Phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]

Hi everybody,

I’m trying to establish the tunnel Mikrotik - Cisco but I can’t do that. In fact I read a lot of articles about this but I still have some problems:

— Side Cisco —
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set ESP-3DES-SHA


— Side Mikrotik —
add payload of len 16, next type 13
add payload of len 16, next type 0
sendmsg (Invalid argument)
sendfromto failed
phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500] 48234ee72dbe88a3:0000000000000000
failed to begin ISAKMP SA negotiation for peer: gre-tunnel
KA: xx.xx.xx.xx[4500]->xx.xx.xx.xx[4500]
1 times of 1 bytes message will be sent to xx.xx.xx.xx[4500]


In the firewall rules the ports 500, 4500, 1701 have been permitted because I have L2TP running.

More config:

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
  chain=srcnat action=masquerade log=no log-prefix=""

0 chain=srcnat action=accept log=no log-prefix="" ipsec-policy=out,ipsec

/ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
    enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
    pfs-group=modp1024


Does someone know what’s wrong?

Thanks for your time.

John

Without seeing the complete configuration of the Mikrotik,

suggest that there is a routing issue, i.e. that the Mikrotik cannot find a route for the ISAKMP packet.

Can you ping the IP address of the Cisco from the Mikrotik? If yes, do you use any policy routing (routing marks etc.)?

Usually means that the local-address configured for the peer is not actually configured on the router, also this could be caused by firewall or NAT.
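
The checks suggested in the replies can be scripted. The following is an added example, not part of the original thread: it reads the log lines from the question, separates a local send failure from a peer that simply did not answer, and then tests the peer's local-address against the router's own addresses. The local-address value and the address list are constructed samples standing in for the peer setting and the output of `/ip address print`.

```python
import ipaddress
import re

# Log lines copied from the question (addresses are redacted there as well).
LOG = """\
sendmsg (Invalid argument)
sendfromto failed
phase1 negotiation failed due to send error. xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500] 48234ee72dbe88a3:0000000000000000
failed to begin ISAKMP SA negotiation for peer: gre-tunnel
"""

# Constructed sample values, not taken from the thread.
PEER_LOCAL_ADDRESS = "192.0.2.10"                          # peer local-address
ROUTER_ADDRESSES = ["198.51.100.2/30", "192.168.88.1/24"]  # /ip address print

# ISAKMP cookie pair as logged: initiator:responder, 16 hex digits each.
COOKIES = re.compile(r"\b([0-9a-f]{16}):([0-9a-f]{16})\b")

def triage(log):
    """Return the set of findings for a failed phase 1 attempt."""
    findings = set()
    for line in log.splitlines():
        if line.startswith("sendmsg (") or "sendfromto failed" in line:
            findings.add("local-send-error")  # the send call itself failed
        m = COOKIES.search(line)
        if m and int(m.group(2), 16) == 0:
            findings.add("no-reply-seen")     # responder cookie still all zeros
    return findings

def local_address_configured(local_address, router_addresses):
    """True if local_address is one of the router's own interface addresses."""
    wanted = ipaddress.ip_address(local_address)
    return any(ipaddress.ip_interface(a).ip == wanted for a in router_addresses)

def diagnose(log, local_address, router_addresses):
    """Turn the log findings and the address check into one next step."""
    if "local-send-error" not in triage(log):
        return "no local send error logged; look at the path and the peer"
    if not local_address_configured(local_address, router_addresses):
        return "local-address %s is not configured on the router" % local_address
    return "local-address is fine; check routing to the peer, firewall and NAT"

if __name__ == "__main__":
    print(diagnose(LOG, PEER_LOCAL_ADDRESS, ROUTER_ADDRESSES))
```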