I’m facing a weird problem with both 6.42 and 6.43rc on my hAP ac2.
Whenever I choose anything other than sha1 for my ipsec peer proposal, the ipsec client just keeps “crashing” and packets never reach the server.
Another problem: when switching to sha1, the router never acknowledges the IKE2 response.
It will send 2 retransmits, then time out and restart. The server (strongswan) sees the retransmits and replies every time.
I can see the packets coming on 4500/udp using the packet sniffer, and the firewall rules match, but for some reason they are ignored.
The only question which comes to my mind is whether your firmware is aligned with the RouterOS version (in /system routerboard print, check whether current-firmware and upgrade-firmware are the same). On my machine running 6.42 (but I admit it is a hAP ac lite, not hAP ac²), setting hash-algorithm=sha256 on a peer with exchange-mode=ike2 does not cause the ipsec subsystem to keep restarting.