IPSEC VPN TUNNEL DOESN'T WORK

I’m a new user of MikroTik routers, and I am trying to create an IPsec tunnel between 2 MikroTik routers, but the tunnel doesn’t work.
The RouterOS version is 2.8.28.

Please help me.

CONFIG OF ROUTER 1

# Config of router 1 as posted: WAN side 10.0.0.1/24, LAN side 192.168.10.0/24.
# Lines wrapped by the forum belong to the preceding add/set command.
/ ip address
add address=10.0.0.1/24 network=10.0.0.0 broadcast=10.0.0.255 interface=WAN
comment=“” disabled=no
add address=192.168.10.254/24 network=192.168.10.0 broadcast=192.168.10.255
interface=LAN comment=“” disabled=no

# All three filter chains default to accept and no filter rules are listed, so
# IKE (UDP/500) and ESP from the peer are not blocked here - but nothing else
# reaching the router is either. NOTE(review): once the tunnel is up, consider
# restricting the input chain to what the peer at 10.0.0.2 actually needs.
/ ip firewall
set input name=“input” policy=accept comment=“”
set forward name=“forward” policy=accept comment=“”
set output name=“output” policy=accept comment=“”
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
# Rule order matters: the masquerade rule is listed first, so traffic from
# 192.168.10.0/24 to 192.168.20.0/24 leaving via WAN is src-natted to 10.0.0.1
# before the accept rule below is reached, and then no longer matches the
# src-address of the IPsec policy. The accept rule has to come first.
/ ip firewall src-nat
add out-interface=WAN action=masquerade comment=“” disabled=no
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=accept
comment=“” disabled=no
# Connection-tracking timeouts as exported.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m
tcp-established-timeout=5d tcp-fin-wait-timeout=2m
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m

# Tunnel-mode ESP policy for LAN-to-LAN traffic (all protocols, encryption
# required); the SA runs between the WAN addresses 10.0.0.1 -> 10.0.0.2 and
# uses the “default” proposal defined below.
/ ip ipsec policy
add src-address=192.168.10.0/24:any dst-address=192.168.20.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=10.0.0.1 sa-dst-address=10.0.0.2 proposal=default
manual-sa=none dont-fragment=clear disabled=no
# IKE phase 1 to the peer's WAN address, main mode, pre-shared key.
# NOTE(review): the key is reproduced in clear text in this post - treat it as
# disclosed and replace it on both routers. 3DES, SHA1 and modp1024 are legacy
# choices by current standards; which stronger options exist depends on the
# RouterOS version in use.
/ ip ipsec peer
add address=10.0.0.2/32:500 secret=“gvejimezyfopmekun” generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 disabled=no
# Phase 2 proposal referenced by the policy above: 3DES/SHA1, PFS group
# modp1024, 30 minute lifetime, no byte limit.
/ ip ipsec proposal
add name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
lifebytes=0 pfs-group=modp1024 disabled=no


CONFIG OF ROUTER 2

# Config of router 2 as posted: WAN side 10.0.0.2/24, LAN side 192.168.20.0/24.
# It mirrors router 1 with the addresses swapped; lines wrapped by the forum
# belong to the preceding add/set command.
/ ip address
add address=10.0.0.2/24 network=10.0.0.0 broadcast=10.0.0.255 interface=WAN
comment=“” disabled=no
add address=192.168.20.254/24 network=192.168.20.0 broadcast=192.168.20.255
interface=LAN comment=“” disabled=no


# All three filter chains default to accept and no filter rules are listed, so
# IKE (UDP/500) and ESP from the peer are not blocked here - but nothing else
# reaching the router is either. NOTE(review): once the tunnel is up, consider
# restricting the input chain to what the peer at 10.0.0.1 actually needs.
/ ip firewall
set input name=“input” policy=accept comment=“”
set forward name=“forward” policy=accept comment=“”
set output name=“output” policy=accept comment=“”
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
# Same ordering problem as on router 1: the masquerade rule is matched first,
# so 192.168.20.0/24 -> 192.168.10.0/24 traffic is src-natted to 10.0.0.2 before
# the accept rule is reached and then fails to match the IPsec policy's
# src-address. The accept rule has to come first.
/ ip firewall src-nat
add out-interface=WAN action=masquerade comment=“” disabled=no
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=accept
comment=“” disabled=no
# Connection-tracking timeouts as exported.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m
tcp-established-timeout=5d tcp-fin-wait-timeout=2m
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m



# Tunnel-mode ESP policy for LAN-to-LAN traffic (all protocols, encryption
# required); the SA runs between the WAN addresses 10.0.0.2 -> 10.0.0.1 and
# uses the “default” proposal defined below.
/ ip ipsec policy
add src-address=192.168.20.0/24:any dst-address=192.168.10.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=10.0.0.2 sa-dst-address=10.0.0.1 proposal=default
manual-sa=none dont-fragment=clear disabled=no
# IKE phase 1 to the peer's WAN address, main mode, pre-shared key; the key
# and the phase 1 algorithms must match router 1 exactly.
# NOTE(review): the key is reproduced in clear text in this post - treat it as
# disclosed and replace it on both routers. 3DES, SHA1 and modp1024 are legacy
# choices by current standards; which stronger options exist depends on the
# RouterOS version in use.
/ ip ipsec peer
add address=10.0.0.1/32:500 secret=“gvejimezyfopmekun” generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 disabled=no
# Phase 2 proposal referenced by the policy above: 3DES/SHA1, PFS group
# modp1024, 30 minute lifetime, no byte limit - identical to router 1.
/ ip ipsec proposal
add name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
lifebytes=0 pfs-group=modp1024 disabled=no

In the src-nat rules the masquerade rule should be in second place and the accept rule first; otherwise the LAN-to-LAN traffic matches the masquerade rule first and is src-natted to the WAN address, so it no longer matches the source address of the IPsec policy.

Thank you very much, the tunnel works very well now.

:laughing: