches depend on the two interface lists being disjoint.
add action=drop chain=input connection-state=!established,related in-interface-list=!LAN_Interfaces protocol=icmp src-address-list=!PingSources
add action=drop chain=input connection-state=!established,related in-interface-list=WAN_Interfaces protocol=icmp src-address-list=!PingSources
# Policy routing. Order matters: the accept rules stop mangle processing for the listed destinations,
# then the first mark-connection rule that matches an unmarked connection decides its path.
/ip firewall mangle
# Destinations that must never be marked (remote sites, the LTE peering subnet, the VPN servers themselves).
add action=accept chain=prerouting comment="ACME Lab" dst-address=10.122.122.0/24 dst-address-type=!local in-interface=Local
add action=accept chain=prerouting comment="ACME Location A" dst-address=10.198.36.0/24 dst-address-type=!local in-interface=Local
add action=accept chain=prerouting comment="ACME Location B" dst-address=10.12.129.0/24 dst-address-type=!local in-interface=Local
add action=accept chain=prerouting comment="LTE Peering IP" dst-address=192.168.122.0/24 in-interface=Local
add action=accept chain=prerouting comment="US1.NORDVPN.COM - Seattle" dst-address=23.82.194.1 in-interface=Local
add action=accept chain=prerouting comment="US2.NORDVPN.COM - Seattle" dst-address=23.82.194.2 in-interface=Local
add action=accept chain=prerouting comment="US3.NORDVPN.COM - Seattle" dst-address=23.82.194.3 in-interface=Local
add action=accept chain=prerouting dst-address=192.168.86.0/24 in-interface=Local
# NOTE(review): 192.168.99.1.1 has five octets and is not a valid IPv4 address - presumably an artifact of
# editing the export before posting; the line would not import as written.
add action=accept chain=prerouting dst-address=192.168.99.1.1 in-interface=Local
# Every unmarked LAN connection that is neither to a noVPN destination nor from a noVPNsrc host gets the
# to_VPN3 mark (the comment says "NordVPN1", the mark is to_VPN3). No rule assigns to_VPN or to_VPN2.
# NOTE(review): nothing visible here drops to_VPN3 traffic while the tunnel is down; confirm whether it
# would then leave unencrypted through the main routing table and a masquerade rule, and add a
# blocking rule if that is not acceptable.
add action=mark-connection chain=prerouting comment="Solo NordVPN1" connection-mark=no-mark dst-address-list=!noVPN new-connection-mark=to_VPN3 passthrough=yes src-address=192.168.15.0/24 src-address-list=!noVPNsrc
# Connections arriving on an uplink are marked with that uplink so replies leave the same way.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
# Pin LAN-originated connections to an uplink by destination list, then by source list.
add action=mark-connection chain=prerouting comment="PPPoE Destinations" connection-mark=no-mark dst-address-list=PPPoE-Dst dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LTE Destinations" connection-mark=no-mark dst-address-list=LTE-Dst dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=prerouting comment="DSL Destinations" connection-mark=no-mark dst-address-list=DSL-Dst dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PPPoE Sources" connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes src-address-list=PPPoE-Src
add action=mark-connection chain=prerouting comment="LTE Sources" connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes src-address-list=LTE-Src
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes src-address-list=DSL-Src
# "TEST Default" marks every remaining unmarked LAN connection as WAN1_conn. Because the three
# per-connection-classifier rules that follow also require connection-mark=no-mark, they cannot match
# while this rule is enabled.
add action=mark-connection chain=prerouting comment="TEST Default" connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes
# Three-way split by source address across the uplinks.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=src-address:3/2
# Translate connection marks into routing marks for forwarded LAN traffic. The to_VPN* marks get no routing mark.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=Local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=Local new-routing-mark=to_WAN3 passthrough=yes
# Clamp the TCP MSS on SYN packets of VPN-marked connections whose MSS is above 1360.
# NOTE(review): to_VPN2 clamps to 1360 while to_VPN and to_VPN3 clamp to 1340 - confirm that is intended.
add action=change-mss chain=forward connection-mark=to_VPN new-mss=1340 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward connection-mark=to_VPN2 new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward connection-mark=to_VPN3 new-mss=1340 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
# Same connection-mark to routing-mark translation for traffic generated by the router itself.
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn new-routing-mark=to_WAN3 passthrough=yes
# Source NAT: everything leaving through an uplink is masqueraded to that interface's address.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe1
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
# NOTE(review): this forwards TCP 3500 on pppoe1 to the NVR at 192.168.15.250 for any source address, and
# the export has no forward-chain filter rules. If the app allows it, restrict the rule with a
# src-address-list of known clients, or reach the NVR over a VPN instead.
add action=dst-nat chain=dstnat comment="Zulu - NVR - App" dst-port=3500 in-interface=pppoe1 protocol=tcp to-addresses=192.168.15.250 to-ports=3500
# Exempt ESP and AH exchanged with the VPN servers from connection tracking.
# NOTE(review): WAN3 has a private address, so that uplink is presumably behind NAT; in that case ESP is
# normally carried inside UDP 4500 and protocol=ipsec-esp would not match it - confirm with the rule counters.
/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=prerouting protocol=ipsec-ah src-address-list=IKEVtraffic
