Is it possible to set up IKEv2 in response-only mode with a dynamic remote peer IP address?
In the "IPsec IKEv2 Tunnel" you can configure 0.0.0.0/0 as the remote peer when you set "Initiates Tunnel" to no. But then I always get a "no proposal chosen" failure from the NG Firewall when the remote peer tries to connect.
Other vendors can manage this, and I think the problem is that the NG Firewall cannot match the initiator request to any existing tunnel configuration because it does not know the peer ID at this moment. But in IKEv2 it should respond with one of the requested and supported proposals, so that the SA_AUTH is possible and the remote client can send its ID, so the NG Firewall can match the connection to a configured tunnel configuration.
Has anyone got such a scenario working yet?
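For comparison, here is what the "responder-only, dynamic peer address, match on IKE identity" setup looks like on another IKEv2 implementation. This is an added example in strongSwan `swanctl.conf` syntax, not configuration from the original post and not NG Firewall syntax; the connection name, identities, subnets and the pre-shared secret are placeholders. The responder accepts IKE_SA_INIT from any address (`remote_addrs = %any`), answers with a proposal it supports, and only selects the matching connection and PSK once the peer presents its ID in IKE_AUTH.

```conf
# strongSwan swanctl.conf (added example; all names and values are placeholders)
connections {
    # Responder-only tunnel for a peer whose public IP is not known in advance.
    branch-dynamic {
        version = 2                      # IKEv2 only
        local_addrs  = 203.0.113.10      # placeholder: this gateway's public address
        remote_addrs = %any              # accept IKE_SA_INIT from any source address

        # Proposals offered in the IKE_SA_INIT response; the responder picks the
        # first entry that intersects the initiator's list, so a "no proposal
        # chosen" here means nothing overlapped.
        proposals = aes256-sha256-modp2048,aes256gcm16-prfsha256-ecp256

        local {
            auth = psk
            id = gw.example.net          # placeholder FQDN identity
        }
        remote {
            auth = psk
            id = branch1.example.net     # peer is matched on this IKE ID in IKE_AUTH,
                                         # not on its (unknown) source address
        }

        children {
            branch-net {
                local_ts  = 10.0.0.0/24     # placeholder local subnet
                remote_ts = 10.1.0.0/24     # placeholder remote subnet
                esp_proposals = aes256gcm16-ecp256
                start_action = none         # never initiate; wait for the peer
                dpd_action = clear
            }
        }
    }
}

secrets {
    # PSK is looked up by the peer's IKE identity after IKE_AUTH is decrypted,
    # which is why a fixed peer IP is not required.
    ike-branch1 {
        id = branch1.example.net
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder
    }
}
```

Two points worth checking on any implementation that behaves like the NG Firewall described above: first, a "no proposal chosen" in the IKE_SA_INIT reply is decided purely on the cipher suite lists, before any identity is known, so make sure the proposal sets actually intersect; second, with certificate or PSK authentication the responder can always derive the IKE keys from the Diffie-Hellman exchange and decrypt IKE_AUTH, so matching the tunnel on the peer's IKE ID rather than its address is standard IKEv2 behaviour, not a vendor extension.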