Well, understand, I don’t have a choice to be going and changing the remote equipment.
Most of them are brand new Juniper SRX300 series units. EVERY Juniper/Netscreen unit I’ve used supports Main-Mode and Aggressive – but my understanding was/is that aggressive mode is what’s used when one end is dynamic. Main-mode only works when both ends are static. (feel free to correct me if I’m wrong – I’m going to be researching it now anyway)
While I understand that aggressive mode allows for plain-text auth transmission, Juniper had a tech article rating that vulnerability as “low” as long as quality PSKs and IDs are used.
In any case, from what you describe though, it’s probably worth loading up IPfire and checking to see if it will work.
I have a Juniper SSG140 as a backup plan (actually, it was my original plan, but I use that as a test router on my network for configuring client equipment before shipping it to them so the device is ready to plug into the network) – and the PC based firewalls have a lot of nice features.
Also, I could get an SRX300 series if I wanted… but honestly I kinda hate the interface and the limited set of features.
I was really disappointed to see OPNsense couldn’t handle remote VPNs without needing their IP address.
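For reference, the arrangement the post describes (a hub with a static address accepting an IKEv1 peer whose address changes, using a PSK) looks like this in Junos set-format on the SRX side. This is an added example, not the poster's configuration; the proposal/policy/gateway names, the interface, the hostname ID and the PSK are placeholders. With IKEv1 and a PSK, a dynamic peer is looked up by the identity it sends, so the policy is set to aggressive mode and the peer is matched on its FQDN rather than its IP; the PSK should be long and random, since that and the ID are what the poster's cited Juniper guidance relies on.

```junos
# Hub-side SRX: IKEv1 aggressive mode for a dynamic-address peer (added example, placeholders throughout)

# Phase 1 proposal: PSK auth with strong DH group, hash and cipher
set security ike proposal ike-prop-branch authentication-method pre-shared-keys
set security ike proposal ike-prop-branch dh-group group14
set security ike proposal ike-prop-branch authentication-algorithm sha-256
set security ike proposal ike-prop-branch encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-branch lifetime-seconds 28800

# Policy: aggressive mode is what allows a peer with no fixed IP to be identified
set security ike policy ike-pol-branch mode aggressive
set security ike policy ike-pol-branch proposals ike-prop-branch
set security ike policy ike-pol-branch pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK"

# Gateway: no 'address' statement; the peer is matched on the FQDN it presents as its IKE ID
set security ike gateway gw-branch ike-policy ike-pol-branch
set security ike gateway gw-branch dynamic hostname branch1.example.com
set security ike gateway gw-branch external-interface ge-0/0/0.0
set security ike gateway gw-branch version v1-only

# Remote (dynamic) side, for comparison: it points at the hub's static address and sends the matching ID
set security ike gateway gw-hub address 203.0.113.10
set security ike gateway gw-hub local-identity hostname branch1.example.com
set security ike gateway gw-hub ike-policy ike-pol-branch
set security ike gateway gw-hub external-interface ge-0/0/0.0
```

The two gateway blocks belong on different boxes; they are shown together only so the `dynamic hostname` on the hub and the `local-identity hostname` on the branch can be seen to match. The hub address 203.0.113.10 is a documentation-range placeholder.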