I will have multiple users at a remote site connecting into my local site using IKEv2. I have created my first IKEv2 server on my Mikrotik and it seems to work well. So now I want to somehow treat some remote users (managers) differently in terms of filter rules, and possibly also set upload/download limits, etc. Since the managers can be uniquely identified by their certificate, I think I need to use the cert to handle them differently, with the goal of applying filter rules unique to them

I'm very new to IKE/IPsec so I'm looking for help on HOW best to achieve this.

I THINK that I need to create a new 'identity' which identifies them by their cert, and then assigns them IP's from a different pool (with a different interface, different local IP). Then I can use that IP pool range to create unique rules for them.

If I copy the identity and change "Match By" to certificate, is that all I need to do? Can they share the same policies, group, proposals,peer, profile? Just need a different MODE CONFIG to assign IP's from the different pool?

Out of curiosity, how would a Win10 client specify the 'user fqdn' / 'fqdn' / 'key id'? There doesn't seem to be such an option in the Win10 VPN client.

I will have multiple users at a remote site connecting into my local site using IKEv2.
...
I THINK that I need to create a new 'identity' which identifies them by their cert, and then assigns them IP's from a different pool (with a different interface, different local IP). Then I can use that IP pool range to create unique rules for them.

Correct, except the interface, there is none.

If I copy the identity and change "Match By" to certificate, is that all I need to do? Can they share the same policies, group, proposals,peer, profile? Just need a different MODE CONFIG to assign IP's from the different pool?

To make it work, it is indeed enough to link the pool to a certificate via mode-config and identity. However, if you want to use every least bit of available security measures, you may want to use dedicated policy templates, allowing only addresses from the pool as dst-address. As the identity refers to policy template group, this means to create a group per pool, and a corresponding policy template in each group.

Out of curiosity, how would a Win10 client specify the 'user fqdn' / 'fqdn' / 'key id'? There doesn't seem to be such an option in the Win10 VPN client.

No way. Except if authentication by machine certificate is chosen, it always uses ADDR4 as the initiator ID. You can modify quite a lot of IPsec parameters using Powershell, but not these.

I'm not sure I understand:

except the interface, there is none.

Are you saying I should just apply a second IP address to the existing VPN bridge interface I created?

What I am saying is that IPsec on Mikrotik doesn't create any virtual interfaces, and you also don't need to add any address at the router side. Bare IPsec steals packets matching its traffic selectors and redirects them via the IPsec connection.

So whe the Windows client connects using IKEv2, you'll see a dynamically added IPsec policy with the address assigned to the client as dst-address and 0.0.0.0/0 as src-address. When a packet arrives from the client, its in-interface is the WAN interface through which its IKEv2 connection has been established. When you want to send a packet to the client, it must be routed "somewhere", but instead of being actually sent down the out-interface chosen by the normal routing, it gets intercepted by the IPsec policy, encrypted, and sent down the security association linked to that policy.

So your firewall rules must refer to the IP address ranges matching the pools used for different categories of IPsec clients. As the policies are created dynamically, you may want to use also in-interface(-list) and ipsec-policy=in,ipsec to match the packets from the clients, in order to prevent packets from same IP addresses from leaking in when no policy exists for them (if a policy exists, packets that inverse-match it but did not come in via the security association linked to that policy are silently dropped).

And btw, have I understood properly that you consider using a common certificate for multiple IPsec initiators? Because doing so is technically possible but it is a very bad idea. The Windows embedded client is unfortunately unable to request the password for the private key of the certificate at VPN login, so if someone steals the client PC, you have to install new certificates on all the remaining ones.

I see your point...sharing a cert is risky.

I'm investigating using a UN/PW (in Win10 VPN client ) to identify users but apparently Mikrotik firmware pre 7.2 can't do this in a way compatible with Win10. (Discussed in another thread)

Pre 7.x to be precise.

Whereas creating a client certificate the right way (i.e. generating a CSR on the Windows, delivering it to the CA for signing, and importing the signed certificate back to the Windows) is complicated on the Windows to put it softly, I haven't found any way how to do this on Android. So you may end up with the "wrong" way anyway, where you create the certificates including the private keys somewhere else and import them to the clients. And whilst this approach is less secure, it is also much less complicated.