After I had big problems with IPsec in 6.44.1 on a hAP ac, I stayed on 44.1 for a while. Thinking that beta31 already had those issues fixed, I tried to upgrade with the following IPsec configuration:
/ip ipsec peer
add exchange-mode=ike2 name=router passive=yes
/ip ipsec policy group
add name=RoadWarrior
/ip pool
add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
add address-pool=vpn2 name=RW-cfg split-include=\
192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec identity
add generate-policy=port-strict mode-config=RW-cfg my-id=\
fqdn:router.mydns.com peer=router policy-template-group=RoadWarrior
/ip ipsec policy
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
template=yes
add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
0.0.0.0/0 template=yes
After the upgrade, the CPU was at 100%, most of it in ipsec, and /export would stop
after /ip hotspot, just where /ip ipsec should be printed, until I Ctrl-C'd it.
Same problem as before.
The router was sluggish, but I could select long-term and downgrade to 6.43.13.
Then the machine came up, but SSH was not responding. I got suspicious and checked: telnet was working. When
I got in, security was disabled. I re-enabled it, rebooted, and the following IPsec configuration appeared:
/ip ipsec policy group
add name=RoadWarrior
/ip pool
add name=vpn2 ranges=192.168.90.2-192.168.90.254
/ip ipsec mode-config
add address-pool=vpn2 name=RW-cfg split-include=\
192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
add exchange-mode=ike2 passive=yes
/ip ipsec policy
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 \
template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 \
template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 \
template=yes
add disabled=yes dst-address=192.168.90.0/24 group=RoadWarrior src-address=\
0.0.0.0/0 template=yes
I copied the IPsec config away, since it was broken in any case, and tried an experiment: remove all IPsec config, piece by piece,
until /ip ipsec export produced only an empty comment. Then I upgraded, and got:
- 6.44.2 (100% CPU, could not get /ip ipsec export working)
- 6.45beta31 (same: 100% CPU, could not get /ip ipsec export working).
Is RouterOS keeping all configs hidden somewhere, or where is this 100% CPU spinning coming from?
I settled for returning to long-term and reconstructing my IPsec config, changing it to xauth and adding users. It is now working well. I was trying to test IKEv2,
but instead I'm now stuck on long-term.
Any way to empty ipsec and upgrade to 6.44.2 or 6.45betas without CPU spinning at 100%?
Thanks for any help, things are getting messy on this router. Other routers are having no problems at all with IPsec on 6.44/6.45beta. I have a production hAP ac running 6.44, as I'm afraid to update it and get the same behaviour.
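The "remove it piece by piece until /ip ipsec export is empty" experiment from the post, written out as one command sequence in dependency order. This is an added example, not commands from the original poster; it assumes RouterOS 6.44 or later (where the identity menu exists; on 6.43 skip that line), the built-in objects that cannot be removed (policy group default, mode-config request-only, profile default, proposal default, the template policy in group default), and arbitrary names for the backup files.

```routeros
# Added example (not from the original post): snapshot the IPsec configuration,
# then remove every non-default IPsec object in dependency order, so that
# "/ip ipsec export" afterwards prints nothing but its header comment.
# Run from a terminal on the router. File names are arbitrary choices.

# 1. Keep copies of what is about to be removed (the export is text, the
#    backup restores everything if the experiment goes wrong).
/ip ipsec export file=ipsec-before-cleanup
/system backup save name=before-ipsec-cleanup

# 2. Policies first: they reference peers, policy groups and proposals.
#    Dynamic policies (generated from templates) vanish with their peers and
#    cannot be removed by hand, so only static ones are touched. The
#    built-in template in group "default" stays.
/ip ipsec policy remove [find where dynamic=no and template=no]
/ip ipsec policy remove [find where template=yes and group!=default]

# 3. Identities reference peers, mode-config and policy groups
#    (6.44+ only; the menu does not exist on 6.43 long-term).
/ip ipsec identity remove [find]

# 4. Peers reference profiles.
/ip ipsec peer remove [find]

# 5. Objects that nothing refers to any more. The built-in entries are
#    filtered out because RouterOS refuses to remove them anyway.
/ip ipsec mode-config remove [find where name!=request-only]
/ip ipsec policy group remove [find where name!=default]
/ip ipsec profile remove [find where name!=default]
/ip ipsec proposal remove [find where name!=default]

# 6. Drop any security associations still installed from the old config.
/ip ipsec installed-sa flush

# 7. Verify: only the "# ... by RouterOS ..." header comment should remain.
#    Note that the address pool (/ip pool vpn2) is not part of /ip ipsec
#    export; remove it separately if it should go as well.
/ip ipsec export
```

The order matters because RouterOS refuses to remove an object that another one still references (a peer used by an identity, a policy group used by a policy template), so removing from the leaves inward avoids having to retry commands. Step 1 is what makes the experiment reversible: `/system backup load name=before-ipsec-cleanup` restores the whole configuration if the empty export does not change the CPU behaviour.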