add action=notrack chain=output dst-address-list=IKEVtraffic protocol=ipsec-esp
add action=notrack chain=output dst-address-list=IKEVtraffic protocol=ipsec-ah
# One EAP-MSCHAPv2 identity per peer. The username is redacted and no password= is present, which is how
# it should stay in a public post. certificate="NordVPN CA" is presumably the imported provider root CA
# used to validate the server - confirm.
# NOTE(review): the identities for "NordVPN Seattle 3" and "NordVPN Seattle 4" both use mode-config=NordVPN3,
# so with both peers enabled the two tunnels would share the connection mark to_VPN3.
/ip ipsec identity
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN3 peer="NordVPN Seattle 3" policy-template-group=NordVPN username=XXX
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer="NordVPN Seattle 1" policy-template-group=NordVPN username=XXX
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN2 peer="NordVPN Seattle 2" policy-template-group=NordVPN username=XXX
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN3 peer="NordVPN Seattle 4" policy-template-group=NordVPN username=XXX
# Policies: entry 0 is disabled, traffic destined to the LAN 192.168.15.0/24 is exempted from IPsec
# (action=none), and a single any-to-any template in group NordVPN is what generated policies are checked against.
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=192.168.15.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
# Per-uplink routing tables. Each routing mark has three default routes, at distances 1-3, whose gateways are
# 4.2.2.1-3; those gateways are presumably resolved through the /32 host routes further down, and
# check-gateway=ping takes a route out of service when its gateway stops answering.
# NOTE(review): pref-src is 192.168.192.193 on the first route and 64.62.192.193 on the others - likely a
# leftover from adjusting addresses before posting; confirm against the live config.
/ip route
add check-gateway=ping distance=1 gateway=4.2.2.1 pref-src=192.168.192.193 routing-mark=to_WAN1 scope=10
add check-gateway=ping distance=2 gateway=4.2.2.2 routing-mark=to_WAN1 target-scope=30
add check-gateway=ping distance=3 gateway=4.2.2.3 routing-mark=to_WAN1 target-scope=30
add check-gateway=ping distance=1 gateway=4.2.2.2 routing-mark=to_WAN2 scope=10
add check-gateway=ping distance=2 gateway=4.2.2.3 routing-mark=to_WAN2 target-scope=30
add check-gateway=ping distance=3 gateway=4.2.2.1 routing-mark=to_WAN2 target-scope=30
add check-gateway=ping distance=1 gateway=4.2.2.3 routing-mark=to_WAN3 scope=10
add check-gateway=ping distance=2 gateway=4.2.2.1 routing-mark=to_WAN3 target-scope=30
add check-gateway=ping distance=3 gateway=4.2.2.2 routing-mark=to_WAN3 target-scope=30
# The only default route in the main table, via the LTE-side gateway. Connections that carry a to_VPN*
# mark get no routing mark in the mangle table, so this is the table they are looked up in.
add distance=30 gateway=192.168.122.1 scope=200 target-scope=200
# Host routes that tie each probe address 4.2.2.1-3 to one physical uplink.
add distance=1 dst-address=4.2.2.1/32 gateway=10.99.1.1 pref-src=64.62.192.193 scope=10
add distance=1 dst-address=4.2.2.2/32 gateway=63.225.86.254 scope=10
add distance=1 dst-address=4.2.2.3/32 gateway=192.168.122.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=pppoe1 pref-src=64.62.192.193 target-scope=30
# Static routes to the remote sites.
add distance=1 dst-address=10.122.122.0/24 gateway=192.168.15.69 target-scope=30
add distance=1 dst-address=10.12.129.0/24 gateway=192.168.122.1 target-scope=30
# Three /32 routes, each sent through a different probe gateway.
# NOTE(review): presumably these pin each VPN server to its own uplink, but the addresses (.66, .165, .170)
# do not match the 23.82.194.1-3 addresses that the mangle accept rules label as the NordVPN servers - confirm.
add distance=1 dst-address=23.82.194.66/32 gateway=4.2.2.2 scope=10
add distance=1 dst-address=23.82.194.165/32 gateway=4.2.2.1 pref-src=64.62.192.193 scope=10
add distance=1 dst-address=23.82.194.170/32 gateway=4.2.2.3 scope=10
add distance=1 dst-address=10.198.36.0/24 gateway=pppoe1 pref-src=64.62.192.193 target-scope=30
# Management services. telnet, ftp, www, api and api-ssl are disabled; ssh, www-ssl and winbox stay enabled
# and are limited to three source subnets.
# NOTE(review): the input filter drops the management ports for every source outside 192.168.15.0/24, so
# the 192.168.5.0/24 and 192.168.10.0/24 entries here are effectively unreachable; remove them or align
# the filter rule, whichever is intended.
# NOTE(review): MAC-based access (/tool mac-server) does not appear in this export, so its defaults
# presumably apply - confirm it is limited to LAN interfaces.
/ip service
set telnet disabled=yes
set ftp address=192.168.15.0/24 disabled=yes
set www disabled=yes
set ssh address=192.168.5.0/24,192.168.10.0/24,192.168.15.0/24
# www-ssl is restricted to TLS 1.2; no certificate= is shown on this line - confirm one is assigned.
set www-ssl address=192.168.5.0/24,192.168.10.0/24,192.168.15.0/24 disabled=no tls-version=only-1.2
set api disabled=yes
set winbox address=192.168.5.0/24,192.168.10.0/24,192.168.15.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=XTik
I've adjusted most public addresses and names I could find. It is working at the moment, but I am only running the one tunnel until I can get all three going.
Thanks again for all the input!