Changing pfs-group didn't help...
Here's my config (sorry, it's a bit messy - I'll clean it up once I get it working):
Main router:
# Main router IPsec configuration (RouterOS export). The '#' lines are review
# notes; the commands themselves are unchanged.
/ip ipsec mode-config
# Road-warrior clients get one /32 each from this pool via mode-config.
add address-pool=ipsec-roadwarrior-pool address-prefix-length=32 name=ipsec-roadw
/ip ipsec peer profile
# Phase 1 (IKE) profiles. Every explicit dh-group is modp1024 (1024-bit MODP),
# which is below current guidance for IKE key exchange. Profiles that do not
# set enc-algorithm/hash-algorithm fall back to the RouterOS defaults
# (presumably aes-128/sha1 - confirm on this RouterOS version).
# profile_1, profile_2 and profile_3 are not referenced by any peer below.
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_1
# nat-traversal=no disables NAT-T, so a peer behind NAT could not use this profile.
add dh-group=modp1024 name=profile_2 nat-traversal=no
add dh-group=modp1024 name=profile_3
# Used by the RoadWarrior peer. 3des is a legacy cipher offered alongside AES;
# drop it once no client depends on it. No dh-group is set here, so the
# RouterOS default applies - check it matches what the clients offer.
add enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=profile_4
# Used by the Routers (remote site) peer.
add dh-group=modp1024 name=profile_5
/ip ipsec policy group
add name=default
add name=RoadWarrior
add name=Routers
/ip ipsec proposal
# Phase 2 proposal shared by all policies. pfs-group=none means no perfect
# forward secrecy for the child SAs: a compromised IKE key would also expose
# previously captured ESP traffic. 3des is offered here as well, and
# auth-algorithms is left at its default (not shown in the export).
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none
/ip ipsec peer
# Both peers accept any source (0.0.0.0/0), are responders only (passive=yes)
# and authenticate with certificates issued by ca-2019.
# RoadWarrior: IKEv2 with mode-config; policies are generated from the
# RoadWarrior templates. remote-certificate=client-2019 pins one specific
# client certificate, so every road-warrior would have to present exactly that
# cert (and share its private key) - presumably only intended for testing.
# NOTE(review): the certificate print below shows client-2019 with its private
# key (K flag) still present on this router as well as on the remote one.
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server-2019 comment="RoadWarrior Config - 2019" exchange-mode=ike2 generate-policy=port-strict mode-config=ipsec-roadw passive=yes policy-template-group=RoadWarrior profile=profile_4 remote-certificate=client-2019 send-initial-contact=no
# Routers: no exchange-mode given, so presumably IKEv1 main mode (confirm the
# default). No remote-certificate is set, so presumably any certificate that
# chains to a trusted CA in the store is accepted for this peer.
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server-2019 comment="Routers connection (client/server 2019)" generate-policy=port-override passive=yes policy-template-group=Routers profile=profile_5 send-initial-contact=no
/ip ipsec policy
# 'set 0' modifies the existing policy 0 rather than adding a new one.
set 0 dst-address=172.23.111.0/24 group=RoadWarrior src-address=0.0.0.0/0
# Templates (template=yes): a generated policy has to fit inside the template's
# src/dst ranges. The 172.23.200.0/24 Routers template is the one the remote
# router's 172.23.200.221/222 policy would need to match.
add dst-address=172.23.111.0/24 group=RoadWarrior src-address=172.23.2.0/24 template=yes
add dst-address=172.23.111.0/24 group=RoadWarrior src-address=172.23.3.0/24 template=yes
add dst-address=172.23.200.0/24 group=Routers src-address=0.0.0.0/0 template=yes
add dst-address=172.23.222.0/24 group=Routers src-address=172.23.222.0/24 template=yes
add dst-address=172.23.3.0/24 group=Routers src-address=0.0.0.0/0 template=yes
add dst-address=192.168.100.0/24 group=Routers src-address=0.0.0.0/0 template=yes
