I have the same situation. You cannot have a traditional S2S VPN with a shared public IP on one end. Dynamic addresses are not the issue as long as they are dedicated and not shared. I fixed the issue by setting up the Rut as a VPN client (IPsec) and using the central (static) firewall as its endpoint. When the tunnel is established, bidirectional traffic can flow over the VPN tunnel. Some firewalls call it dynamic VPN, others dialup. In this situation the Rut is the initiator of the VPN and the central firewall is the passive listener waiting for an inbound VPN tunnel.