VPN
Talyan, 2021-09-26 08:02:29

How to set up IKEv2+IPsec on MikroTik with PSK authorization?

Hey!

The short version of the question, so you don't have to read all my reasoning:

1) IKEv2+IPsec+EAP-RADIUS, generally without certificates: is it possible?
2) Has anyone done it? Do you have an example config?
3) We need routes.


Maybe I don't know how to search, but I just can't find a single description of setting up MikroTik as an IKEv2+IPsec server with password authorization.
Password.
Not certificate authorization, which is what all the articles I found describe.

At the moment I have a MikroTik VPN server running L2TP+IPsec, but I need to route VPN users to certain subnets of the company LAN, including from other cities, without creating a default route through the VPN server on the client side (so that users' Internet traffic goes through their own router and not through the VPN server), and without handing users BAT files that add routes by hand.

Having looked at different types of VPN, the choice fell on IKEv2+IPsec because of:
1) Support for multiple simultaneous VPN connections behind one NAT.
2) Native support in the built-in clients of all devices and operating systems, with no need to install third-party software.
3) The ability to deliver routes to the user.

Password authorization, and a categorical refusal of certificate authorization:
1) The user should not have to bother with downloading and installing certificates at all. He should enter the login and password of his corporate Windows account, and that's it (well, plus the IPsec password). At the moment my users are authorized this way through RADIUS+AD.
2) Establishing the connection should be simple and understandable for ordinary users, so much so that when connecting the next device to the VPN the user can repeat the setup himself, without going into where to put a certificate and why it is needed at all.

The only manuals and descriptions I found for this combination are for a server based on pfSense, but I think it is not really appropriate to use it in my situation, since, firstly, we don't have a single Linux machine in the server fleet apart from the Asterisk box, and none is planned. Of course, I am trying to build something similar on MikroTik based on the pfSense settings, but it is not that easy. And besides, the MikroTik that faces the Internet and serves L2TP supports hardware encryption for VPN, and in general it sits at 0% load, 1% at the peak of the working day.

In general, even on the official website the server setup guide is written with a certificate: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Tra... Am I the only one interested in password authorization?)

I think this is still possible, since the wiki at the link above has a "Simple mutual PSK XAuth configuration" section, which, as I understand it, is exactly what I need.

I would be grateful for all the feedback, advice, and maybe someone will share their experience in setting up the same configuration.
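Since none of the answers below gives a config, here is an added example of the server side of what the question asks for. It is not from the original post or from MikroTik's documentation; it is an editor's example that assumes RouterOS 6.45 or later (the syntax is the same on 7.x), a server certificate already imported under the name vpn.example.com, a RADIUS server (NPS talking to AD) at 192.0.2.10, a client pool 10.99.0.0/24 and office subnets 192.168.10.0/24 and 192.168.20.0/24. All of those names and addresses are placeholders. Two points worth knowing before copying it: RouterOS does support IKEv2 with EAP over RADIUS, so users log in with their domain login and password; but in IKEv2 the server still authenticates itself with a certificate (only the server, the client installs nothing if the certificate chains to a CA the operating system already trusts). The PSK variant exists on RouterOS too, but the built-in Windows client does not offer it for an IKEv2 user connection, which is why this example uses EAP-RADIUS rather than a pre-shared key.

```routeros
# Added example config, not part of the original post.
# Assumptions (placeholders): RouterOS >= 6.45, certificate "vpn.example.com" already imported,
# RADIUS/NPS at 192.0.2.10, client pool 10.99.0.0/24, office subnets 192.168.10.0/24 and 192.168.20.0/24.

# Addresses handed out to VPN clients
/ip pool
add name=ike2-pool ranges=10.99.0.2-10.99.0.254

# Mode-config: what a client receives after EAP succeeds.
# split-include is the "route push": a client that honours it builds policies
# only for these subnets and keeps its own default route for the Internet.
/ip ipsec mode-config
add name=ike2-cfg address-pool=ike2-pool address-prefix-length=32 \
    split-include=192.168.10.0/24,192.168.20.0/24 system-dns=no static-dns=192.168.10.5

# Policy template: real policies are generated per connected client from this one
/ip ipsec policy group
add name=ike2-policies
/ip ipsec proposal
add name=ike2-proposal auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip ipsec policy
add template=yes group=ike2-policies proposal=ike2-proposal src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# IKE (phase 1) profile and the passive, server-side peer.
# sha1 and modp1024 are listed only because a stock Windows client proposes them;
# drop them once clients are configured for stronger parameters.
/ip ipsec profile
add name=ike2-profile dh-group=modp2048,modp1024 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256,sha1
/ip ipsec peer
add name=ike2-server exchange-mode=ike2 passive=yes profile=ike2-profile

# RADIUS server used for the EAP exchange (service=ipsec); NPS must offer EAP-MSCHAPv2
/radius
add address=192.0.2.10 secret=CHANGE-ME-radius-secret service=ipsec

# Identity: the server proves itself with its certificate,
# the user proves himself with login+password via EAP over RADIUS
/ip ipsec identity
add peer=ike2-server auth-method=eap-radius certificate=vpn.example.com \
    generate-policy=port-strict mode-config=ike2-cfg policy-template-group=ike2-policies

# Let IKE and ESP in; clients behind NAT end up on UDP/4500 (NAT-T)
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKEv2"
add chain=input action=accept protocol=ipsec-esp comment="ESP"

# Do not masquerade VPN-to-office traffic; this rule must sit above the masquerade rule
/ip firewall nat
add chain=srcnat action=accept src-address=10.99.0.0/24 dst-address=192.168.0.0/16 \
    place-before=0 comment="VPN clients: no NAT"
```

Two caveats a practitioner should check rather than assume. First, not every built-in client honours split-include; RouterOS, strongSwan and Apple clients do, while the Windows client is known to need its routes set on the client side (Add-VpnConnectionRoute, with "use default gateway on remote network" disabled), so the "no BAT files" requirement may only be fully met on non-Windows devices. Second, the client connects to the name on the certificate, so vpn.example.com must resolve to the router's public address and the certificate must come from a CA the client trusts, otherwise users are back to installing certificates, which is exactly what the question wants to avoid.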


4 answers

SunRiser, 2021-09-26

As far as I know, IKEv2 does not know how to use PSK. The client establishes a secure SSL tunnel with the server, and the login and password are then transmitted inside it. By default, Windows and macOS use the MS-CHAPv2 algorithm to pass the password. Thus, using an SSL certificate, the client authenticates the server, and using the login and password, the server authenticates the client.
More details: https://habr.com/ru/company/ruvds/blog/498924/

AlexVWill, 2021-09-26

Am I the only one interested in password authentication?)

Most likely yes, because if you do things properly, and not just another "VPN to bypass blocking", then a certificate file is needed at least to authenticate the server, and better, of course, both a server and a user certificate file, so that the parties clearly recognise each other.
Somewhere I saw a manual for setting up strongSwan without files; when I am at the computer I'll take a look. For MikroTik, perhaps this possibility is not provided at all.

Drno, 2021-09-26

Ummm... OpenVPN solves this problem without any trouble, and routes can be pushed, if there is no way to set up the VPN on the router in the office rather than on the clients.
I really don't know how well it gets along with AD.

CityCat4, 2021-09-27

Am I the only one interested in password authentication?)

Apparently yes. Password authorization has some advantages, of course (if the password is not stored on the computer but in your head), for example it is impossible to steal it. If it is stored on the computer, password authorization has no advantages.
The strongSwan documentation has every conceivable and inconceivable example of combinations; of course, you will have to sweat to adapt them to MikroTik, but maybe it will work out. Or maybe not; it depends on what was implemented there in the IKEv2 support.
The user should not bother with downloading and installing certificates at all.

Of course. The admin should do this. Either by hand, or by knocking together a VBS script. Security is always perpendicular to convenience :)
