danergo
Member Candidate
Topic Author
Posts: 131
Joined: Tue Dec 24, 2019 8:49 pm

Use IPSec Peer's ID in firewall rule condition?

Thu Nov 25, 2021 3:14 pm

Hi!

I'm having multiple IPSec "Active Peers", and they are all getting their dynamic IPs from a shared pool.
There is a way to differentiate them by checking their ID; based on that, it's obvious which IP belongs to which client.

Can I somehow add the Peer ID to firewall rules (mangles)? I.e. mangling only those packets which are sourced from this XY IPSec peer ID?

Or do I have to use some scripts to check the active peers' IDs and modify my mangle (/ update a firewall address list)?

(Can I ask MikroTik to run my script after an IPSec connection is established / disconnected?)

Thank you!
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Use IPSec Peer's ID in firewall rule condition?

Thu Nov 25, 2021 4:43 pm

No and no. The only thing related to IPsec you can use to match in firewall rules is whether a packet matches any existing IPsec policy. Nor is there a possibility to trigger a script when peer activity state changes, or at least to add the IP address assigned to a peer with mode-config=request-only to an address-list, like with /ppp profile or /ip dhcp lease. So a scheduled script is the only way.
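An added example of the scheduled-script approach sindy describes (not code from the thread or from MikroTik): it walks `/ip ipsec active-peers`, maps each peer's ID to a firewall address-list, and keeps the mode-config address in that list so a mangle rule can match on `src-address-list`. The peer IDs `fqdn:client-a`/`fqdn:client-b`, the list names and the 30s/1m timing are assumptions for illustration.

```routeros
# Added example, not from the thread. Assumed: peer IDs and list names below
# are made up; the scheduler runs this script every 30s, entries expire after 1m,
# so a peer that disconnects drops out of its list within about a minute.
:local idToList {"fqdn:client-a"="vpn-client-a"; "fqdn:client-b"="vpn-client-b"}

:foreach p in=[/ip ipsec active-peers find where state="established"] do={
  :local peerId [/ip ipsec active-peers get $p id]
  # dynamic-address is only set for peers that got an address via mode-config
  :local addr [/ip ipsec active-peers get $p dynamic-address]
  :local list ($idToList->$peerId)

  # skip peers we have no mapping for, or that have no mode-config address
  :if (([:typeof $list] = "str") && ([:typeof $addr] != "nothing")) do={
    :local existing [/ip firewall address-list find where list=$list and address=$addr]
    :if ([:len $existing] = 0) do={
      /ip firewall address-list add list=$list address=$addr timeout=1m comment="ipsec-auto"
      :log info "ipsec-auto: $peerId -> $addr added to $list"
    } else={
      # refresh the timeout so a still-connected peer never expires
      /ip firewall address-list set $existing timeout=1m
    }
  }
}

# One-time setup (run once, not part of the scheduled script):
#   /system script add name=ipsec-peer-lists source=[...the script above...]
#   /system scheduler add name=ipsec-peer-lists interval=30s on-event=ipsec-peer-lists
#   /ip firewall mangle add chain=prerouting src-address-list=vpn-client-a \
#       action=mark-connection new-connection-mark=client-a passthrough=yes
```

Between a peer connecting and the next scheduler run its packets are not yet matched by the list, so keep the interval short and make sure the rules that apply to unmatched traffic are the restrictive ones.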
 
danergo
Member Candidate
Topic Author
Posts: 131
Joined: Tue Dec 24, 2019 8:49 pm

Re: Use IPSec Peer's ID in firewall rule condition?

Thu Nov 25, 2021 4:47 pm

Thank you Sindy!
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: Use IPSec Peer's ID in firewall rule condition?

Thu Nov 25, 2021 4:47 pm

You have not completely described your setup. For plain IPsec it is as sindy describes, but when you use L2TP/IPsec you can do such things in PPP profiles.
E.g. I use a PPP profile that puts some of the client interfaces in an interface list, based on the profile selected for each client secret.
You can then use the interface list membership in a firewall rule.

I always prefer to use some form of tunnel (L2TP, GRE) on top of IPsec.
 
danergo
Member Candidate
Topic Author
Posts: 131
Joined: Tue Dec 24, 2019 8:49 pm

Re: Use IPSec Peer's ID in firewall rule condition?

Thu Nov 25, 2021 4:57 pm

I have plain IPSec, sorry for that - it was a common fact between Sindy and me.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Use IPSec Peer's ID in firewall rule condition?

Thu Nov 25, 2021 5:01 pm

On the other hand, since both ends are in your own hands, it is relatively easy for you to migrate to what @pe1chl proposes.
