The IPsec VPN config from the manual's application example (http://www.mikrotik.com/docs/ros/2.9/ip/ipsec.content#5.44.8.2) is not working for me; the packets are discarded.
The scenario is very basic:
LAN - 10.10.1.1/24-(R1)-x.y.z.157 - DSL - x.y.z.160-(R2)-10.10.5.1/24 - LAN
Config of router 1:
/ ip firewall nat
add chain=srcnat src-address=10.10.1.0/24 dst-address=10.10.5.0/24 action=accept comment="" disabled=no
add chain=srcnat out-interface=t-dsl-business action=masquerade comment="" disabled=no
/ ip ipsec policy
add src-address=10.10.1.0/24:any dst-address=10.10.5.0/24:any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.157 sa-dst-address=x.y.z.160 proposal=default \
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=x.y.z.160/32:500 secret="qwertzuiopasdfghjkl" generate-policy=no exchange-mode=aggressive \
send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 \
lifetime=1d lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 \
disabled=no
Config of router 2:
/ ip firewall nat
add chain=srcnat src-address=10.10.5.0/24 dst-address=10.10.1.0/24 action=accept
add chain=srcnat out-interface=t-dsl-business action=masquerade
/ ip ipsec policy
add src-address=10.10.5.0/24:any dst-address=10.10.1.0/24:any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.160 sa-dst-address=x.y.z.157 proposal=default \
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=x.y.z.157/32:500 secret="qwertzuiopasdfghjkl" generate-policy=no exchange-mode=aggressive \
send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 \
lifetime=1d lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 \
disabled=no
Tested with ping from both ends.
Router 1:
/ping 10.10.5.1 src-address=10.10.1.4
11:40:00 ipsec,ike,info initiating phase 2 (src x.y.z.157) (dst x.y.z.160)
11:40:00 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
11:40:00 ipsec,ike,info received ISAKMP packet from x.y.z.160:500, phase 2, Quick
11:40:01 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
11:40:02 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
11:40:03 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
Router 2:
/ping 10.10.1.4 src-address=10.10.5.1
10:39:00 ipsec,ike,info initiating phase 2 (src x.y.z.160) (dst x.y.z.157)
10:39:01 ipsec,ike,info received ISAKMP packet from x.y.z.157:500, phase 2, Quick
10:39:01 ipsec,info ipsec packet discarded: src=10.10.5.1 dst=10.10.1.4
10:39:02 ipsec,info ipsec packet discarded: src=10.10.5.1 dst=10.10.1.4
Under /ip ipsec installed-sa only the direction=in SA is established on both routers.
Anyone have an idea? Do I overlook something obvious?
TIA.
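As an added example (not from the post or from MikroTik), the script below parses both routers' export-style IPsec sections and checks that the two ends mirror each other: policy src/dst and sa-src/sa-dst swapped, phase-1 and proposal settings identical, and each policy's sa-dst-address naming that router's configured peer (that last relation is an assumption of the check). R1 and R2 are constructed from the post's own lines, trimmed to the attributes compared, with the x.y.z placeholders kept.

```python
import re
import shlex
# Constructed sample: both routers' IPsec sections from the post, trimmed; x.y.z placeholders compared as plain strings.
R1 = r"""/ ip ipsec policy
add src-address=10.10.1.0/24:any dst-address=10.10.5.0/24:any tunnel=yes \
    sa-src-address=x.y.z.157 sa-dst-address=x.y.z.160 proposal=default
/ ip ipsec peer
add address=x.y.z.160/32:500 exchange-mode=aggressive hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des pfs-group=modp1024
"""
R2 = r"""/ ip ipsec policy
add src-address=10.10.5.0/24:any dst-address=10.10.1.0/24:any tunnel=yes \
    sa-src-address=x.y.z.160 sa-dst-address=x.y.z.157 proposal=default
/ ip ipsec peer
add address=x.y.z.157/32:500 exchange-mode=aggressive hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des pfs-group=modp1024
"""

def parse_export(text):
    """Parse export-style text into {menu: [{key: value}, ...]}, joining '\\' line continuations."""
    menu, out = None, {}
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        if line.startswith("/"):
            menu = line.strip("/ ")
        elif line.startswith("add ") and menu:
            out.setdefault(menu, []).append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return out
MIRROR = (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address"))  # swapped between ends
SAME = {"ip ipsec peer": ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group"),
        "ip ipsec proposal": ("auth-algorithms", "enc-algorithms", "pfs-group")}  # identical on both ends
def mirror_mismatches(a, b):
    """Return findings where the two ends do not mirror each other; an empty list means they line up."""
    found = []
    pa, pb = a["ip ipsec policy"][0], b["ip ipsec policy"][0]
    for left, right in MIRROR:
        if (pa.get(left), pa.get(right)) != (pb.get(right), pb.get(left)):
            found.append(f"policy {left}/{right} not mirrored: {pa.get(left)} vs {pb.get(right)}")
    # Assumption of this check: each policy's sa-dst-address must name that router's configured peer.
    for cfg, pol in ((a, pa), (b, pb)):
        host = cfg["ip ipsec peer"][0]["address"].split("/")[0]
        if host != pol.get("sa-dst-address"):
            found.append(f"peer {host} does not match policy sa-dst-address {pol.get('sa-dst-address')}")
    for menu, keys in SAME.items():
        for key in keys:
            if a[menu][0].get(key) != b[menu][0].get(key):
                found.append(f"{menu} {key} differs: {a[menu][0].get(key)} vs {b[menu][0].get(key)}")
    return found
```

Running it on the post's two configs returns no findings, so the mismatch that leaves only the inbound SA installed is not a simple asymmetry in these attributes; feeding it the same side twice shows what a real mismatch report looks like.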