azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Tue May 02, 2023 4:25 pm

Hi,

I'm having a hard time replacing a Fortigate firewall, which is acting mainly as a VPN gateway, with an RB5009.
Remote peers consist of various devices, which all have different requirements:
  • Fortigate with static IP
  • Fortigate with dynamic IP behind NAT (NAT-T req'd)
  • Mikrotik wAP ac LTE kit with static IP (ROS 7)
  • AVM Fritzbox with dynamic IP - very limited in IPSEC configurability

Mostly I'm struggling with the fact that the Fortigate with the dynamic IP behind NAT collides with the AVM Fritzbox, which also has a dynamic IP address (not behind NAT).
These two devices need different phase1 settings aka IPsec profiles but as soon as I create a second peer with ::/0 in the "address" field, I get the error message "This entry is unreachable".

Basically this boils down to this question:
Two dialup IPsec peers (aggressive mode) with different IPsec profiles: impossible with RouterOS?

Thanks in advance
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Tue May 02, 2023 6:44 pm

Just replace the Fortigate and Fritz with MT devices.
{ This is not a paid political announcement but just to show MT I can be very supportive, all you have to do is add cloudflare zerotrust tunnel as an option package for all devices. }

Sadly, I have no experience in IPSEC but if the MT cannot handle that in ipsec, then throw the 5009 in the garbage as it would not be worthy in the VPN market segment.
 
azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Tue May 02, 2023 8:53 pm

Unfortunately one doesn't always have control over all peer sites and devices, so replacing the remote devices unfortunately is not an option here.

Replacing the MikroTik with a different solution like pfSense, OPNsense or Sophos XG is an option though.

However, I'd favor achieving the goal with the RB5009.
 
tdw
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Tue May 02, 2023 9:40 pm

Aggressive mode should be avoided - it has vulnerabilities which have been known about for decades and will not pass PCI compliance tests, for example.

Presumably you are using IKE and PSK. You cannot have multiple IPsec profiles for ::/0 as the only supported identity type is the IP address. Using other identities (key ID / fqdn / user fqdn) as an identity is only supported with IKE2.
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Wed May 03, 2023 1:50 am

Ahh, so is this a case of trying to stuff a square peg of current and secure RoS into a round hole of old and unsecured VPN protocols?

One could say it looks like you're up shit's creek without a paddle.

Hypothetically speaking of course, someone needs the powers that be to know that the other boxes need a changin'... because any admin that keeps supporting insecure setups is not much of an admin and worse, now liable for not protecting the business one is paid to protect. In other words, don't go down with the sinking ship, provide the lifeline suggestion and if rejected, get into the liferaft and sail away.
 
azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Wed May 03, 2023 2:09 am

anav wrote:
> Ahh, so is this a case of trying to stuff a square peg of current and secure RoS into a round hole of old and unsecured VPN protocols?
>
> One could say it looks like you're up shit's creek without a paddle.
>
> Hypothetically speaking of course, someone needs the powers that be to know that the other boxes need a changin'... because any admin that keeps supporting insecure setups is not much of an admin and worse, now liable for not protecting the business one is paid to protect. In other words, don't go down with the sinking ship, provide the lifeline suggestion and if rejected, get into the liferaft and sail away.

Dude, you are not wrong. But sometimes you do not have a choice.
All I know is that the Fortigate has to be replaced now, and it seems that a MikroTik cannot be a simple drop-in replacement.

The setup as it currently is uses IKE2 and high encryption wherever possible, but there are still two old peers who need different settings, and they are pretty limited in access to any resources anyway.
I guess I'll try to get the AVM Fritzbox and the dialup NAT-T Fortigate to talk IKE2 then...

tdw wrote:
> Aggressive mode should be avoided - it has vulnerabilities which have been known about for decades and will not pass PCI compliance tests, for example.
>
> Presumably you are using IKE and PSK. You cannot have multiple IPsec profiles for ::/0 as the only supported identity type is the IP address. Using other identities (key ID / fqdn / user fqdn) as an identity is only supported with IKE2.

Thanks, that info helped.
 
azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Thu May 04, 2023 6:41 pm

By the way, I ended up getting rid of aggressive mode completely and reconfigured the peers to main mode and IKE2.
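The layout tdw describes (identities other than the IP address are only available with IKE2) and that the topic author moved to, as an added example that is not from any poster in this thread: a single passive IKEv2 peer for ::/0 whose remote sites are told apart by their IKE identity rather than by their changing source address. All names, FQDNs, secrets and subnets are placeholders, and it assumes every dynamic-IP site can do IKEv2 with a pre-shared key.

```routeros
# Added example, not from any poster: one IKEv2 responder peer for all
# dynamic-IP sites, each site matched by its IKEv2 identity (fqdn) instead
# of by source address. Names, FQDNs, secrets and subnets are placeholders.

# Phase 1: a profile may list several algorithms; the responder accepts
# whichever of them the initiator proposes, so a strong site and a more
# limited site can share one peer entry. Trim the lists to the strongest
# set every site supports once the limited device is gone.
/ip ipsec profile add name=ike2-dialup \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha256,sha1 \
    dh-group=modp2048,modp1024 nat-traversal=yes

# Phase 2 proposal referenced by the policy templates below.
/ip ipsec proposal add name=ike2-dialup-prop \
    auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=modp2048

# One peer entry covers every initiator without a fixed address; a second
# peer with address=::/0 is what produces "This entry is unreachable".
/ip ipsec peer add name=dialup-ike2 address=::/0 exchange-mode=ike2 \
    passive=yes profile=ike2-dialup

# A separate policy template group per site keeps their subnets apart, so
# a site can only negotiate the selectors its own group allows.
/ip ipsec policy group add name=fgt-branch
/ip ipsec policy group add name=fritz-home
/ip ipsec policy add group=fgt-branch template=yes \
    src-address=10.0.0.0/24 dst-address=10.10.0.0/24 \
    proposal=ike2-dialup-prop
/ip ipsec policy add group=fritz-home template=yes \
    src-address=10.0.0.0/24 dst-address=192.168.178.0/24 \
    proposal=ike2-dialup-prop

# Identities: matched by the remote IKEv2 ID, not by IP, so each site has
# its own PSK and policy group behind the single ::/0 peer.
/ip ipsec identity add peer=dialup-ike2 auth-method=pre-shared-key \
    secret="REPLACE-ME-branch" my-id=fqdn:hub.example.net \
    remote-id=fqdn:fgt-branch.example.net match-by=remote-id \
    policy-template-group=fgt-branch generate-policy=port-strict
/ip ipsec identity add peer=dialup-ike2 auth-method=pre-shared-key \
    secret="REPLACE-ME-fritz" my-id=fqdn:hub.example.net \
    remote-id=fqdn:fritz-home.example.net match-by=remote-id \
    policy-template-group=fritz-home generate-policy=port-strict
```

Peers with a fixed public address (the static-IP Fortigate and the wAP ac LTE) keep their own peer entries with that address, so they never fall into the catch-all ::/0 entry.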
