I’ve had some trouble from time to time configuring IPSEC tunnels, usually because I get an IP address in the wrong spot or miss a /24 subnet or something, so here’s my solution. It’s an AutoHotkey script that will create default config files in the same location on the first run, which you can modify for your networks/VPN settings, and will then build Mikrotik commands that can be copied and pasted into each router. Requires AutoHotkey (I used Version 1.1), which can be downloaded here
https://autohotkey.com/download/
You can also compile the AHK file to an EXE so you don’t need to install AutoHotkey on each machine you want to use it on. Please note that some antivirus software will detect a virus/false positive in any compiled AHK no matter the contents of the script.
Let me know what you think. If you have thoughts on better default IPSEC encryption and authentication settings or MT commands/firewall rules, let me know. I also thought of a separate default config for IPSEC-accelerated hardware and non-accelerated hardware.
Please look over the generated config files carefully before dumping them into your routers. I’m not responsible for you downloading a config builder from some random guy on the internet and putting all of your trust in him.
Save the following script and run it.
#NoEnv ; Recommended for performance and compatibility with future AutoHotkey releases.
; #Warn ; Enable warnings to assist with detecting common errors.
SendMode Input ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir% ; Ensures a consistent starting directory.

; First run: write the default ini and the MikroTik template next to the script, then stop so they can be edited.
IfNotExist, DefaultConfig.ini
gosub CreateConfigFile
IfNotExist, IPSEC-ConfigTemplate.txt
gosub CreateIPSECConfigTemplate
IfEqual, vConfigsBuilt, 1
gosub ConfigsHadToBeCreated

FileRead, vMTConfigTemplate, IPSEC-ConfigTemplate.txt ; Read the MikroTik config template

; Read DefaultConfig.ini into variables
IniRead, vVPNSecretKey, DefaultConfig.ini, config, VPNSecretKey
IniRead, vPhase1Hash, DefaultConfig.ini, config, Phase1Hash
IniRead, vPhase1Enc, DefaultConfig.ini, config, Phase1Enc
IniRead, vPhase1DH, DefaultConfig.ini, config, Phase1DH
IniRead, vPhase2Auth, DefaultConfig.ini, config, Phase2Auth
IniRead, vPhase2Enc, DefaultConfig.ini, config, Phase2Enc
IniRead, vPhase2PFSGroup, DefaultConfig.ini, config, Phase2PFSGroup
IniRead, vSite1WANIP, DefaultConfig.ini, config, Site1WANIP
IniRead, vSite2WANIP, DefaultConfig.ini, config, Site2WANIP
IniRead, vSite1LANNetworkAndMask, DefaultConfig.ini, config, Site1LANNetworkAndMask
IniRead, vSite2LANNetworkAndMask, DefaultConfig.ini, config, Site2LANNetworkAndMask

; Build the config: each <Name> placeholder in the template is replaced with the ini value of the same name.
; The <Name> placeholder form is an assumption; the template written below uses it, so keep that form if you edit the template.
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <VPNSecretKey>, %vVPNSecretKey%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Phase1Hash>, %vPhase1Hash%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Phase1Enc>, %vPhase1Enc%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Phase1DH>, %vPhase1DH%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Phase2Auth>, %vPhase2Auth%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Phase2Enc>, %vPhase2Enc%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Phase2PFSGroup>, %vPhase2PFSGroup%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Site1WANIP>, %vSite1WANIP%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Site2WANIP>, %vSite2WANIP%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Site1LANNetworkAndMask>, %vSite1LANNetworkAndMask%, All
StringReplace, vMTConfigTemplate, vMTConfigTemplate, <Site2LANNetworkAndMask>, %vSite2LANNetworkAndMask%, All

; Save the built config to a timestamped file next to the script
vFileName = CreatedConfig-%A_MM%-%A_DD%-%A_YYYY% %A_Hour%-%A_Min%-%A_Sec%.txt
FileAppend, %vMTConfigTemplate%, %vFileName%
ExitApp

CreateConfigFile:
; Default settings. Replace VPNSecretKey with a long random pre-shared key and fill in your own addresses.
FileAppend,
(
[config]
VPNSecretKey=123456789012345678901234567890
Phase1Hash=sha256
Phase1Enc=aes-256
Phase1DH=modp2048
Phase2Auth=sha512
Phase2Enc=aes-256-cbc
Phase2PFSGroup=modp2048
Site1WANIP=1.1.1.1
Site2WANIP=2.2.2.2
Site1LANNetworkAndMask=192.168.1.0/24
Site2LANNetworkAndMask=192.168.2.0/24
), DefaultConfig.ini
vConfigsBuilt = 1
return

CreateIPSECConfigTemplate:
; Site1 and Site2 are mirror images: each site's peer is the other site's WAN IP and its policy destination is the other site's LAN.
FileAppend,
(
Site1
/ip firewall address-list
add address=<Site2WANIP> list=VPNAddresses
/ip firewall filter
add action=accept chain=input place-before=0 comment="VPN IPSEC-ESP" protocol=ipsec-esp src-address-list=VPNAddresses
add action=accept chain=input place-before=1 comment="VPN UDP500, 1701, 4500" port=1701,500,4500 protocol=udp src-address-list=VPNAddresses
/ip firewall nat
add action=accept chain=srcnat place-before=0 dst-address=<Site2LANNetworkAndMask> src-address=<Site1LANNetworkAndMask>
/ip ipsec proposal
add auth-algorithms=<Phase2Auth> enc-algorithms=<Phase2Enc> name=S2SProposal pfs-group=<Phase2PFSGroup>
/ip ipsec peer
add address=<Site2WANIP>/32 secret=<VPNSecretKey>
/ip ipsec policy
add dst-address=<Site2LANNetworkAndMask> proposal=S2SProposal sa-dst-address=<Site2WANIP> sa-src-address=<Site1WANIP> src-address=<Site1LANNetworkAndMask> tunnel=yes
/ip firewall raw
add action=notrack chain=prerouting src-address=<Site1LANNetworkAndMask> dst-address=<Site2LANNetworkAndMask>
add action=notrack chain=prerouting src-address=<Site2LANNetworkAndMask> dst-address=<Site1LANNetworkAndMask>
Site2
/ip firewall address-list
add address=<Site1WANIP> list=VPNAddresses
/ip firewall filter
add action=accept chain=input place-before=0 comment="VPN IPSEC-ESP" protocol=ipsec-esp src-address-list=VPNAddresses
add action=accept chain=input place-before=1 comment="VPN UDP500, 1701, 4500" port=1701,500,4500 protocol=udp src-address-list=VPNAddresses
/ip firewall nat
add action=accept chain=srcnat place-before=0 dst-address=<Site1LANNetworkAndMask> src-address=<Site2LANNetworkAndMask>
/ip ipsec proposal
add auth-algorithms=<Phase2Auth> enc-algorithms=<Phase2Enc> name=S2SProposal pfs-group=<Phase2PFSGroup>
/ip ipsec peer
add address=<Site1WANIP>/32 secret=<VPNSecretKey>
/ip ipsec policy
add dst-address=<Site1LANNetworkAndMask> proposal=S2SProposal sa-dst-address=<Site1WANIP> sa-src-address=<Site2WANIP> src-address=<Site2LANNetworkAndMask> tunnel=yes
/ip firewall raw
add action=notrack chain=prerouting src-address=<Site2LANNetworkAndMask> dst-address=<Site1LANNetworkAndMask>
add action=notrack chain=prerouting src-address=<Site1LANNetworkAndMask> dst-address=<Site2LANNetworkAndMask>
), IPSEC-ConfigTemplate.txt
vConfigsBuilt = 1
return

ConfigsHadToBeCreated:
MsgBox, Template and config files were created. Please modify files as needed and run again to build your config.
ExitApp
Updated 9/27/18 to add prerouting rules… didn’t really work before except on a few routers… not sure why. Tested on 2 RB1100AHx4s and 1 RB962
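A consistency check for the CreatedConfig file the script writes, added here as an example and not part of the original post: it parses the Site1/Site2 command blocks and reports the mistakes the post describes (a LAN with host bits set, addresses that do not mirror between the two sites, a srcnat bypass rule that does not match the IPsec policy) plus a pre-shared key left at the ini default. It assumes the generated file keeps the template's line layout and that the file path is given on the command line.

```python
import ipaddress
import re
import sys
# Default pre-shared key the script writes into DefaultConfig.ini; it must be replaced.
DEFAULT_PSK = "123456789012345678901234567890"
# Regexes over the generated RouterOS lines; named groups are the fields they capture.
PATTERNS = [
    r"add address=(?P<listed>\S+) list=VPNAddresses",
    r"chain=srcnat \S+ dst-address=(?P<nat_dst>\S+) src-address=(?P<nat_src>\S+)",
    r"/ip ipsec peer\s+add address=(?P<peer>\S+)/32 secret=(?P<secret>\S+)",
    r"add dst-address=(?P<dst>\S+) proposal=\S+ sa-dst-address=(?P<sa_dst>\S+) "
    r"sa-src-address=(?P<sa_src>\S+) src-address=(?P<src>\S+) tunnel=yes",
]

def parse_site(text):
    """Collect the addresses and secret that one site's generated commands reference."""
    fields = {}
    for pat in PATTERNS:
        match = re.search(pat, text)
        if match is None:
            raise ValueError("site block is missing a line matching: " + pat)
        fields.update(match.groupdict())
    return fields

def check_config(generated):
    """Return the problems found in a generated two-site config (empty list = consistent)."""
    s1, s2 = (parse_site(t) for t in re.split(r"^Site2\s*$", generated, flags=re.M))
    problems = []
    for name, s in (("Site1", s1), ("Site2", s2)):
        if s["secret"] == DEFAULT_PSK:
            problems.append(f"{name}: pre-shared key is still the default")
        for key in ("src", "dst"):
            try:  # strict=True rejects host addresses such as 192.168.1.5/24
                ipaddress.ip_network(s[key], strict=True)
            except ValueError as e:
                problems.append(f"{name}: bad {key} network {s[key]}: {e}")
        if not (s["listed"] == s["peer"] == s["sa_dst"]):
            problems.append(f"{name}: address-list, peer and sa-dst-address disagree")
        if (s["nat_src"], s["nat_dst"]) != (s["src"], s["dst"]):
            problems.append(f"{name}: srcnat bypass rule does not match the IPsec policy")
    # The two halves must mirror each other: Site1's source is Site2's destination, and so on.
    if (s1["src"], s1["dst"]) != (s2["dst"], s2["src"]):
        problems.append("LAN networks are not mirrored between Site1 and Site2")
    if (s1["sa_src"], s1["sa_dst"], s1["secret"]) != (s2["sa_dst"], s2["sa_src"], s2["secret"]):
        problems.append("SA endpoints or secret are not mirrored between Site1 and Site2")
    return problems

if __name__ == "__main__":  # usage: python check_ipsec.py CreatedConfig-....txt
    for p in check_config(open(sys.argv[1]).read()) or ["no problems found"]:
        print(p)
```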