The IPsec Xauth PSK NAT-T roadwarrior config (the Android-compatible one) still seems to be broken (since v6.38): phase 2 fails. I also tried 6.38.3, 6.38.4 and 6.39rc45, with the same results.
Reverting to v6.37.4 (or 6.37.3 or older) removes the problem. No changes are made to the configuration.
mar/09 00:15:55 ipsec,info respond new phase 1 (Identity Protection): y.y.y.y[500]<=>x.x.x.x[29243]
mar/09 00:15:55 ipsec,info ISAKMP-SA established y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624
mar/09 00:15:55 ipsec,info XAuth login succeeded for user: ipsecuser
mar/09 00:15:55 ipsec,info acquired y.y.z.z address for x.x.x.x[24396]
mar/09 00:15:56 ipsec,error x.x.x.x failed to pre-process ph2 packet.
mar/09 00:15:59 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:02 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:05 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:08 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:11 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:14 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:17 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:20 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:23 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:18:20 ipsec,info purging ISAKMP-SA y.y.y.y[4500]<=>x.x.x.x[24396] spi=c8dc4a12a919f674:041afe17fc36e624:fefba073.
mar/09 00:18:21 ipsec,info ISAKMP-SA deleted y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624 rekey:1
The same issue was already reported by GioMac in the v6.38 thread (I haven’t noticed any reply or acknowledgement):
http://forum.mikrotik.com/t/v6-38-current-is-released/104797/1
Does v6.38+ need some configuration changes for this type of IPsec setup or is this a bug?