Hello,
After upgrading to 6.38 the IPsec tunnel doesn't work.
I downgraded to 6.37.3 and the tunnel works again.
I have a config that has worked for many years on every version before 6.38.

It is almost impossible to guess what IPsec config you have and what might not work.
Something is wrong.

# nov/22/2018 13:04:06 by RouterOS 6.43.4
# software id = 52XB-TREB
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxxxxxx
#
# Reviewer notes are the '#' lines between commands; every command is the original
# export, unchanged. The interface list "WAN" (used by the masquerade rule) and the
# bridge/interface sections are not part of this excerpt, so they cannot be checked
# here. 12.34.56.x, 65.43.21.x and the PSK look like placeholder values for posting.
/ip ipsec peer profile
# Phase 1: DH modp4096/modp2048, AES-256/192/128, SHA-256. nat-traversal=no, so the
# UDP/4500 filter rules further down only become relevant if NAT-T is enabled later.
set [ find default=yes ] dh-group=modp4096,modp2048 enc-algorithm=\
aes-256,aes-192,aes-128 hash-algorithm=sha256 nat-traversal=no
/ip ipsec proposal
# Phase 2: AES-256-CBC, SHA-256 auth, PFS modp2048 on both the default proposal and
# MyProposal (the one the vpn01 policy references).
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=MyProposal \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.5.101-192.168.5.254
add name=static_pool ranges=192.168.5.1-192.168.5.100
# "vpn" pool for the 192.168.89.0/24 clients; nothing in this excerpt assigns it to a
# PPP profile, so that is presumably in a section not shown.
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=12.34.56.122/30 interface=sw1-e1-WAN network=12.34.56.120
/ip cloud
# Router publishes its public address via MikroTik DDNS.
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for whatever the input chain
# admits; with the rules below that is bridge1, the 192.168.89.0/24 VPN pool and
# TCP/53 from bridge1. WAN-side queries fall through to the final input drop.
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall filter
# Rules are evaluated top-down; accept/drop end evaluation for that packet.
add action=accept chain=input connection-state=established,related
# The next two rules accept EVERY forwarded packet (no matcher at all). The second is
# an exact duplicate of the first, and together they make every later forward rule
# unreachable - the ipsec-policy=in,ipsec match for vpn01, the "Regel zum Surfen"
# rules and the final forward drop never see a packet. Either the router is meant to
# forward everything, or these are leftovers from testing; confirm before relying on
# any forward rule below.
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward connection-state=established,related
add action=accept chain=input in-interface=bridge1
add action=accept chain=input comment=ipsec-ike-natt dst-port=4500 protocol=\
udp
add action=accept chain=forward comment=\
"Test: Regel zum Surfen, Hausnetz, tcp" in-interface=bridge1 protocol=tcp \
src-address=192.168.5.0/24
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# vpn01: decrypted site-to-site traffic from the remote subnet. Shadowed by the two