add dst-address=192.168.3.0/24 group=Routers src-address=0.0.0.0/0 template=yes
/ip ipsec user
# XAUTH-style user entry; neither peer above uses an xauth auth-method, so this
# entry looks unused by the shown configuration (confirm before removing).
add address=172.23.254.2 name=user8
Certificates on the main router:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 name="client2" common-name="client2" key-size=2048 days-valid=365 key-usage=tls-client
fingerprint="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
1 K L A T name="512.ca" common-name="512.ca" key-size=2048 days-valid=3650 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign ca-crl-host="1.1.1.1" serial-number="02D9B940277173D4"
fingerprint="302bf9b2971a3a6196f32b034594300feb34c5157a46bff2e16a641ba60181a0" invalid-before=may/12/2017 20:55:25 invalid-after=may/10/2027 20:55:25
expires-after=432w6d22h32m9s
2 K I T name="512.srv" common-name="512.srv" key-size=2048 days-valid=3650 trusted=yes key-usage=tls-server,tls-client ca=512.ca serial-number="3BFBF1BBE96C9D6F"
fingerprint="bc56829e6db31e3f7fbcf6180658432a106c40219fc2f937e6fac601ee2e4367" invalid-before=may/12/2017 20:55:41 invalid-after=may/10/2027 20:55:41
expires-after=432w6d22h32m25s
3 K I name="512.client8" common-name="512.client8" key-size=2048 days-valid=3650 trusted=no key-usage=tls-client ca=512.ca serial-number="2C0C27BB1ADFAD30"
fingerprint="d1f026111c61b05b43b1b9cf4fc794cb64007ee62131bdf546067503afffb402" invalid-before=may/12/2017 20:56:02 invalid-after=may/10/2027 20:56:02
expires-after=432w6d22h32m46s
4 K I name="512.client2" common-name="512.client2" key-size=4096 days-valid=3650 trusted=no key-usage=tls-client ca=512.ca serial-number="2DC5F644632278A0"
fingerprint="203da662b9ff643b88c66f7f706e7459368db6abdfdafade994484bd0b6d71a0" invalid-before=may/12/2017 22:09:00 invalid-after=may/10/2027 22:09:00
expires-after=432w6d23h45m44s
5 K L A T name="ca-2019" common-name="ca-2019" key-size=2048 days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca-crl-host="1.1.1.1"
serial-number="6462BB2869AABE17" fingerprint="f66dcc73d9d0a346518a7b369d15713b2f0474a4d78c0804eb29576f051d3094" invalid-before=jan/18/2019 10:56:40
invalid-after=jan/18/2020 10:56:40 expires-after=51w4d12h33m24s
6 K I T name="server-2019" common-name="1.1.1.1" key-size=2048 subject-alt-name=IP:1.1.1.1 days-valid=365 trusted=yes key-usage=tls-server ca=ca-2019
serial-number="21CDE79657E0DB1E" fingerprint="f703e33ff5b53e52aebcf19ed513d67c72b976a4f87229e8d9d96d93b67c66bf" invalid-before=jan/18/2019 11:01:15
invalid-after=jan/18/2020 11:01:15 expires-after=51w4d12h37m59s
7 K I T name="client-2019" common-name="client-2019" key-size=2048 days-valid=365 trusted=yes key-usage=tls-client ca=ca-2019 serial-number="33370C811C7C16C4"
fingerprint="9cd78bea875e4a471d63d05cf4e0c3eb02dcbcfb87258241650ed0eb00b281aa" invalid-before=jan/18/2019 11:07:42 invalid-after=jan/18/2020 11:07:42
expires-after=51w4d12h44m26s
8 K L A T name="ca2019" common-name="ca2019" key-size=4096 days-valid=3650 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca-crl-host="cert.domain.com"
serial-number="65DE1F871A0F160B" fingerprint="d5f248396a3965f9480b3e5163a0129a8ba10ea4e63fe4b6abb284de84a2d825" invalid-before=jan/20/2019 00:41:47
invalid-after=jan/17/2029 00:41:47 expires-after=521w1d2h18m31s
9 K I name="server" common-name="cert.domain.com" key-size=4096 subject-alt-name=DNS:cert.domain.com days-valid=3650 trusted=no key-usage=tls-server ca=ca2019
serial-number="3205909231FD7841" fingerprint="3e4dc179b75c3c8b2bb69496a5265851bf5c22592f507c483142fb8761026de7" invalid-before=jan/20/2019 00:48:19
invalid-after=jan/17/2029 00:48:19 expires-after=521w1d2h25m3s
10 K I name="client" common-name="client" key-size=4096 days-valid=365 trusted=no key-usage=tls-client ca=ca2019 serial-number="58B093A2CAC7A0F6"
fingerprint="836d1f5430a7736051ff1f162313b2023cfe62313c3c35896aaecb9cf51d9326" invalid-before=jan/21/2019 10:31:44 invalid-after=jan/21/2020 10:31:44
expires-after=52w12h8m28s
Remote router:
