IPsec Xauth allows a simple connection to be established using only a username, password and pre-shared key, and it is supported directly on Android devices. Since it does not use certificates or stronger encryption standards, it should not be used for highly sensitive data.

Router IPsec Xauth Setup

First create an address pool for the clients.

/ip pool
add name=ipsec ranges=192.168.87.2-192.168.87.250

Next create a group for the clients.

/ip ipsec policy group
add name=rw

Set up the proposal with the allowed parameters for the phase 2 connection.

/ip ipsec proposal
add name=android auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    pfs-group=modp2048

Create a policy template to bind the proposal to a policy group, which can then be tied to the identities. level=unique may be needed where multiple clients connect from behind the same NAT.

/ip ipsec policy
add group=rw template=yes proposal=android

From RouterOS v6.40 policies are evaluated in order, so where policies overlap the topmost one is used.

Set up the profile with the allowed parameters for the phase 1 connection; dh-group=modp2048 is needed to allow macOS to use this connection.

/ip ipsec profile
add name=android hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp1024,modp2048 dpd-interval=10s dpd-maximum-failures=3

Create the peer; passive=yes and send-initial-contact=no are needed for IPsec servers.

/ip ipsec peer
add name=android-peer passive=yes profile=android send-initial-contact=no

Next set the subnets which clients will route over the VPN; split-include makes the router's LAN subnet available over the VPN.

/ip ipsec mode-config
add address-pool=ipsec name=roadwarrior split-include=192.168.88.0/24

Firewall rules need to be added to allow IPsec traffic into the router.

/ip firewall filter
add action=accept chain=input comment=IKE dst-port=500 protocol=udp
add action=accept chain=input comment=NAT-T dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp

Finally create the Xauth user; it is possible to have a different PSK for each user.

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict \
    mode-config=roadwarrior peer=android-peer policy-template-group=rw \
    secret=YOUR-PSK-HERE username=YOUR-USERNAME password=YOUR-PASSWORD

Xauth Setup for Cisco Compatible Clients (vpnc)

To allow Linux clients to connect using the networkmanager-vpnc package, an aggressive mode peer is needed along with some slightly less secure encryption and authentication options.

Aggressive mode can only have one DH group in the profile, so a custom profile is needed; additionally SHA1 is used for hashing.

/ip ipsec profile
add name=linux-xauth hash-algorithm=sha1 enc-algorithm=aes-256 \
    dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3

Proposals are tied to policy groups, not peers; note that perfect forward secrecy and SHA256 authentication are not supported by vpnc.

/ip ipsec proposal
add name=linux-xauth auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=none

Set up a new policy group and policy template that use the new proposal. The template must be placed in the new group (rw-lin), since that is the group the Linux identity refers to.

/ip ipsec policy group
add name=rw-lin
/ip ipsec policy
add group=rw-lin template=yes proposal=linux-xauth

Then create the aggressive mode peer.

/ip ipsec peer
add exchange-mode=aggressive name=linux-xauth passive=yes profile=linux-xauth send-initial-contact=no

Xauth users are tied to the peer, so a new user is required.

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict \
    mode-config=roadwarrior peer=linux-xauth policy-template-group=rw-lin \
    secret=YOUR-PSK-HERE username=YOUR-USERNAME password=YOUR-PASSWORD
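As an added check (example code written for this page, not part of the original wiki text or of RouterOS), the script below parses "/ip ipsec export" style output and flags the weakened settings that the Android and vpnc sections above introduce: modp1024 DH groups, SHA1 hashing or authentication, pfs-group=none, and aggressive mode (which exposes the PSK-derived hash to offline guessing). The embedded sample export is constructed from the profile, proposal and peer lines on this page.

```python
import re

# Constructed sample: the profile, proposal and peer lines from this page,
# as they appear in an export (backslash line continuations included).
SAMPLE_EXPORT = """\
/ip ipsec profile
add name=android hash-algorithm=sha256 enc-algorithm=aes-256 \\
    dh-group=modp1024,modp2048 dpd-interval=10s dpd-maximum-failures=3
add name=linux-xauth hash-algorithm=sha1 enc-algorithm=aes-256 \\
    dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3
/ip ipsec proposal
add name=android auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
add name=linux-xauth auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec peer
add name=android-peer passive=yes profile=android send-initial-contact=no
add exchange-mode=aggressive name=linux-xauth passive=yes profile=linux-xauth send-initial-contact=no
"""

WEAK_DH = {"modp768", "modp1024"}   # 1024-bit and smaller groups
WEAK_HASH = {"md5", "sha1"}

def parse_export(text):
    """Yield (section, {key: value}) for every 'add' line, joining '\\' continuations."""
    section, buf = None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):              # continuation: keep collecting
            buf = line[:-1] + " "
            continue
        buf = ""
        if line.startswith("/"):             # e.g. "/ip ipsec profile"
            section = line
        elif line.startswith("add "):
            yield section, dict(re.findall(r"(\S+?)=(\S+)", line))

def audit(text):
    """Return one '<section> <name>: <finding>' string per weak setting found."""
    findings = []
    for section, kv in parse_export(text):
        tag = f"{section} {kv.get('name', '?')}"
        if section.endswith("profile"):
            weak = WEAK_DH & set(kv.get("dh-group", "").split(","))
            if weak:
                findings.append(f"{tag}: weak phase 1 DH group {','.join(sorted(weak))}")
            if kv.get("hash-algorithm") in WEAK_HASH:
                findings.append(f"{tag}: weak phase 1 hash {kv['hash-algorithm']}")
        elif section.endswith("proposal"):
            weak = WEAK_HASH & set(kv.get("auth-algorithms", "").split(","))
            if weak:
                findings.append(f"{tag}: weak phase 2 auth {','.join(sorted(weak))}")
            if kv.get("pfs-group") == "none":
                findings.append(f"{tag}: no PFS (pfs-group=none)")
        elif section.endswith("peer") and kv.get("exchange-mode") == "aggressive":
            findings.append(f"{tag}: aggressive mode exposes the PSK hash to offline guessing")
    return findings
```

Run `audit(SAMPLE_EXPORT)` against a real export to see which of the relaxed settings are still live once the vpnc peer is no longer needed.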

Allowing firewall access from IPSec connections

Since the IPsec connection does not create an interface, it is not covered by the rules allowing access from the LAN, so separate rules are needed.

These rules allow DNS, SSH, Winbox and web access to the router from IPsec clients.

/ip firewall filter
add action=accept chain=input dst-port=53,22,8291,80 ipsec-policy=in,ipsec protocol=tcp \
    comment="Allow IPsec clients to access TCP firewall services"
add action=accept chain=input dst-port=53 ipsec-policy=in,ipsec protocol=udp \
    comment="Allow IPsec clients to access UDP firewall services"