Generally speaking, it's possible to run IPsec with dynamic addresses, but it's a real pain in RouterOS. Also, generally speaking, the hub site should be running a static IP, as that simplifies the spoke setup. I get the financial concerns, but a dynamic hub IP doesn't do anything at all for security. The vast majority of attacks you'll see are the result of a port scan across huge network ranges; you don't escape those by having a dynamic IP. Anyone targeting you specifically is not going to be deterred by a changing IP address. You need to protect the hub router either way, with the same mechanisms.

I don't use IPsec as the remote stations are on dynamic IP addresses - is it possible to run IPsec with dynamic addresses? For the moment the main office has a fixed IP address, but I have to pay extra for that and would sooner do away with it as it encourages attacks etc.