Hi!
I just upgraded my phone to Android 13 to discover that L2TP/IPsec VPN does not work anymore.
So, I read, one has to move to IKEv2. I googled for a while, read a few notes that different people wrote (this, for example, http://forum.mikrotik.com/t/getting-ipev2-ipsec-psk-mikrotik-android-13-vpns-working-and-maybe-other-key-sharing-methods-too/169573/1). My router (RB2011) also used to have an old version of RouterOS (6.40.9 actually), so I also decided to upgrade to 7.16.2 through a line of 6.49 → 7.12 → 7.16. After all of that it turned out that all the old settings are working just fine, including my L2TP/IPsec. So, I started to configure IKEv2, with an old pool of IP addresses:
/ip pool add name=l2tp-pool ranges=10.161.1.104-10.161.1.110
/ip ipsec mode-config add name=ike2-config address-pool=l2tp-pool address-prefix-length=32
/ip ipsec policy group add name=ike2-group
/ip ipsec profile add name=ike2-profile dh-group=\
ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 proposal-check=claim
/ip ipsec peer add name=ike2-peer comment="Listen incoming IKEv2 connections" exchange-mode=ike2 passive=yes profile=ike2-profile
/ip ipsec proposal add name=ike2-proposal auth-algorithms=sha512,sha256 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-\
256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" lifetime=31m pfs-group=modp2048
/ip ipsec policy add comment="Policy to be used in IKEv2-identity and IKEv2-policy" group=ike2-group proposal=ike2-proposal template=yes
/ip ipsec identity add comment="Identity to be used in IKEv2" generate-policy=port-strict \
mode-config=ike2-config my-id=fqdn:ZZZ.ZZZ.ZZZ peer=ike2-peer policy-template-group=ike2-group
“ZZZ.ZZZ.ZZZ” is my domain name for the connection (its IP is real and static). After all of that the IKE connection was established successfully, but there is no traffic going between the peers! The firewall settings are the same as in the old L2TP/IPsec times:
/ip firewall filter
add action=accept chain=input comment="Allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Open L2TP/IPsec connections" connection-state=new dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
Forums say one has to add a NAT rule above masquerading, so I did, and even rebooted the router to flush whatever stays in active connections:
/ip firewall address-list add address=10.161.1.104-10.161.1.110 comment="Addresses from VPN (same as L2TP)" list=IKEv2-pool
/ip firewall nat add action=accept chain=srcnat src-address-list=IKEv2-pool
Trying again makes no difference! No matter what I did, the connection stays established but no internal IPs are accessible. Looking at the logs does not seem to tell anything useful: I can see all the IPsec negotiations, proposals, authentication and finally getting the right IP from the pool. I can also see what looks like an IPsec heartbeat:
08:30:50 ipsec,debug ipsec: 1 times of 1 bytes message will be sent to xxx.xxx.xxx.xx[5979]
08:30:50 ipsec,debug,packet ipsec: ff
08:31:10 ipsec,debug ipsec: KA: yy.yyy.yy.yyy[4500]->xxx.xxx.xxx.xx[5979]
where ‘xxx’ is an IP from my mobile and ‘yyy’ is the real IP of my server. What is somewhat bizarre is that when L2TP is working I can see an additional interface appearing. It is obviously a P-t-P between the configured local 10.161.1.101 and whatever the mobile gets from the pool. This interface shows some traffic going, etc. In the case of IKEv2 there is no such thing.
I am obviously doing something wrong here but can’t figure out what…
Thanks!
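The following diagnostic sequence is an added example for readers of this thread; it is not part of the original post and not MikroTik's documentation. It walks the RouterOS 7 checks a practitioner would run to see where traffic from an IKEv2 mode-config client is being dropped. The object names it references (ike2-peer, IKEv2-pool, the 10.161.1.104-110 pool) are taken from the post above; the rule positions and the comment text are assumptions. Note that RouterOS IKEv2 with mode-config is policy-based: unlike L2TP, no virtual interface is created, and traffic is selected only by the dynamically generated policies, so the absence of a P-t-P interface is expected rather than a fault.

```routeros
# Added diagnostic example (not from the original post or MikroTik docs).
# Names ike2-peer / IKEv2-pool come from the post; everything else is assumed.

# 1. Confirm the phone is up as an IKEv2 peer and received an address
#    from the mode-config pool (dynamic-address column).
/ip ipsec active-peers print detail

# 2. A dynamic policy must have been generated from the ike2-group template
#    for the client address. IKEv2 has no interface: if this list is empty,
#    the template selectors (src/dst address) did not match the proposal.
/ip ipsec policy print where dynamic

# 3. Both ESP security associations (one per direction) should be installed
#    for the client; a missing direction means phase 2 did not complete.
/ip ipsec installed-sa print

# 4. The srcnat accept rule must be matched BEFORE masquerade; otherwise
#    replies to the client are rewritten and no longer match the policy.
/ip firewall nat print
# If the accept rule sits below masquerade, move it to position 0:
/ip firewall nat move [find src-address-list=IKEv2-pool action=accept] 0

# 5. While pinging an internal host from the phone, watch the per-policy
#    counters. Counters stuck at zero point at a selector or NAT mismatch
#    rather than at a firewall filter drop.
/ip ipsec policy print stats
/ip ipsec statistics print
```

Run steps 1 to 3 first: if the dynamic policy and both SAs exist, the tunnel itself is fine and the problem is on the forwarding or NAT side (steps 4 and 5); if they are missing, the problem is in the policy template or proposal, not the firewall.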