# Remote router IPsec configuration (RouterOS export). The '#' lines are review
# notes; the commands themselves are unchanged.
/ip ipsec peer profile
# Both profiles are modp1024 (1024-bit MODP, below current guidance) with the
# default enc/hash algorithms (presumably aes-128/sha1 - confirm on this
# RouterOS version). profile_1 is not referenced by the peer below.
add dh-group=modp1024 name=profile_1
add dh-group=modp1024 name=profile_2
/ip ipsec proposal
# pfs-group=none mirrors the main router's proposal: no perfect forward secrecy
# for phase 2. enc-algorithms/auth-algorithms stay at their defaults.
set [ find default=yes ] pfs-group=none
/ip ipsec peer
# Initiator towards the main router; 1.1.1.1 matches the CN/SAN of its
# server-2019 certificate. No exchange-mode is set, so presumably IKEv1 main
# mode, whereas the main router's peer that pins client-2019 is the ike2
# RoadWarrior one - worth checking which main-router peer this session lands on.
# No remote-certificate here, so the main router is presumably verified only
# against the trusted CA store (which on this router still holds expired CAs).
add address=1.1.1.1/32 auth-method=rsa-signature certificate=client-2019 profile=profile_2
/ip ipsec policy
# Static tunnel policy between the two /32s; level=unique gives it its own SA
# pair. sa-src-address=0.0.0.0 presumably lets RouterOS pick the local SA
# address - confirm.
add dst-address=172.23.200.221/32 level=unique sa-dst-address=1.1.1.1 sa-src-address=0.0.0.0 src-address=172.23.200.222/32 tunnel=yes
Remote certificates:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 L A ET name="ca" issuer=CN=ca common-name="ca" key-size=2048 days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
serial-number="663F9F1BCE891A9A" fingerprint="f62aaa69e6d3e6c427dea315bd5ea84932235bf4cc53bad4d6289ed98e403fab"
invalid-before=mar/15/2017 20:53:31 invalid-after=mar/15/2018 20:53:31
1 K ET name="server-2018" issuer=CN=ca-2018 common-name="domain.com" key-size=2048 subject-alt-name=DNS:domain.com days-valid=365
trusted=yes key-usage=tls-server serial-number="6F2A7F0BC1013FB9"
fingerprint="2788f42e52ff4e25333ccd389959af117d5aabdc919535c1dbc7ae0b99281325" invalid-before=jan/18/2018 04:37:37
invalid-after=jan/18/2019 04:37:37
2 L A ET name="cert_export_server-2018.p12_1" issuer=CN=ca-2018 common-name="ca-2018" key-size=2048 days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
serial-number="6250493B594322E0" fingerprint="68c90ba269ed05d469f6ec7293a532851a556fae1a30892253623d6da636101e"
invalid-before=jan/18/2018 04:35:45 invalid-after=jan/18/2019 04:35:45
3 K ET name="client1-2018" issuer=CN=ca-2018 common-name="client1-2018" key-size=2048 days-valid=365 trusted=yes key-usage=tls-client
serial-number="60B978B0BDF00A68" fingerprint="be6f39e5fffad078cd9b36b2b78fe413385c4b9abe87e772d5b247f3553e241c"
invalid-before=jan/18/2018 04:38:51 invalid-after=jan/18/2019 04:38:51
4 K T name="client-2019" issuer=CN=ca-2019 common-name="client-2019" key-size=2048 days-valid=365 trusted=yes key-usage=tls-client
serial-number="33370C811C7C16C4" fingerprint="9cd78bea875e4a471d63d05cf4e0c3eb02dcbcfb87258241650ed0eb00b281aa"
invalid-before=jan/18/2019 15:07:42 invalid-after=jan/18/2020 15:07:42 expires-after=51w4d12h49m31s
5 L A T name="ca-2019" issuer=CN=ca-2019 common-name="ca-2019" key-size=2048 days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
serial-number="6462BB2869AABE17" fingerprint="f66dcc73d9d0a346518a7b369d15713b2f0474a4d78c0804eb29576f051d3094"
invalid-before=jan/18/2019 14:56:40 invalid-after=jan/18/2020 14:56:40 expires-after=51w4d12h38m29s
6 K T name="client" issuer=CN=ca2019 common-name="client" key-size=4096 days-valid=365 trusted=yes key-usage=tls-client
serial-number="58B093A2CAC7A0F6" fingerprint="836d1f5430a7736051ff1f162313b2023cfe62313c3c35896aaecb9cf51d9326"
invalid-before=jan/21/2019 14:31:44 invalid-after=jan/21/2020 14:31:44 expires-after=52w12h13m33s
7 L A T name="ca2019" issuer=CN=ca2019 common-name="ca2019" key-size=4096 days-valid=3650 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
serial-number="65DE1F871A0F160B" fingerprint="d5f248396a3965f9480b3e5163a0129a8ba10ea4e63fe4b6abb284de84a2d825"
invalid-before=jan/20/2019 04:41:47 invalid-after=jan/17/2029 04:41:47 expires-after=521w1d2h23m36s