<t>Hi folks!</t>
This post is about ipsec in ac2 lite. Completely not work.
I compare ac2 lite hardware & chr-6.45.1 same version image.

Step to reproduce.
1. Take of money and receive hap ac2 lite.
2. Unpack, powerON, login, set up ip.
3. Login via winbox & update to latest "stable" version.
3. Simple easy config as home router with static/dhcp ip. on ether1 (wan)
4. other home/bridge part not need to change. I mean ether2.....5, wifi1...2, bribge.... etc. This is default, exept internal network. I change from *.88 to 89. I mean 192.168.89.0/24 bridge 192.168.89.1
5. Install root & intermediate certs. Install user *.p12 with private key. all done via /certificate. All certs exported from own software. We are use XCA (qt required).
6. Import client config.

Where r.r.r.r - real ip address of strongswan server.

/ip ipsec mode-config
add name=ike2-rw responder=no
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha512 name=ike2-rw
/ip ipsec peer
add address=r.r.r.r/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=ike2-rw pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=mkt_tropo.p12_0 mode-config=ike2-rw peer=ike2-rw-client policy-template-group=
ike2-rw
/ip ipsec policy
add dst-address=10.3.0.0/16 level=unique peer=ike2-rw-client proposal=ike2-rw sa-dst-address=r.r.r.r sa-src-address=
0.0.0.0 src-address=192.168.89.0/24 tunnel=yes
add dst-address=192.168.88.0/24 level=unique peer=ike2-rw-client proposal=ike2-rw sa-dst-address=r.r.r.r \
sa-src-address=0.0.0.0 src-address=192.168.89.0/24 tunnel=yes
add dst-address=192.168.90.0/24 level=unique peer=ike2-rw-client proposal=ike2-rw sa-dst-address=r.r.r.r \
sa-src-address=0.0.0.0 src-address=192.168.89.0/24 tunnel=yes
add dst-address=192.168.91.0/24 level=unique peer=ike2-rw-client proposal=ike2-rw sa-dst-address=r.r.r.r \
sa-src-address=0.0.0.0 src-address=192.168.89.0/24 tunnel=yes
add dst-address=192.168.170.0/24 level=unique peer=ike2-rw-client proposal=ike2-rw sa-dst-address=r.r.r.r \
sa-src-address=0.0.0.0 src-address=192.168.89.0/24 tunnel=yes
================================================================================================


This configuration completely NOT work in Lite.
But work with AC2.
how it work......
1. /ip ipsec peer set local-address=0.0.0.0 numbers=0
wait 10-15 sec ...then do
/ip ipsec peer set local-address=192.168.89.1 numbers=0
wait 10-15 sec ...then do
/ip ipsec peer set local-address=0.0.0.0 numbers=0

NICE !!!!!! IPSEC working....

This is stupid hack!!!! add/remove local address.

===============================================================================


Virtual machine.
1. unzip image, dd if=unzipped of=/dev/vg27/mkt
2. startup && configure SAME (1:1) AS hardware mikrotik.
3. Working nice without hack.


======================
Strongswan server part.
conn mkt_tropo
ike=aes256-sha512-modp4096!
esp=aes256gcm16!
rightid="mkt_tropo"
rightsourceip=193.169.170.0/24
leftsubnet=10.3.0.0/16, 192.168.88.0/24, ..... subnets, as policy writed above.
rightsubnet=192.168.89.0/24
auto=add

all important things here.....


With best wishes)))