OKNET
Member
Topic Author
Posts: 354
Joined: Mon Jun 22, 2015 9:22 am

Issue with GRE/Ipsec behind nat

Tue Mar 26, 2024 8:30 pm

Sometimes, and more and more frequently, I find my MikroTik to MikroTik GRE/IPsec tunnel down, and it comes back up only with great difficulty....

Both RouterBOARDs are behind ISP router NAT in what they call a "DMZ" or "exposed host": practically all incoming traffic to the public IP (all ports and protocols) is forwarded to a single LAN IP address (the RouterBOARD's).

The initiator RB says "phase1 negotiation failed due to time up <initiator_ip_address>[4500]<=><responder_ip_address>[4500]"
The responder RB says "the packet is retransmitted by <initiator_ip_address>[4500]"

Rebooting both RBs doesn't help.

ISP router issue?

Question: in the GRE tunnel config, what should I specify as "Local Address"? The RB's WAN address facing the ISP router (the current working setting) or the ISP router's public IP address facing the internet?

Thank you.
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: Issue with GRE/Ipsec behind nat

Tue Mar 26, 2024 8:55 pm

The improperly configured local address could also be the main problem: the local address should be the IPsec IP address of the server/client (depending on which device you're configuring), and the remote address should be the IPsec IP address of the second device:

https://help.mikrotik.com/docs/display/ ... 2)usingDNS
 
OKNET
Member
Topic Author
Posts: 354
Joined: Mon Jun 22, 2015 9:22 am

Re: Issue with GRE/Ipsec behind nat

Mon Apr 08, 2024 9:03 am

Thank you for the link.
However, in my (old and working) setup, I don't configure all those IPsec things..... just the profile and proposal, then I just add the IPsec secret on the GRE interface to make it use IPsec (the IKE phases are completed, SAs are installed, etc.).
The setup shown on the MikroTik site seems to build a GRE tunnel over an existing IPsec one; in fact, the GRE local and remote addresses are private ones (the IPsec tunnel's) rather than public WAN addresses.

Any difference (pros and cons) between these two setups?

The problem of the dead tunnel not coming back up seems to reside in the NATted ISP router; I have to restart it manually to allow the phase 1 packets to reach the counterpart..... Is this a generally known issue?
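As an added illustration of the setup OKNET describes (this is not configuration from the thread or from MikroTik's documentation), here is one side of a GRE tunnel secured with the GRE interface's ipsec-secret, followed by the RouterOS commands used to tell whether IKE is being blocked in front of the router. Every address, interface name and the pre-shared key are constructed placeholders; the assumption that the dynamically created peer uses the "default" profile and proposal is noted in the comments.

```routeros
# Added example, not from the thread. All addresses, names and the secret are
# constructed placeholders; replace them with your own.
#
# Site A (this router) sits behind an ISP router that forwards everything
# ("DMZ"/"exposed host") to its WAN address 192.168.1.2. The ISP router's own
# public address is 198.51.100.10 and is NOT configured on this router.
# Site B is reachable at the public address 203.0.113.20 (its ISP router,
# which forwards to the remote RouterBOARD the same way).

# 1. GRE interface with ipsec-secret. local-address must be an address that
#    exists on THIS router: behind NAT that is the private WAN address, never
#    the ISP router's public IP, which this router does not own. RouterOS
#    then creates the IPsec peer, identity and policy for this tunnel
#    dynamically, so no manual /ip ipsec peer or policy is needed.
/interface gre
add name=gre-siteB local-address=192.168.1.2 remote-address=203.0.113.20 \
    ipsec-secret=CHANGE_ME_LONG_RANDOM_PSK keepalive=10s,10 \
    clamp-tcp-mss=yes allow-fast-path=no

# 2. Tunnel addressing (constructed /30) and a route for the remote LAN.
/ip address
add address=10.255.0.1/30 interface=gre-siteB
/ip route
add dst-address=10.20.0.0/24 gateway=gre-siteB

# 3. The dynamic peer uses the "default" IPsec profile and proposal
#    (assumption; the thread only says "profile and proposal" are configured).
#    nat-traversal must stay enabled, otherwise IKE cannot switch to UDP/4500
#    after detecting the NAT, which is the port the quoted log lines show.
#    DPD lets the router notice a dead peer instead of waiting for a timeout.
/ip ipsec profile
set default nat-traversal=yes dpd-interval=30s dpd-maximum-failures=3 \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal
set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# 4. Checks when the tunnel will not come back up.
#    a) Does IKE even reach this router? An active peer with the natt-peer
#       flag means the NAT was detected and negotiation started; no entry at
#       all on the responder means the first packet never arrived, which
#       points at the ISP router's forwarding rather than at RouterOS.
/ip ipsec active-peers print detail
#    b) Were phase 2 SAs installed?
/ip ipsec installed-sa print
#    c) Is the GRE interface running (R flag) and are keepalives passing?
/interface gre print
#    d) The messages quoted in the thread, filtered from the log.
/log print where topics~"ipsec" and message~"negotiation failed|retransmitted"
```

Both sides use the same pattern with the addresses swapped: each router's local-address is its own private WAN address and its remote-address is the other site's public IP. If check (a) shows nothing on the responder while the initiator keeps logging "phase1 negotiation failed", the IKE packets on UDP/500 and UDP/4500 are being dropped before they reach the RouterBOARD, which matches the thread's observation that only restarting the ISP router clears the condition.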