# unconditional forward accepts above while those are active.
add action=accept chain=forward comment=vpn01 dst-address=192.168.5.0/24 \
in-interface=sw1-e1-WAN ipsec-policy=in,ipsec src-address=192.168.2.0/24
add action=accept chain=forward comment="Regel zum Surfen, vpn!" \
in-interface=bridge1 protocol=tcp src-address=192.168.89.0/24
add action=accept chain=forward comment=ipsec-ike-natt dst-port=4500 \
in-interface=sw1-e1-WAN protocol=udp
add action=accept chain=forward comment="allow IKE" dst-port=500 protocol=udp
# ESP accepted on input and forward from any source; connection-state="" is just the
# exported form of "no state matcher".
add action=accept chain=input comment=test connection-state="" protocol=\
ipsec-esp
add action=accept chain=forward comment=test connection-state="" protocol=\
ipsec-esp
# Exact duplicate of the "allow IKE" input rule above; redundant.
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# PPTP (TCP/1723) and SSTP (TCP/443) control ports are open to any source. PPTP's
# MS-CHAPv2/MPPE is considered weak; if the PPTP server is no longer used, this rule
# and the "Portforwarding pptp!" forward rule below can be dropped.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=53 in-interface=bridge1 protocol=tcp
add action=accept chain=forward comment="Portforwarding pptp!" dst-port=1723 \
protocol=tcp
# All input from the VPN pool subnet is accepted; which management services those
# clients can actually use is then decided by the address= limits under /ip service
# (www yes, ssh/winbox no).
add action=accept chain=input src-address=192.168.89.0/24
# 192.168.5.111 is not one of the router's own addresses shown above, so the input
# rule for it presumably only matters with a dst-nat or an address not in this
# excerpt - TODO confirm.
add action=accept chain=forward dst-address=192.168.5.111
add action=accept chain=input dst-address=192.168.5.111
add action=drop chain=forward comment="Regel zum Surfen"
# Default-deny for input, logged with prefix "Drop Input".
add action=drop chain=input log=yes log-prefix="Drop Input"
/ip firewall mangle
# Both connection-mark rules are disabled; no effect at present.
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes \
ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes \
ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
# The srcnat accept for site-to-site traffic sits above the masquerade rules, as it
# must. Note that the raw notrack rules below take this traffic out of connection
# tracking entirely, so NAT does not process it anyway.
add action=accept chain=srcnat comment=vpn01 dst-address=192.168.2.0/24 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
# Disabled leftovers. The accept rule uses dst-address-list / src-address-list with a
# subnet where an address-list NAME is expected, so it would not match as written
# even if enabled.
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
src-address=192.168.2.0/24
add action=accept chain=srcnat disabled=yes dst-address-list=192.168.2.0/24 \
out-interface=sw1-e1-WAN src-address-list=192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=sw1-e1-WAN
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.5.0/24 \
src-address=192.168.2.0/24
/ip firewall raw
# Both directions of the site-to-site traffic are marked notrack in prerouting: they
# bypass connection tracking, NAT, and any connection-state based filter rule. The
# filter chains still see them.
add action=notrack chain=prerouting dst-address=192.168.5.0/24 src-address=\
192.168.2.0/24
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
192.168.5.0/24
/ip firewall service-port
# Connection-tracking helpers disabled - reduces the conntrack attack surface.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec peer
# IKEv2 with a pre-shared key. The PSK is written in clear text by a plain export;
# `/export hide-sensitive` omits it. "geheim" is presumably a placeholder for the post.
add address=65.43.21.132/32 comment=vpn01 exchange-mode=ike2 secret=\
"geheim"
/ip ipsec policy
# Policy 0 (the default entry) is disabled; vpn01 selects 192.168.5.0/24 <->
# 192.168.2.0/24 in tunnel mode between the WAN address and the peer.
set 0 disabled=yes
add comment=vpn01 dst-address=192.168.2.0/24 proposal=MyProposal \
sa-dst-address=65.43.21.132 sa-src-address=12.34.56.122 src-address=\
192.168.5.0/24 tunnel=yes
/ip route
add distance=1 gateway=12.34.56.121
# Static routes for both tunnel subnets via bridge1. 192.168.5.0/24 is already a
# connected route on bridge1 (see /ip address), so that entry is redundant; the
# 192.168.2.0/24 route presumably exists only so the remote subnet is routable before
# the IPsec policy encapsulates it - TODO confirm that is the intent.
add comment=vpn01 distance=1 dst-address=192.168.2.0/24 gateway=bridge1
add comment=vpn01 distance=1 dst-address=192.168.5.0/24 gateway=bridge1
/ip service
# Management limited by source subnet: www from LAN + VPN pool, ssh/winbox from LAN +
# the remote site; telnet/ftp/api/api-ssl off. www is plain HTTP; www-ssl is not
# listed in this export, so its state cannot be seen here.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.5.0/24,192.168.89.0/24
set ssh address=192.168.5.0/24,192.168.2.0/24
set api disabled=yes
set winbox address=192.168.5.0/24,192.168.2.0/24
set api-ssl disabled=yes