ychamps
just joined
Topic Author
Posts: 11
Joined: Thu Jun 28, 2012 4:38 am

MT not answering to Cisco IPsec requests

Fri Jul 06, 2012 5:45 am

Hi,

Here is my setup:


MT :
[admin@MikroTik] > /ip ipsec export
# jan/02/1970 00:48:44 by RouterOS 4.17
# software id = 3VTE-SEPW
#
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=des \
lifetime=1d name=default pfs-group=modp768
/ip ipsec peer
add address=10.200.0.1/32:500 auth-method=pre-shared-key comment="" dh-group=\
modp768 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=\
0 lifetime=1d nat-traversal=no proposal-check=obey secret=abc \
send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.0.0.0/8:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=10.200.0.1 sa-src-address=10.200.29.3 src-address=\
192.168.30.0/24:any tunnel=yes

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.30.1/24 192.168.30.0 192.168.30.255 ether2
1 10.200.29.3/15 10.200.0.0 10.201.255.255 ether1

[admin@MikroTik] /ip> route pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.200.0.1 1
1 ADC 10.200.0.0/15 10.200.29.3 ether1 0
2 ADC 192.168.30.0/24 192.168.30.1 ether2 0

no firewall rules.


Cisco :
crypto isakmp policy 1
authentication pre-share

crypto isakmp key abc address 10.200.29.3

crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
interface Loopback1029
ip address 10.3.0.1 255.255.255.252


crypto map omega-crypto 10 ipsec-isakmp
set peer 10.200.29.3
set transform-set proposal1
match address mikrotik

interface Vlan1029
ip address 10.200.0.1 255.254.0.0
crypto map omega-crypto



ip access-list extended mikrotik
permit ip 10.0.0.0 0.255.255.255 192.168.30.0 0.0.0.255

I can see requests coming from the Cisco via various debug crypto outputs and in WinBox IP > Firewall > Connections (UDP 500):

*Jul 5 16:02:28.337 TAH: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.200.0.1, remote= 10.200.29.3,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): SA request profile is omega
*Jul 5 16:02:28.337 TAH: ISAKMP: Created a peer struct for 10.200.29.3, peer port 500
*Jul 5 16:02:28.337 TAH: ISAKMP: New peer created peer = 0x130EEF28 peer_handle = 0x80001FC7
*Jul 5 16:02:28.337 TAH: ISAKMP: Locking peer struct 0x130EEF28, refcount 1 for isakmp_initiator
*Jul 5 16:02:28.337 TAH: ISAKMP: local port 500, remote port 500
*Jul 5 16:02:28.337 TAH: ISAKMP: set new node 0 to QM_IDLE
*Jul 5 16:02:28.337 TAH: insert sa successfully sa = 1301FF0C
*Jul 5 16:02:28.337 TAH: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jul 5 16:02:28.337 TAH: ISAKMP:(0):Found ADDRESS key in keyring key2
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul 5 16:02:28.337 TAH: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jul 5 16:02:28.337 TAH: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jul 5 16:02:28.337 TAH: ISAKMP:(0): beginning Main Mode exchange
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): sending packet to 10.200.29.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 5 16:02:38.337 TAH: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jul 5 16:02:38.337 TAH: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 5 16:02:38.337 TAH: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jul 5 16:02:38.337 TAH: ISAKMP:(0): sending packet to 10.200.29.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 5 16:02:48.337 TAH: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jul 5 16:02:48.337 TAH: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 5 16:02:48.337 TAH: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jul 5 16:02:48.337 TAH: ISAKMP:(0): sending packet to 10.200.29.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 5 16:02:58.337 TAH: IPSEC(key_engine): request timer fired: count = 1,

Why is MT not replying?
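As an added example (not part of the original post), a small Python analyser for Cisco `debug crypto isakmp` output of the kind quoted above: it tallies IKE packets sent and received per peer and flags a peer that is still in MM_NO_STATE after retransmits with no reply, which is the pattern in this thread. The sample lines are constructed from the post; the "received packet from" pattern is the IOS line for an inbound IKE message and is assumed here, since no inbound line appears in the post.

```python
import re

# Constructed sample modelled on the "debug crypto isakmp" lines quoted in the post.
SAMPLE_DEBUG = """\
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): beginning Main Mode exchange
*Jul 5 16:02:28.337 TAH: ISAKMP:(0): sending packet to 10.200.29.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 5 16:02:38.337 TAH: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jul 5 16:02:38.337 TAH: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 5 16:02:38.337 TAH: ISAKMP:(0): sending packet to 10.200.29.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul 5 16:02:48.337 TAH: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 5 16:02:48.337 TAH: ISAKMP:(0): sending packet to 10.200.29.3 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\w+)")
# Inbound IKE message line as IOS prints it; assumed format, not present in the post.
RECV_RE = re.compile(r"received packet from (\S+) .*\((I|R)\) (\w+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")

def new_peer():
    return {"sent": 0, "received": 0, "retries": 0, "max_retries": 0, "state": None}

def analyse_isakmp_debug(text):
    """Tally per-peer IKE traffic: packets sent/received, retransmit count and last state."""
    peers, current = {}, None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            current = peers.setdefault(m.group(1), new_peer())
            current["sent"] += 1
            current["state"] = m.group(3)
        elif m := RECV_RE.search(line):
            current = peers.setdefault(m.group(1), new_peer())
            current["received"] += 1
            current["state"] = m.group(3)
        elif (m := RETRY_RE.search(line)) and current is not None:
            # Retransmit lines carry no address; attribute them to the peer last addressed.
            current["retries"] = int(m.group(1))
            current["max_retries"] = int(m.group(2))
    return peers

def diagnose(peers):
    """Flag peers that never answered the first main-mode message (stuck in MM_NO_STATE)."""
    findings = []
    for addr, p in peers.items():
        if p["received"] == 0 and p["retries"] > 0 and p["state"] == "MM_NO_STATE":
            findings.append(f"{addr}: no IKE reply, {p['retries']}/{p['max_retries']} retransmits, "
                            "still MM_NO_STATE; check the responder's IKE log (MikroTik: topic ipsec)")
    return findings

if __name__ == "__main__":
    for finding in diagnose(analyse_isakmp_debug(SAMPLE_DEBUG)):
        print(finding)
```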
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: MT not answering to Cisco IPsec requests

Sun Jul 08, 2012 7:10 pm

It works, I use IPsec between MikroTik and Cisco. You need to study this:

http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco

http://wiki.mikrotik.com/wiki/MikroTik_ ... wall_IPSEC
 
ychamps
just joined
Topic Author
Posts: 11
Joined: Thu Jun 28, 2012 4:38 am

Re: MT not answering to Cisco IPsec requests

Tue Jul 10, 2012 6:35 am

I've studied these links several times....

I am sure this will work.

I made this work 3 days ago with a different Cisco router and different IPsec settings: 3DES, DH2....

But with this new router and settings, it looks like MikroTik is not answering the IPsec requests, I don't know why?
There is a little parameter that is wrong or missing...

Where can I find detailed IPsec logs from my MT router?
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: MT not answering to Cisco IPsec requests

Tue Jul 10, 2012 3:23 pm

> I've studied these links several times....
>
> I am sure this will work.
>
> I made this work 3 days ago with a different Cisco router and different IPsec settings: 3DES, DH2....
>
> But with this new router and settings, it looks like MikroTik is not answering the IPsec requests, I don't know why?
> There is a little parameter that is wrong or missing...
>
> Where can I find detailed IPsec logs from my MT router?

Go to logging, add topic "ipsec". Then it will log every detail about IPsec.
