IPSec SA negotiation failures (RB2011UiAS-2HnD & ZYXEL VMG3313-B10A)

Hello everyone,

I’m having some issues related to IPsec SA negotiation failures. I’m trying to establish an IPsec connection between an RB2011UiAS-2HnD and a ZYXEL VMG3313-B10A modem.
A few weeks ago I established a similar IPsec connection with another Zyxel model, using the same IPsec settings, with no problem.

I see “deleted the retransmission packet”, “phase1 negotiation failed due to time up”, “the packet is retransmitted by x.x.x.x to x.x.x.x” logs when I inspect the detailed debug log.
The packets are being sent and received, and then deleted. After a while, the phase 1 negotiation times out.

So, IPSec SA negotiation fails.

Any ideas?


[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder 
 0     name="usertest" address=178.146.56.52/32 local-address=98.66.240.48 profile=profile1 exchange-mode=main send-initial-contact=no 

NAT

 0    chain=srcnat action=accept src-address=98.66.240.48 dst-address=178.146.56.52 log=no log-prefix="" 

 1    chain=srcnat action=accept src-address=192.158.88.0/24 dst-address=192.168.2.0/24 log=no log-prefix="" 

 2    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=all log=no log-prefix="" 

 3    ;;; 17 udp 500 port 
      chain=srcnat action=accept protocol=udp src-port=500 log=no log-prefix="" 

 4    ;;; ipsec-esp
      chain=srcnat action=accept protocol=ipsec-esp log=no log-prefix="" 

 5 X  ;;; 4500
      chain=srcnat action=accept protocol=udp src-port=4500 log=no log-prefix="" 

 6    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" 

[admin@MikroTik] > /ip ipsec profile print
Flags: * - default 
 0 * name="profile1" hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=30m proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5 

[admin@MikroTik] > /ip ipsec identity print
Flags: D - dynamic, X - disabled 
 0    peer=usertest auth-method=pre-shared-key secret="passwd123" generate-policy=port-strict 

 1 D  ;;; l2tp-in-server
      peer=l2tp-in-server auth-method=pre-shared-key remote-id=ignore secret="passwd123" generate-policy=port-strict 

[admin@MikroTik] > /ip ipsec proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 

[admin@MikroTik] > /ip ipsec identity print
Flags: D - dynamic, X - disabled 
 0    peer=usertest auth-method=pre-shared-key secret="passwd123" generate-policy=port-strict 

FIREWALL FILTER PRINT

chain=input connection-state=established 
chain=input connection-state=related 
chain=forward connection-state=established 
chain=forward connection-state=related 
chain=output connection-state=established 
chain=output connection-state=related 
chain=forward action=passthrough 
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
chain=forward action=accept connection-state=established,related dst-address=178.146.56.52 log=no log-prefix="" 

chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 
chain=input action=accept protocol=tcp port=500 log=no log-prefix="" 
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix="" 
chain=forward action=accept connection-state=established,related dst-address=178.146.56.52 log=no log-prefix="" 



[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                        
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2                                                           


[admin@MikroTik] > /ip ipsec active-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL
 0                         message-3-sent

First, could it be that the packets from the two Zyxels arrive from the same public IP to the Mikrotik, because they are behind the same NAT? If so, only one at a time can work, due to the IPsec transport mode being used for L2TP encryption rather than tunnel mode (but it should not look like this, normally phase1 of the newer connection would succeed and only phase2 would fail if that was the reason).

Second, packets may be lost in one direction due to fragmentation and failing reassembly; as you use pre-shared key authentication, this doesn’t sound very likely but cannot be excluded. Do you have a chance to sniff traffic at the Zyxel end?

I’d have to see the complete log and configuration export to say something less generic.

Thank you Sindy,

First, the two Zyxels are not running at the same time on the same network.

Yes, maybe the answer lies in the second possibility. I’m using pre-shared key authentication. I’ll try to sniff the traffic at the Zyxel end if I can.
Encryption, hashing, etc. are the same on both sides. Packets are being sent and received, as I see in the detailed logs. But after a while they are being deleted.

I attached ipsec peers, ipsec profile, ipsec identity, ipsec proposal, firewall nat and firewall filter; I may also share the detailed ipsec logs. Could you please tell me which other configuration and logs you need? I’d like to share them as well.

By the way, I’m behind a NAT, but the other side, the Zyxel, is not behind a NAT, I think. Therefore NAT-T is not selected on either side. And as far as I know, when NAT-T is selected, IKEv2 should be selected as well, and the port would be 4500 instead of 500. The problem is, I cannot select IKEv2 on the Zyxel; there is only an “Auto IKE” option.

I also tried selecting AH instead of ESP. It didn’t work either.

Thanks

The general rule is “share the complete configuration except critical information like usernames, passwords/secrets, and public IP addresses.” A hint on anonymisation not breaking logical relationship between configuration items is in my automatic signature below.

In this case, I am only not sure whether the firewall rules you’ve posted are the complete list or just those you deemed relevant. It is also strange that the /ip ipsec peer print shows a dynamically created peer for the L2TP server, but there is no dynamically created item in /ip ipsec identity print.

All rows of the log whose topics match ipsec from one failed connection attempt are necessary. I don’t remember the whole flow so I need to see the complete exchange.

At best, run /log print follow-only file=ipsec-start where topics~"ipsec", let the Zyxel try to connect and fail, then stop the print, download the file, and eventually edit the IP addresses if you care.


It’s actually a bit different. NAT-T is an optional extension of IKE (v1), while the same mechanism is an intrinsic part of the IKEv2 standard. There is no automatic switchover from IKE (v1) to IKEv2. A switchover to use of port 4500 is not the same as a switchover to IKEv2 - the message format is still unique for each version of IKE.

It is also not important whether only one of the peers or both are behind NAT and whether it is a single or multiple NAT - the NAT traversal mode must be activated as soon as a single NAT at either end is present. Both peers must support NAT-T so that it would work with IKE (v1), not only the one on whose end the NAT is.

The standard specifying how to encrypt L2TP using IPsec is older than IKEv2 so it doesn’t mention it.


AH doesn’t work with NAT nor with tunnel mode (where the payload’s IP addresses differ from the transport’s ones). It is solely applicable for transport mode where communication between two IP addresses is being encrypted.

Here is some detailed information:

Log in detail:

May/10/2020 20:15:35 ipsec,debug ===
May/10/2020 20:15:35 ipsec,debug new cookie:
May/10/2020 20:15:35 ipsec,debug 4f89d9698f1667cc
May/10/2020 20:15:35 ipsec,debug add payload of len 48, next type 13
May/10/2020 20:15:35 ipsec,debug add payload of len 16, next type 13
May/10/2020 20:15:35 ipsec,debug add payload of len 16, next type 0
May/10/2020 20:15:35 ipsec,debug 120 bytes from 194.155.200.148[500] to 178.186.156.152[500]
May/10/2020 20:15:35 ipsec,debug 1 times of 120 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:35 ipsec,debug,packet 4f89d969 8f1667cc 00000000 00000000 01100200 00000000 00000078 0d000034
May/10/2020 20:15:35 ipsec,debug,packet 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0708
May/10/2020 20:15:35 ipsec,debug,packet 80010005 80030001 80020001 80040002 0d000014 12f5f28c 457168a9 702d9fe2
May/10/2020 20:15:35 ipsec,debug,packet 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
May/10/2020 20:15:35 ipsec,debug ===== received 100 bytes from 178.186.156.152[500] to 194.155.200.148[500]
May/10/2020 20:15:35 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 01100200 00000000 00000064 0d000034
May/10/2020 20:15:35 ipsec,debug,packet 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0708
May/10/2020 20:15:35 ipsec,debug,packet 80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
May/10/2020 20:15:35 ipsec,debug,packet 77570100
May/10/2020 20:15:35 ipsec,debug begin.
May/10/2020 20:15:35 ipsec,debug seen nptype=1(sa) len=52
May/10/2020 20:15:35 ipsec,debug seen nptype=13(vid) len=20
May/10/2020 20:15:35 ipsec,debug succeed.
May/10/2020 20:15:35 ipsec,debug remote supports DPD
May/10/2020 20:15:35 ipsec,debug total SA len=48
May/10/2020 20:15:35 ipsec,debug 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0708
May/10/2020 20:15:35 ipsec,debug 80010005 80030001 80020001 80040002
May/10/2020 20:15:35 ipsec,debug begin.
May/10/2020 20:15:35 ipsec,debug seen nptype=2(prop) len=40
May/10/2020 20:15:35 ipsec,debug succeed.
May/10/2020 20:15:35 ipsec,debug proposal #1 len=40
May/10/2020 20:15:35 ipsec,debug begin.
May/10/2020 20:15:35 ipsec,debug seen nptype=3(trns) len=32
May/10/2020 20:15:35 ipsec,debug succeed.
May/10/2020 20:15:35 ipsec,debug transform #1 len=32
May/10/2020 20:15:35 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
May/10/2020 20:15:35 ipsec,debug type=Life Duration, flag=0x8000, lorv=1800
May/10/2020 20:15:35 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/10/2020 20:15:35 ipsec,debug,packet encryption(3des)
May/10/2020 20:15:35 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/10/2020 20:15:35 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5
May/10/2020 20:15:35 ipsec,debug hash(md5)
May/10/2020 20:15:35 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/10/2020 20:15:35 ipsec,debug dh(modp1024)
May/10/2020 20:15:35 ipsec,debug pair 1:
May/10/2020 20:15:35 ipsec,debug  0x49b690: next=(nil) tnext=(nil)
May/10/2020 20:15:35 ipsec,debug proposal #1: 1 transform
May/10/2020 20:15:35 ipsec,debug -checking with pre-shared key auth-
May/10/2020 20:15:35 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
May/10/2020 20:15:35 ipsec,debug trns#=1, trns-id=IKE
May/10/2020 20:15:35 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
May/10/2020 20:15:35 ipsec,debug type=Life Duration, flag=0x8000, lorv=1800
May/10/2020 20:15:35 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May/10/2020 20:15:35 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
May/10/2020 20:15:35 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5
May/10/2020 20:15:35 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May/10/2020 20:15:35 ipsec,debug -compare proposal #1: Local:Peer
May/10/2020 20:15:35 ipsec,debug (lifetime = 1800:1800)
May/10/2020 20:15:35 ipsec,debug (lifebyte = 0:0)
May/10/2020 20:15:35 ipsec,debug enctype = 3DES-CBC:3DES-CBC
May/10/2020 20:15:35 ipsec,debug (encklen = 0:0)
May/10/2020 20:15:35 ipsec,debug hashtype = MD5:MD5
May/10/2020 20:15:35 ipsec,debug authmethod = pre-shared key:pre-shared key
May/10/2020 20:15:35 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group
May/10/2020 20:15:35 ipsec,debug -an acceptable proposal found-
May/10/2020 20:15:35 ipsec,debug dh(modp1024)
May/10/2020 20:15:35 ipsec,debug -agreed on pre-shared key auth-
May/10/2020 20:15:35 ipsec,debug ===
May/10/2020 20:15:35 ipsec,debug dh(modp1024)
May/10/2020 20:15:35 ipsec,debug,packet compute DH's private.
May/10/2020 20:15:35 ipsec,debug,packet 7c81c189 2c2b4c7f f13392b5 fc91afd0 f16f9c76 0652d545 fde9f513 ffd82203
May/10/2020 20:15:35 ipsec,debug,packet 5b527e1c bb79d06e 3d40d090 58c13996 a4ab1b80 1c4ccf32 62a58ea7 eedc1fa2
May/10/2020 20:15:35 ipsec,debug,packet 4d0cc28f 9e2aa43b 0ea35ae9 62e6773e 6914af05 e7fd9e45 67bb1f5c abc44f23
May/10/2020 20:15:35 ipsec,debug,packet bac8ffd9 8a011a0d d81a6e5c 9571b2d8 8e0ff422 71a651c5 53733561 f6844bb4
May/10/2020 20:15:35 ipsec,debug,packet compute DH's public.
May/10/2020 20:15:35 ipsec,debug,packet ade76e1f fac2c655 0fbef3c5 012eeda6 6c0e85f6 d3723f60 b0592ede b219a5b2
May/10/2020 20:15:35 ipsec,debug,packet 7ed97d16 9e231e44 ce60ecd7 e2e347c1 9f270956 32af0eeb cca55a3b 4281da68
May/10/2020 20:15:35 ipsec,debug,packet b84eda47 e0b8b1f3 e507ac48 1e3e5ac8 d2d77b1e ae16b45b 1105355b 64080723
May/10/2020 20:15:35 ipsec,debug,packet 72961315 ed94f3a0 14531e84 42c5975a 360d6ea3 a777053c 03f98e0b 05f0805e
May/10/2020 20:15:35 ipsec,debug add payload of len 128, next type 10
May/10/2020 20:15:35 ipsec,debug add payload of len 24, next type 0
May/10/2020 20:15:35 ipsec,debug 188 bytes from 194.155.200.148[500] to 178.186.156.152[500]
May/10/2020 20:15:35 ipsec,debug 1 times of 188 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:35 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 04100200 00000000 000000bc 0a000084
May/10/2020 20:15:35 ipsec,debug,packet ade76e1f fac2c655 0fbef3c5 012eeda6 6c0e85f6 d3723f60 b0592ede b219a5b2
May/10/2020 20:15:35 ipsec,debug,packet 7ed97d16 9e231e44 ce60ecd7 e2e347c1 9f270956 32af0eeb cca55a3b 4281da68
May/10/2020 20:15:35 ipsec,debug,packet b84eda47 e0b8b1f3 e507ac48 1e3e5ac8 d2d77b1e ae16b45b 1105355b 64080723
May/10/2020 20:15:35 ipsec,debug,packet 72961315 ed94f3a0 14531e84 42c5975a 360d6ea3 a777053c 03f98e0b 05f0805e
May/10/2020 20:15:35 ipsec,debug,packet 0000001c e2b0602d 624d61e9 1d59b054 37dcf6a6 545d7568 37f225d1
May/10/2020 20:15:36 ipsec,debug ===== received 180 bytes from 178.186.156.152[500] to 194.155.200.148[500]
May/10/2020 20:15:36 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 04100200 00000000 000000b4 0a000084
May/10/2020 20:15:36 ipsec,debug,packet 5b4798af bfa7f3ef 7c971a9e 0276aedd d4c3ce2d b0f50d79 73af5a5e 3cb18e9f
May/10/2020 20:15:36 ipsec,debug,packet f3da1e4e f4b28450 a99fc65f 19f25851 0bebede0 b142b301 40075b78 6cbb4748
May/10/2020 20:15:36 ipsec,debug,packet 889b7ad8 964c53f0 a9338c2a 2f2926ae c0fa2f43 aca6a2fd 2b7ddef9 df748532
May/10/2020 20:15:36 ipsec,debug,packet 0a6a7537 db6bff9b 75b07808 7ee5f2ba d3cb8627 361d1da7 04993c06 5e54a1cf
May/10/2020 20:15:36 ipsec,debug,packet 00000014 a8f63d3b e24a9834 75150393 791dbac5
May/10/2020 20:15:36 ipsec,debug begin.
May/10/2020 20:15:36 ipsec,debug seen nptype=4(ke) len=132
May/10/2020 20:15:36 ipsec,debug seen nptype=10(nonce) len=20
May/10/2020 20:15:36 ipsec,debug succeed.
May/10/2020 20:15:36 ipsec,debug ===
May/10/2020 20:15:36 ipsec,debug dh(modp1024)
May/10/2020 20:15:36 ipsec,debug,packet compute DH's shared.
May/10/2020 20:15:36 ipsec,debug,packet 
May/10/2020 20:15:36 ipsec,debug,packet 70826fa0 74c138c6 fa60b05b 0aad1159 c94ceab0 ead481a7 44c2cd1a e0f4bfbd
May/10/2020 20:15:36 ipsec,debug,packet 680d7225 bfb45cc5 4dd271af abf05a75 c2794153 a74aec60 2fbf87b1 aaa0127f
May/10/2020 20:15:36 ipsec,debug,packet fbda3bd7 830b68b7 478db8ec 45e0a5bd 671666a5 3e308adf 748b4f1b 239a7591
May/10/2020 20:15:36 ipsec,debug,packet 1d71839a bf9de325 37ef6562 2c5b7fdb f5fb411c fc179f9e 6cdfba5e 8251ef1f
May/10/2020 20:15:36 ipsec,debug nonce 1: 
May/10/2020 20:15:36 ipsec,debug e2b0602d 624d61e9 1d59b054 37dcf6a6 545d7568 37f225d1
May/10/2020 20:15:36 ipsec,debug nonce 2: 
May/10/2020 20:15:36 ipsec,debug a8f63d3b e24a9834 75150393 791dbac5
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug SKEYID computed:
May/10/2020 20:15:36 ipsec,debug 11c315fa 2319c44f 4090ee73 4995764e
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug SKEYID_d computed:
May/10/2020 20:15:36 ipsec,debug 820c8889 db94918e 1156367f 3bda91eb
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug SKEYID_a computed:
May/10/2020 20:15:36 ipsec,debug 8d6f737a b8cedbf1 4e98309c bea75911
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug SKEYID_e computed:
May/10/2020 20:15:36 ipsec,debug e242e822 e41f9b29 6c19838a 5c08bddd
May/10/2020 20:15:36 ipsec,debug,packet encryption(3des)
May/10/2020 20:15:36 ipsec,debug hash(md5)
May/10/2020 20:15:36 ipsec,debug len(SKEYID_e) < len(Ka) (16 < 24), generating long key (Ka = K1 | K2 | ...)
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug compute intermediate encryption key K1
May/10/2020 20:15:36 ipsec,debug 00
May/10/2020 20:15:36 ipsec,debug 5aca160c ac016a4c 9a809506 5062a26f
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug compute intermediate encryption key K2
May/10/2020 20:15:36 ipsec,debug 5aca160c ac016a4c 9a809506 5062a26f
May/10/2020 20:15:36 ipsec,debug cbc1ecfd 127f7308 e71841e3 74c75552
May/10/2020 20:15:36 ipsec,debug final encryption key computed:
May/10/2020 20:15:36 ipsec,debug 5aca160c ac016a4c 9a809506 5062a26f cbc1ecfd 127f7308
May/10/2020 20:15:36 ipsec,debug hash(md5)
May/10/2020 20:15:36 ipsec,debug,packet encryption(3des)
May/10/2020 20:15:36 ipsec,debug IV computed:
May/10/2020 20:15:36 ipsec,debug 84eec570 6aa30f57
May/10/2020 20:15:36 ipsec,debug use ID type of IPv4_address
May/10/2020 20:15:36 ipsec,debug,packet HASH with:
May/10/2020 20:15:36 ipsec,debug,packet ade76e1f fac2c655 0fbef3c5 012eeda6 6c0e85f6 d3723f60 b0592ede b219a5b2
May/10/2020 20:15:36 ipsec,debug,packet 7ed97d16 9e231e44 ce60ecd7 e2e347c1 9f270956 32af0eeb cca55a3b 4281da68
May/10/2020 20:15:36 ipsec,debug,packet b84eda47 e0b8b1f3 e507ac48 1e3e5ac8 d2d77b1e ae16b45b 1105355b 64080723
May/10/2020 20:15:36 ipsec,debug,packet 72961315 ed94f3a0 14531e84 42c5975a 360d6ea3 a777053c 03f98e0b 05f0805e
May/10/2020 20:15:36 ipsec,debug,packet 5b4798af bfa7f3ef 7c971a9e 0276aedd d4c3ce2d b0f50d79 73af5a5e 3cb18e9f
May/10/2020 20:15:36 ipsec,debug,packet f3da1e4e f4b28450 a99fc65f 19f25851 0bebede0 b142b301 40075b78 6cbb4748
May/10/2020 20:15:36 ipsec,debug,packet 889b7ad8 964c53f0 a9338c2a 2f2926ae c0fa2f43 aca6a2fd 2b7ddef9 df748532
May/10/2020 20:15:36 ipsec,debug,packet 0a6a7537 db6bff9b 75b07808 7ee5f2ba d3cb8627 361d1da7 04993c06 5e54a1cf
May/10/2020 20:15:36 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 00000001 00000001 00000028 01010001
May/10/2020 20:15:36 ipsec,debug,packet 00000020 01010000 800b0001 800c0708 80010005 80030001 80020001 80040002
May/10/2020 20:15:36 ipsec,debug,packet 011101f4 5e37c830
May/10/2020 20:15:36 ipsec,debug,packet hmac(hmac_md5)
May/10/2020 20:15:36 ipsec,debug,packet HASH computed:
May/10/2020 20:15:36 ipsec,debug,packet 4479c4c9 0934cc7f f0ea3ad3 2a839a88
May/10/2020 20:15:36 ipsec,debug add payload of len 8, next type 8
May/10/2020 20:15:36 ipsec,debug add payload of len 16, next type 0
May/10/2020 20:15:36 ipsec,debug,packet begin encryption.
May/10/2020 20:15:36 ipsec,debug,packet encryption(3des)
May/10/2020 20:15:36 ipsec,debug,packet pad length = 8
May/10/2020 20:15:36 ipsec,debug,packet 0800000c 011101f4 5e37c830 00000014 4479c4c9 0934cc7f f0ea3ad3 2a839a88
May/10/2020 20:15:36 ipsec,debug,packet dca36447 057cbc07
May/10/2020 20:15:36 ipsec,debug,packet encryption(3des)
May/10/2020 20:15:36 ipsec,debug,packet with key:
May/10/2020 20:15:36 ipsec,debug,packet 5aca160c ac016a4c 9a809506 5062a26f cbc1ecfd 127f7308
May/10/2020 20:15:36 ipsec,debug,packet encrypted payload by IV:
May/10/2020 20:15:36 ipsec,debug,packet 84eec570 6aa30f57
May/10/2020 20:15:36 ipsec,debug,packet save IV for next:
May/10/2020 20:15:36 ipsec,debug,packet f1559046 289c5547
May/10/2020 20:15:36 ipsec,debug,packet encrypted.
May/10/2020 20:15:36 ipsec,debug 68 bytes from 194.155.200.148[500] to 178.186.156.152[500]
May/10/2020 20:15:36 ipsec,debug 1 times of 68 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:36 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 05100201 00000000 00000044 262aaa59
May/10/2020 20:15:36 ipsec,debug,packet 91985ab2 e0cdc069 296ff713 d0fbd8a6 9e638890 a650cb56 55951356 f1559046
May/10/2020 20:15:36 ipsec,debug,packet 289c5547
May/10/2020 20:15:46 ipsec,debug ===== received 180 bytes from 178.186.156.152[500] to 194.155.200.148[500]
May/10/2020 20:15:46 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 04100200 00000000 000000b4 0a000084
May/10/2020 20:15:46 ipsec,debug,packet 5b4798af bfa7f3ef 7c971a9e 0276aedd d4c3ce2d b0f50d79 73af5a5e 3cb18e9f
May/10/2020 20:15:46 ipsec,debug,packet f3da1e4e f4b28450 a99fc65f 19f25851 0bebede0 b142b301 40075b78 6cbb4748
May/10/2020 20:15:46 ipsec,debug,packet 889b7ad8 964c53f0 a9338c2a 2f2926ae c0fa2f43 aca6a2fd 2b7ddef9 df748532
May/10/2020 20:15:46 ipsec,debug,packet 0a6a7537 db6bff9b 75b07808 7ee5f2ba d3cb8627 361d1da7 04993c06 5e54a1cf
May/10/2020 20:15:46 ipsec,debug,packet 00000014 a8f63d3b e24a9834 75150393 791dbac5
May/10/2020 20:15:46 ipsec,debug 1 times of 68 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:46 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 05100201 00000000 00000044 262aaa59
May/10/2020 20:15:46 ipsec,debug,packet 91985ab2 e0cdc069 296ff713 d0fbd8a6 9e638890 a650cb56 55951356 f1559046
May/10/2020 20:15:46 ipsec,debug,packet 289c5547
May/10/2020 20:15:46 ipsec,debug 68 bytes from 194.155.200.148[500] to 178.186.156.152[500]
May/10/2020 20:15:46 ipsec,debug 1 times of 68 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:46 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 05100201 00000000 00000044 262aaa59
May/10/2020 20:15:46 ipsec,debug,packet 91985ab2 e0cdc069 296ff713 d0fbd8a6 9e638890 a650cb56 55951356 f1559046
May/10/2020 20:15:46 ipsec,debug,packet 289c5547
May/10/2020 20:15:56 ipsec,debug 68 bytes from 194.155.200.148[500] to 178.186.156.152[500]
May/10/2020 20:15:56 ipsec,debug 1 times of 68 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:56 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 05100201 00000000 00000044 262aaa59
May/10/2020 20:15:56 ipsec,debug,packet 91985ab2 e0cdc069 296ff713 d0fbd8a6 9e638890 a650cb56 55951356 f1559046
May/10/2020 20:15:56 ipsec,debug,packet 289c5547
May/10/2020 20:15:56 ipsec,debug ===== received 180 bytes from 178.186.156.152[500] to 194.155.200.148[500]
May/10/2020 20:15:56 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 04100200 00000000 000000b4 0a000084
May/10/2020 20:15:56 ipsec,debug,packet 5b4798af bfa7f3ef 7c971a9e 0276aedd d4c3ce2d b0f50d79 73af5a5e 3cb18e9f
May/10/2020 20:15:56 ipsec,debug,packet f3da1e4e f4b28450 a99fc65f 19f25851 0bebede0 b142b301 40075b78 6cbb4748
May/10/2020 20:15:56 ipsec,debug,packet 889b7ad8 964c53f0 a9338c2a 2f2926ae c0fa2f43 aca6a2fd 2b7ddef9 df748532
May/10/2020 20:15:56 ipsec,debug,packet 0a6a7537 db6bff9b 75b07808 7ee5f2ba d3cb8627 361d1da7 04993c06 5e54a1cf
May/10/2020 20:15:56 ipsec,debug,packet 00000014 a8f63d3b e24a9834 75150393 791dbac5
May/10/2020 20:15:56 ipsec,debug 1 times of 68 bytes message will be sent to 178.186.156.152[500]
May/10/2020 20:15:56 ipsec,debug,packet 4f89d969 8f1667cc c280a981 39457208 05100201 00000000 00000044 262aaa59
May/10/2020 20:15:56 ipsec,debug,packet 91985ab2 e0cdc069 296ff713 d0fbd8a6 9e638890 a650cb56 55951356 f1559046
May/10/2020 20:15:56 ipsec,debug,packet 289c5547

And here is the configuration:

# may/10/2020 20:12:32 by RouterOS 6.47beta60
# software id = 04AJ-1QPS
#
# model = 2011UiAS-2HnD
# serial number = 614A04950F47
/interface bridge
add admin-mac=4C:5E:0C:F3:7A:01 auto-mac=no comment=defconf name=bridge

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN


/ip ipsec peer
add address=178.186.156.152/32 local-address=194.155.200.148 name=myoffice \
    send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
    md5 lifetime=30m name=myoffice nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 use-encryption=no use-ipv6=default
add name=profile1 use-encryption=no
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn use-ipv6=default

/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=WAN
/ip settings
set rp-filter=strict
/interface l2tp-server server
set enabled=yes ipsec-secret=mypasswd use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireless access-list
add mac-address=40:9C:26:B4:DE:5E
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.88 client-id=1:0:1d:7d:8:c6:5f mac-address=\
    00:1D:7D:08:C6:5F server=defconf
add address=192.168.88.87 client-id=1:74:27:ea:f4:3c:31 comment="SC" \
    mac-address=74:27:EA:F4:3C:31 server=defconf
add address=192.168.88.98 client-id=1:0:11:32:8a:b1:b comment=Sno \
    mac-address=00:11:32:8A:B1:0B server=defconf
add address=192.168.88.91 client-id=1:98:ee:cb:75:df:64 comment=\
    "Ala" mac-address=98:EE:CB:75:DF:64 server=defconf
add address=192.168.88.94 client-id=1:d0:27:88:43:97:5 comment=Sn \
    mac-address=D0:27:88:43:97:05 server=defconf
add address=192.168.88.90 client-id=1:c0:3f:d5:45:9a:17 comment=Brlp \
    mac-address=C0:3F:D5:45:9A:17 server=defconf
add address=192.168.88.85 client-id=1:40:9C:26:B4:DE:5E comment=\
    "Selp" mac-address=40:9C:26:B4:DE:5E server=defconf
add address=192.168.88.92 client-id=1:c0:3f:d5:b:6a:49 mac-address=\
    C0:3F:D5:0B:6A:49 server=defconf
add address=192.168.88.84 client-id=1:40:8d:5c:7a:10:a7 mac-address=\
    40:8D:5C:7A:10:A7 server=defconf
add address=192.168.88.83 client-id=1:68:fe:f7:11:92:77 comment="SelMac" \
    mac-address=68:FE:F7:11:92:77 server=defconf
add address=192.168.88.82 client-id=1:9c:93:4e:36:17:27 comment=\
    "Ya20 " mac-address=9C:93:4E:36:17:27 server=defconf
add address=192.168.88.80 client-id=1:10:2:b5:26:a3:db comment=SE-Laptop \
    mac-address=10:02:B5:26:A3:DB server=defconf
add address=192.168.88.78 client-id=1:0:9:df:a6:e2:4a comment=\
    "Alpy" mac-address=00:09:DF:A6:E2:4A server=defconf
add address=192.168.88.224 client-id=1:48:5a:3f:12:2c:ae comment=\
    "Lima" mac-address=48:5A:3F:12:2C:AE server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=192.168.88.10-192.168.0.254 list=clients
add address=176.221.116.10 comment=blacklist list=blacklist
/ip firewall filter
add chain=input comment="Handle already established connections 1" \
    connection-state=established
add chain=input comment="Handle already established connections 2" \
    connection-state=related
add chain=forward comment="Handle already established connections 3" \
    connection-state=established
add chain=forward comment="Handle already established connections 4" \
    connection-state=related
add chain=output comment="Handle already established connections 5" \
    connection-state=established
add chain=output comment="Handle already established connections 6" \
    connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward connection-state=established,related \
    disabled=yes dst-address=192.168.2.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="Access to branch office" \
    connection-state=established,related dst-address=178.186.156.152
add action=accept chain=forward connection-state=established,related \
    disabled=yes dst-address=192.168.88.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 \
    protocol=udp
add action=accept chain=input comment="IPSec ports from the WAN (Se) 500" \
    port=500 protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" disabled=\
    yes dst-port=1701 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" disabled=\
    yes dst-port=4500 protocol=udp
add action=accept chain=input comment="IPSec ports from the WAN (Se) 1701" \
    disabled=yes port=1701 protocol=tcp
add action=accept chain=input comment="IPSec ports from the WAN (Se) 4500" \
    disabled=yes port=4500 protocol=tcp
add action=accept chain=input comment="IPSec ports from the WAN (SE)" \
    protocol=ipencap
add action=accept chain=output comment="IPSec ports from the WAN (SE)" \
    protocol=ipsec-esp
add action=accept chain=input comment="IPSec ports from the WAN (SE)" \
    ipsec-policy=in,ipsec protocol=l2tp
add action=accept chain=input comment="IPSec ports from the WAN (SE)" \
    disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=output comment="Allow IKE/NAT-T for IPSec 500" \
    log-prefix=IKE/NAT-T protocol=udp src-port=500
add action=accept chain=output comment="Allow IKE/NAT-T for IPSec 4500" \
    disabled=yes log-prefix=IKE/NAT-T protocol=udp src-port=4500
add action=accept chain=input disabled=yes protocol=ipsec-ah
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="Blacklist Drop" connection-state=new \
    src-address-list=blacklist
add action=drop chain=forward comment="Bloked Sites" dst-address-list=\
    bloke_siteler
add action=drop chain=forward comment="Bittorent Blcok" \
    layer7-protocol=Bittorent

add action=reject chain=forward comment="Client Isolation" dst-address-list=\
    clients reject-with=icmp-network-unreachable src-address-list=clients
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (se) " \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack DNS (se) udp" dst-port=53 protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark \
    new-connection-mark=ipsec passthrough=yes src-address=194.155.200.148
add action=mark-connection chain=output connection-mark=no-mark dst-address=\
    178.186.156.152 dst-port=500,4500 new-connection-mark=ipsec passthrough=yes \
    protocol=udp
add action=mark-connection chain=output connection-mark=no-mark dst-address=\
    178.186.156.152 new-connection-mark=ipsec passthrough=yes protocol=ipsec-esp
add action=mark-routing chain=output connection-mark=ipsec new-routing-mark=\
    backup passthrough=no
add action=mark-connection chain=output connection-mark=no-mark dst-port=\
    500,4500 new-connection-mark=ipsec passthrough=yes protocol=udp \
    src-address=194.155.200.148
/ip firewall nat
add action=accept chain=srcnat dst-address=178.186.156.152 src-address=\
    194.155.200.148
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.158.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=all
add action=accept chain=srcnat comment="17 udp 500 port " protocol=udp \
    src-port=500
add action=accept chain=srcnat comment=ipsec-esp protocol=ipsec-esp
add action=accept chain=srcnat comment=4500 disabled=yes protocol=udp \
    src-port=4500
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Yandex DNS" disabled=yes dst-port=53 \
    protocol=udp to-addresses=77.88.8.7 to-ports=53
add action=dst-nat chain=dstnat comment="Yandex DNS" disabled=yes dst-port=53 \
    protocol=tcp to-addresses=77.88.8.7 to-ports=53
add action=dst-nat chain=dstnat comment=CCTV dst-port=34567 port=34567 \
    protocol=tcp to-addresses=192.168.88.79 to-ports=34567
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=192.168.88.0/24 \
    src-address=192.168.2.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.2.0/24 \
    src-address=192.168.88.0/24
/ip ipsec identity
add generate-policy=port-strict peer=myoffice secret=mypasswd
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=178.186.156.152/32 src-address=194.155.200.148/32
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes

/ppp l2tp-secret
add address=192.168.2.0/24 secret=mypasswd

/ppp secret
add name=myoffice password=mypasswd profile=profile1
add name=vpn password=mypasswd

/system logging
add action=remote topics=dns
add topics=ipsec,debug
add disabled=yes prefix="L2TPDBG===>" topics=l2tp
add disabled=yes prefix="IPSECDBG===>" topics=ipsec
add topics=firewall
add topics=firewall,info,debug
add topics=l2tp,info,!debug
add topics=ppp,info,!debug
add topics=pptp,info,!debug
add topics=ipsec,error
add topics=ipsec,event

/system ntp client
set enabled=yes primary-ntp=128.105.39.11 secondary-ntp=194.58.203.20

/system package update
set channel=testing

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool mac-server ping
set enabled=no

IPsec in 6.47beta60 seems to be broken; multiple users report this: http://forum.mikrotik.com/t/v6-47beta-testing-is-released/135326/1
In your log in particular, I can see the IPsec stack has received a packet from the remote peer but didn’t bother to parse it.

What feature in 6.47beta60 is so important for you that you’ve chosen it?

Did the previous Zyxel work against this ROS version or some other one?

Thank you. I've changed the version to 6.46.6.
Yesterday I tried my luck with it :)

Yes, previous Zyxel was working successfully.

Maybe the reason for ignoring the packet is that it has not been sent in the correct form by the Zyxel. Is that possible?

BTW, today I tried with the NAT-T option enabled on both sides, but it didn't work either. The Zyxel does not support any NAT rules except port forwarding, as far as I can see. It has very limited (basic) administration options. The interface is user friendly; that's the only part I like about the Zyxel.

Should I try different encapsulation or hashing options? Does that make sense?

It is, although I’d expect some comment on that in the log.


Wait, it sounds to me as if you confuse NAT and NAT-T. NAT is the address translation itself, which is not necessary at Zyxel side as it has a public address on itself (if I got you right).
NAT-T is NAT-Traversal, a mechanism specific to IPsec which detects the existence of NAT on the path between the peers and modifies the way the transport packets are formed. I can see in the log from a few days ago that the IKE exchange was on port 500 all the time; I don't remember the initial exchange off the top of my head, so I can't say whether the NAT detection phase should already have been done when it failed or whether it did not reach the NAT detection phase at all, but in your last configuration export, NAT-T was disabled in the peer profile.

So have you set nat-traversal to yes in the /ip ipsec profile row to which the /ip ipsec peer row representing the Zyxel refers? If not, do that, and if the connection still doesn’t come up, take the log again (from the very beginning, the start part is missing in the one you’ve posted) and post it.


I’d say not at this stage as the log says that the encryption and authentication negotiation has succeeded.

My experience with “being behind a NAT” is that for symmetric connections (IPsec tunnel, GRE/IPsec tunnel, etc.) it only works reliably when you make a static port forward in the NAT router.
This is less of a problem for asymmetric connections (like L2TP/IPsec) but there still can be issues e.g. when the NAT router is rebooted while the session is established.

The issue is that without such port forwards, the NAT router can sometimes translate port numbers. For example, the session is sometimes entered in the router as UDP port 500->500 (on the other side you see source port 500), but sometimes the source port is mapped to a different port (you send 500->500 but the other side sees 32000->500, for example).
This mapping is reversed for traffic in the other direction. But IPsec does not see that traffic as matching and the connection fails to establish with messages like “packet re-sent” all the time.

This can happen when the NAT router believes there is some new session and the existing entry for 500->500 is still in place (not timed out), so it generates a new entry and is forced to do this port translation.
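To make the two replies above concrete, here is an added example (mine, not code from the thread, from RouterOS or from the Zyxel firmware) that models what NAT-T actually does during the IKEv1 exchange and what the port translation described in the last reply looks like from the responder's side. It builds the RFC 3947 NAT-D payloads, HASH(CKY-I | CKY-R | IP | Port), runs them through a minimal port-translating NAT, and shows how the responder detects that the initiator sits behind a NAT whether the port was preserved (500->500) or remapped (32000->500). Everything concrete is constructed: the cookies, the RFC 5737 documentation addresses and the port 32000; MD5 is used only because the posted profile has hash-algorithm=md5.

```python
"""IKEv1 NAT-Traversal detection (RFC 3947 NAT-D payloads) worked through
in pure Python.  Added example for the two replies above; it is not code
from the thread, from RouterOS or from the Zyxel firmware.  Everything
concrete here is constructed: the cookies, the RFC 5737 documentation
addresses and the translated port 32000.  MD5 is used only because the
posted profile has hash-algorithm=md5."""
import hashlib
import socket
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """NAT-D payload data = HASH(CKY-I | CKY-R | IP | Port) (RFC 3947 s.3.2):
    raw 4-byte IPv4 address followed by the port as a 2-byte network-order int."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(socket.inet_aton(ip))
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """Sender side: first the hash of the destination it is sending to, then the
    hash of its own source address *as it knows it* (private, if behind a NAT)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def check_nat_d(cky_i, cky_r, payloads, own_ip, own_port, seen_ip, seen_port):
    """Receiver side.  Payload 0 is compared with our own address: a mismatch
    means a NAT rewrote the destination, i.e. WE sit behind one.  The rest are
    compared with the packet's actual source: no match means the PEER sits
    behind one.  Either way IKE floats to UDP 4500 and ESP gets UDP-encapsulated."""
    local = payloads[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    peer = nat_d_hash(cky_i, cky_r, seen_ip, seen_port) not in payloads[1:]
    return {"local_behind_nat": local, "peer_behind_nat": peer}


class PortTranslatingNat:
    """Minimal PAT model.  A private (ip, port) keeps its port number on the
    public side when that public port is free; if a stale binding still holds
    it (not timed out), the NAT must pick another port: the 32000->500 case."""

    def __init__(self, public_ip, first_ephemeral=32000):
        self.public_ip = public_ip
        self.bindings = {}          # (private_ip, private_port) -> public_port
        self.in_use = set()         # public ports currently bound
        self.next_port = first_ephemeral

    def occupy(self, public_port):
        """Model an old session whose binding on public_port has not expired."""
        self.in_use.add(public_port)

    def translate(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.bindings:
            public_port = private_port
            if public_port in self.in_use:
                public_port, self.next_port = self.next_port, self.next_port + 1
            self.bindings[key] = public_port
            self.in_use.add(public_port)
        return self.public_ip, self.bindings[key]


def run_exchange(stale_entry_on_500, initiator_behind_nat=True):
    """Initiator sends main-mode message 3 (the first one carrying NAT-D) to a
    responder on a public address.  Returns what the responder sees and decides."""
    cky_i = bytes.fromhex("0102030405060708")      # constructed cookies
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")
    initiator = ("192.0.2.10", 500)               # initiator's own view of itself
    responder = ("198.51.100.1", 500)

    payloads = build_nat_d_payloads(cky_i, cky_r, *responder, *initiator)
    if initiator_behind_nat:
        nat = PortTranslatingNat("203.0.113.7")
        if stale_entry_on_500:
            nat.occupy(500)
        seen = nat.translate(*initiator)           # what leaves the NAT
    else:
        seen = initiator
    return {"observed_src": seen, **check_nat_d(cky_i, cky_r, payloads, *responder, *seen)}


if __name__ == "__main__":
    # (stale_entry_on_500, initiator_behind_nat): no NAT, NAT with port kept, NAT with port remapped
    for args in ((False, False), (False, True), (True, True)):
        print(args, run_exchange(*args))
```

The point to take from it: the NAT-D comparison only happens when both peers include the payloads, which in RouterOS is what nat-traversal=yes in the /ip ipsec profile switches on; with it set to no, neither the address change nor the 500->32000 port remap is ever detected, the responder just sees IKE packets from an address/port it cannot reconcile with its peer entry and keeps retransmitting, which matches the "deleted the retransmission packet" / "phase1 negotiation failed due to time up" pattern in the log.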