I just "upgrade" my configuration to certificates/rsa signature.
And with static IP it works well.
Now I tried out to set the peer IP 0.0.0.0 and set generate policy = yes.
In this case I have to remove the policies of the "concentrator", correct?
this is the config
MT1 (concentrator): 192.168.1.1 (labo setup) /ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \ name=default pfs-group=modp1024 /ip ipsec peer add address=0.0.0.0/32:500 auth-method=rsa-signature certificate=cert1 \ dh-group=modp1024 disabled=no dpd-interval=disable-dpd \ dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive \ [b] generate-policy=yes[/b] hash-algorithm=md5 lifebytes=0 lifetime=1d \ nat-traversal=no proposal-check=obey remote-certificate=cert2 \ send-initial-contact=no MT2 (remote office) 192.168.1.2 (labo setup) /ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \ name=default pfs-group=modp1024 /ip ipsec peer add address=192.168.1.1/32:500 auth-method=rsa-signature certificate=cert2 \ dh-group=modp1024 disabled=no dpd-interval=disable-dpd \ dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive \ [b]generate-policy=no[/b] hash-algorithm=md5 lifebytes=0 lifetime=1d \ nat-traversal=yes proposal-check=obey remote-certificate=cert1 \ send-initial-contact=yes /ip ipsec policy add action=encrypt disabled=no dst-address=172.16.12.0/24:any \ ipsec-protocols=esp level=require priority=0 proposal=default protocol=\ all sa-dst-address=192.168.1.1 sa-src-address=0.0.0.0 src-address=\ 192.168.10.0/24:any tunnel=yes add action=encrypt disabled=no dst-address=10.0.0.0/8:any ipsec-protocols=esp \ level=require priority=-2147483646 proposal=default protocol=all \ sa-dst-address=192.168.1.1 sa-src-address=0.0.0.0 src-address=\ 192.168.10.0/24:any tunnel=yes
I tried setting on MT2 the sa-src-address=0.0.0.0 and 192.168.1.2, BUT it doesn't works
please please help me, I'm not far I need a concrete confi example.
regards
Stefano