I have an RB1200 in a company connecting to another location via an ipsec tunnel, working well. After the vpnfilter etc. bugs, I decided to upgrade to the last bugfix release, 6.40.8, and it completely broke the tunnel - although I am pretty sure I saw something like "established" in ipsec - remote peers after the upgrade, but the next morning, the company was totally offline. So I downgraded to 6.37.5, and voila - tunnel up again.
What the hell important has Mikrotik changed between 6.37.5 and 6.40.8 that it breaks ipsec tunnels? All I get is:
xx.xx.xx.xx peer sent packet for dead phase2
xx.xx.xx.xx failed to pre-process ph2 packet.
There was an L2TP VPN server before, so there are some older settings left, with no effect on the tunnel (at least in 6.37.5); all the tunnel settings are the newer ones under .
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1     src-address=192.168.5.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=yy.yy.yy.yy sa-dst-address=xx.xx.xx.xx proposal=xxxxxx priority=0

/ip ipsec peer print
Flags: X - disabled, D - dynamic
 0     address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret=xxxxxx generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
 1     address=xx.xx.xx.xx/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret=xxxxxx generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

/ip ipsec remote-peers print
 0 local-address=yy.yy.yy.yy remote-address=xx.xx.xx.xx state=established side=responder established=8h53m34s

/ip ipsec proposal print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=none
 1    name="xxxxxx" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024