ipsec tunnel to sonicwall (not site to site)

I can make the IPsec work (site to site) between the MikroTik and the SonicWall just fine. What we are trying to do is remove the routing from the policy so that we can test with static routes and then move on to OSPF.

I have switched the SonicWall to tunnel mode and now I have an interface to route over. The tunnel establishes, and with static routes in place I still can’t pass any traffic in either direction. I’m testing on 6.32rc6.

Here is the config

# LAN side: bridge1 groups ether2-ether5 (see the bridge port entries in this
# listing) and carries 192.168.89.0/24 with DHCP.
/interface bridge
add name=bridge1
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Default IPsec proposal (phase 2): MD5 integrity, 3DES encryption and PFS on
# the 768-bit MODP group. All three are legacy algorithms that current
# guidance no longer considers adequate for new tunnels. The values have to
# match the SonicWall's phase-2 settings, so any move to a stronger hash,
# cipher and DH group must be made on both devices together.
# NOTE(review): the break after "pfs-group=" looks like a line continuation
# lost when the export was pasted; the value is modp768.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des pfs-group=
modp768
# DHCP pool handed out on bridge1; .1 is left for the router itself.
/ip pool
add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# ether1 holds the public /27 address; bridge1 is the LAN gateway address.
/ip address
add address=66.187.165.134/27 interface=ether1 network=66.187.165.128
add address=192.168.89.1/24 interface=bridge1 network=192.168.89.0
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
set servers=8.8.8.8
# Filter rules: rate-based blacklisting for FTP (21), SSH (22) and telnet (23).
# Rules are evaluated top to bottom, so each "drop ... blacklist" rule sits
# above the rules that populate its list.
# NOTE(review): nothing shown here limits these services by source address or
# in-interface, and no closing drop rule for the input chain appears in this
# listing, so the three ports stay reachable on every interface, including
# ether1 with the public address. Telnet and FTP also carry credentials in
# cleartext. Restricting management to the LAN or an allow-list and ending
# the input chain with a drop would narrow the exposure; confirm against the
# full rule set.
/ip firewall filter
# FTP: drop sources already on ftp_blacklist.
add action=drop chain=input comment=“drop ftp brute forcers” dst-port=21
protocol=tcp src-address-list=ftp_blacklist
# No action given, so the default (accept) applies: "530 Login incorrect"
# replies are let through while they stay within the per-destination dst-limit.
add chain=output content=“530 Login incorrect” dst-limit=
1/1m,9,dst-address/1m protocol=tcp
# Replies that were not accepted by the rule above put the destination
# (the client) on ftp_blacklist for 3 hours.
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output content=“530 Login incorrect”
protocol=tcp
# SSH: drop sources already on ssh_blacklist.
add action=drop chain=input comment=“drop ssh brute forcers” dst-port=22
protocol=tcp src-address-list=ssh_blacklist
# Staged escalation, read bottom-up: every new connection to port 22 moves
# the source stage1 -> stage2 -> stage3 (each entry lasts 1 minute); a new
# connection from a stage3 source lands on ssh_blacklist for 1w3d.
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp
# Telnet: same staged scheme on port 23. The final list is named black_list
# (not telnet_blacklist) and its entries expire after 1 day.
add action=drop chain=input comment=“drop telnet brute forcers” dst-port=23
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list
address-list-timeout=1d chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp
# No matchers and no action: the default action is accept, so every forwarded
# packet is allowed. Traffic arriving through the tunnel is therefore not
# filtered by this chain.
add chain=forward
# Source NAT. Order matters: the rules without an action default to accept
# and act as NAT exemptions, so they must stay above the masquerade rule.
/ip firewall nat
# LAN -> 192.168.101.0/24 leaves with its original source address, so the
# far side of the tunnel sees 192.168.89.x rather than the public address.
add chain=srcnat dst-address=192.168.101.0/24 src-address=192.168.89.0/24
# Disabled exemption for 172.26.0.0/28 (pairs with the disabled peer/policy).
add chain=srcnat disabled=yes dst-address=172.26.0.0/28 src-address=
192.168.89.0/24
# Everything else from the LAN is masqueraded out ether1.
add action=masquerade chain=srcnat out-interface=ether1 src-address=
192.168.89.0/24
# Phase 1 peers: 3DES, MD5 and DH group modp768 (768-bit), 8h lifetime,
# DPD every 30s. These are the same legacy algorithms as the phase-2
# proposal; a stronger set needs to be configured on both devices at once.
# The pre-shared key is exported in plaintext ("secret=testvpn"). It is short
# and dictionary-like, and once a config is posted the key should be treated
# as disclosed: replace it with a long random value and strip secrets from
# exports before sharing them.
# NOTE(review): the peer addresses have five octets (1.1.1.1.1, 2.2.2.2.2), so
# they are not valid IPv4 and appear to be redaction placeholders.
/ip ipsec peer
add address=1.1.1.1.1/32 dh-group=modp768 dpd-interval=30s enc-algorithm=
3des hash-algorithm=md5 lifetime=8h local-address=0.0.0.0/32 secret=testvpn
add address=2.2.2.2.2/32 dh-group=modp768 disabled=yes dpd-interval=30s
enc-algorithm=3des hash-algorithm=md5 lifetime=8h local-address=0.0.0.0
secret=testvpn
# Policies (traffic selectors) for tunnel mode.
# NOTE(review): the active policy uses src-address=0.0.0.0/32 and
# dst-address=0.0.0.0/32. A /32 prefix covers only the single address 0.0.0.0;
# "any" would be 0.0.0.0/0. That may be relevant to the tunnel coming up
# without passing traffic; confirm the selectors against what the SonicWall
# tunnel interface negotiates. A /0 selector would also pull every packet
# into the tunnel, management traffic included, so widen it deliberately.
/ip ipsec policy
add dst-address=0.0.0.0/32 priority=1 sa-dst-address=1.1.1.1
sa-src-address=3.3.3.3 src-address=0.0.0.0/32 tunnel=yes
# Disabled subnet-to-subnet policy: LAN 192.168.89.0/24 to 172.26.0.0/28.
add disabled=yes dst-address=172.26.0.0/28 priority=1 sa-dst-address=
2.2.2.2.2 sa-src-address=3.3.3.3 src-address=192.168.89.0/24
tunnel=yes
# Static routes.
/ip route
# Default route. NOTE(review): 3.3.3.1 is outside both connected subnets in
# this listing, so it looks like a redacted value.
add distance=1 gateway=3.3.3.1
# Disabled route for 172.26.0.0/28 (matches the disabled peer and policy).
add check-gateway=ping disabled=yes distance=1 dst-address=172.26.0.0/28
gateway=bridge1
# Remote subnet 192.168.101.0/24 is pointed at bridge1, the LAN bridge.
# NOTE(review): no tunnel interface is defined on the MikroTik side in this
# listing, so this route does not by itself send traffic into IPsec; packets
# are encrypted only if an IPsec policy selector matches them. Confirm the
# intent of gateway=bridge1 and of check-gateway=ping on an interface gateway.
add check-gateway=ping distance=1 dst-address=192.168.101.0/24 gateway=
bridge1