IPsec site to site problem

RouterOS General
1

I cannot establish connection with 2 MK via ipsec, there is config from they. (MK 5.18)

1 PC

/ip ipsec policy>
src-address=192.168.3.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=212.xx.xx.107 sa-dst-address=212.xx.xx.109 proposal=default
priority=0

/ip ipsec peer>
address=212.xx.xxx.109/32 port=500 auth-method=pre-shared-key secret=“123” generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn=“” proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec proposal>
name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024

/ip firewall nat

0 chain=srcnat action=accept src-address=192.168.3.0/24 dst-address=192.168.2.0/24

1 chain=srcnat action=masquerade out-interface=WAN

2PC
/ip ipsec policy>
src-address=192.168.2.0/24 src-port=any dst-address=192.168.3.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=212.xx.xx.109 sa-dst-address=212.xx.xx.107 proposal=default
priority=0

/ip ipsec peer>
address=212.xx.xxx.107/32 port=500 auth-method=pre-shared-key secret=“123” generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn=“” proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec proposal>
name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024

/ip firewall nat

0 chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.3.0/24

1 chain=srcnat action=masquerade out-interface=WAN



log:

ipsec,debug 212.xx.xxx.107[500] used as isakmp port (fd=14)
19:34:25 ipsec,debug 192.168.3.1[500] used as isakmp port (fd=17)
19:34:25 ipsec,debug fe80::a00:27ff:fe5d:4633[500] used as isakmp port (fd=18)
19:34:25 ipsec,debug fe80::a00:27ff:fe52:8baf[500] used as isakmp port (fd=19)
19:34:25 ipsec,debug,packet installing phase2 config: id=0


Can someone give me idea there is trouble ?

2

How do your firewall filter rules look?

Are you allowing UDP 500 and esp on input?