I've been searching the whole internet for 2 days now to find the answer, but I'm failing... I can't say whether it is possible or not with Mikrotik RouterOS.
The problem I'm trying to solve: I'd like to replace my OpenVPN road warrior setup with an IPsec IKEv2 based solution. The main reason is that OpenVPN is slow, both in connecting and in throughput.
I know there are L2TP/IPsec and WireGuard in the arsenal for this, but I'd like to have a robust, secure VPN for server/network administration.
I like OpenVPN's ability to use server and user certificates AND user/password pairs at the same time to secure the connection.
With only a user/pass, one can guess, steal or otherwise obtain the user/pass and use it. I only use this for security-insensitive tasks.
With only certificates, if the device is stolen/lost, an attacker can easily connect with the certificate. I only use this on site-to-site tunnels, where the device can't be accessed physically.
If both are used at the same time, the certificate can't be guessed and can be revoked, and a stolen/lost device cannot connect without knowledge of the user/pass.
But I can't find out whether IKEv2 mutual RSA with user/pass (as strongSwan calls it) is possible somehow in RouterOS (as a server, with for example a Windows or Android client).
I already found that this is possible somehow with IKEv1 (in general; I don't know whether RouterOS does this or not), but IKEv2 doesn't support XAuth at all.
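For reference, this is what the strongSwan setup the post refers to looks like on the server side, as an added illustration that is not part of the original post and says nothing about RouterOS. strongSwan implements "mutual RSA with user/pass" as two client authentication rounds (RFC 4739 multiple authentication exchanges): the client first proves possession of a certificate (`rightauth=pubkey`), then authenticates with EAP-MSCHAPv2 username/password (`rightauth2=eap-mschapv2`). Hostnames, file names, usernames, passwords and the address pool below are placeholders.

```ini
# /etc/ipsec.conf  (strongSwan, ipsec.conf syntax)
config setup
    uniqueids=yes

conn ikev2-cert-plus-eap
    keyexchange=ikev2
    # Server side: authenticates with its own certificate
    left=%any
    leftid=@vpn.example.com
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Client side, round 1: must present a certificate issued by our CA
    right=%any
    rightauth=pubkey
    rightca="C=XX, O=Example, CN=Example VPN CA"
    # Client side, round 2: must additionally pass EAP-MSCHAPv2 user/pass
    rightauth2=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
    # Revoked client certs are rejected via the CA's CRL/OCSP as usual
    auto=add

# /etc/ipsec.secrets
# : RSA serverKey.pem
# alice : EAP "use-a-long-random-password"
```

A lost device that still holds the client certificate fails at round 2 without the password, and a leaked password fails at round 1 without a certificate signed by the CA, which is the property the post is after. The caveat to check before relying on this: both peers must implement RFC 4739 multiple authentication rounds. strongSwan's own clients do; whether a particular built-in OS client or router implementation does is exactly the thing to verify for the target platform.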