I'm new to IKE/IPSEC, finally giving up on PPTP (which made my life very simple). I have setup a Mikrotik router per some online posts. Upon connection by my client (testing with Android) Mikrotik shows:

I have already create an IPsec group, and set my identity's "Policy Template Group" to this group. What is missing?

You've shown neither the complete configuration nor the debug log from Mikrotik, so the only possible response is "something is wrong".
Add ipsec debug logging: /system logging add topics=ipsec,!packet
as the log will be quite verbose and might not fit to th ememory buffer, run
/log print follow-only file=ipsec-start where topics~"ipsec"
Then make one connection attempt from the phone, stop the /log print ..., download the log file and start reading.

Regarding the original topic you've removed or changed to this one, IKEv2 with username/password authentication with Windows 10 - the good news is that it almost works on RouterOS 7.2rc3, the bad news is that once the Windows 10 get a response to the DHCPINFORM, they send a DELETE but keep showing the connection as active, and that you need a RouterOS 7 version of User Manager (the RouterOS 6 version does not support EAP) or an external RADIUS server.

Plus you still need a certificate for the responder side and the signing CA of that certificate must be trusted by the Windows client, so unless you get it signed by one of the pre-installed trusted CAs, you have to import the CA certificate to every Windows client. The point is that you wouldn't send the credentials to a rogue responder.

Yes I modified my question as I started figuring things out

I didn't realize I could get more detailed logging on IPsec. With that advice I managed to figure out what was missing! THanks - solved

Regarding UN/PW for connection, I'm running routerOS 6.49, I think upgrading the OS is more than I can handle at this point. But I'll keep an eye on when that's working. I don't mind distributing my own CA cert to users, but creating a per user cert is painful. For now I think I'll create one cert for each group of users.

Regarding the original User/Password with IKEv2 question: it can be somewhat emulated via PSK and Remote ID (from RouterOS's perspective, Local ID from client's perspective), no certificates required (although can be optionally enabled):


Where you should replace <username> and <password> with desired values.

The above does work indeed, but not with the Windows native VPN client - unless authentication using machine certificate is chosen at Windows side, the embedded client always uses an IP address as the initiator ID, and you cannot specify ADDR4 as a remote ID type on an /ip ipsec identity row.

Leaving aside that the Windows native VPN client is unable to use the password field as the PSK, and that with the initiator address being often dynamic and/or private, the identity matching would be unreliable.

Ah, didn’t know about these limitations on Windows.

You say EAP is not supported on ROS v6, but I do see these options on 6.49.2 Do you mean they don’t function?

Regarding UN/PW for connection, I'm running routerOS 6.49, I think upgrading the OS is more than I can handle at this point. But I'll keep an eye on when that's working. I don't mind distributing my own CA cert to users, but creating a per user cert is painful. For now I think I'll create one cert for each group of users.

I've compared the DHCPACK response to the DHCPINFORM from a 6.47.10 responder identifying the initiator by certificate and the DHCPACK response to the DHCPINFORM from a 7.2rc3 responder identifyng the initiator by EAP. The initiator was the same Win10 PC with two different VPN profiles. The contents of the DHCPACK is the same except items that must differ due to the topology. So I suspect the Windows PC gets scared by some particular values, which may be related to the fact that the 7.2rc3 machine is a CHR running on Hyper-V on the PC itself. So there is a chance that in a real life setup, the connection will survive.

Regarding upgrade to 7.x, given the various issues it suffers from, it wouldn't be wise to use it for production as a whole. However, the only thing you need to be in 7.x is the User Manager, which is the RADIUS server. So if you don't mind running 7.x on something small and cheap (like mAP lite - it cannot be hAP mini because User Manager is not available for SMIPS) solely as the User Manager, this could be a way without kickstarting a 3rd party RADIUS server. The configuration of the user is dead simple:
/user-manager/user/add attributes=Framed-IP-Address:192.168.39.2,Framed-IP-Netmask:255.255.255.255 name=username password=somepassword

You say EAP is not supported on ROS v6, but I do see these options on 6.49.2 Do you mean they don’t function?

Are you talking about /ip ipsec identity (auth-mode=eap-radius, eap-methods) or about the User Manager? I had no need to run 6.49.2 yet, but I haven't noticed anything related to User Manager in the changelog since 6.39 until 7.1. And the User Manager of 6.x did not support EAP.

So you can use 6.49.2 as the IPsec responder, but you cannot 6.49.2's User Manager as the RADIUS server for it.

So there is a chance that in a real life setup, the connection will survive.

It indeed does. I've realized that an old Sextant was collecting dust in my attic, so I've made it a 7.1.2 User Manager, added a row with auth-mode=eap-radius to /ip ipsec identity at the same 6.47.10 responder to which the Windows 10 PC connects fine using machine certificate, and it works this way as well. And the Framed-IP-Netmask attribute is even not required.