Site to site IPSec Mikrotik 6.18 <-> pfSense 2.1.4

Ok, I've done some searching, and some experimenting, and I'm not really getting anywhere.
I have attached a quick sketch, and screenshots of pfSense. The machines on both sides have "internet access" via the FW on each side, so routing/NAT seem ok. I realize that right now I am using static config in MikroTik. But I figured I would fix an IP updater once I got something working.

I seem to have something up:
[admin@MikroTik] /ip ipsec remote-peers> print
0 local-address=213.114.164.202 remote-address=46.22.120.139 state=established side=initiator established=43m32s

But, log on mikrotik gives
22:44:38 ipsec,error failed to pre-process ph2 packet.
22:45:07 ipsec,error failed to pre-process ph2 packet.
22:45:17 ipsec,error failed to pre-process ph2 packet.
22:45:27 ipsec,error failed to pre-process ph2 packet.
22:45:56 ipsec,error failed to pre-process ph2 packet.

Partial Config of CRS125

[admin@MikroTik] /ip ipsec> /ip ipsec export

aug/25/2014 23:18:07 by RouterOS 6.18

software id = 2BVE-7BGB

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/ip ipsec peer

Unsafe configuration, suggestion to use certificates

add address=46.22.120.139/32 dpd-interval=disable-dpd enc-algorithm=aes-128 exchange-mode=aggressive lifetime=1h nat-traversal=no secret=hiddenfromforum
/ip ipsec policy
set (unknown) dst-address=192.168.41.0/24 src-address=172.25.74.0/24
[admin@MikroTik] /ip ipsec>

[admin@MikroTik] /ip ipsec> /ip firewall export

aug/25/2014 23:19:11 by RouterOS 6.18

software id = 2BVE-7BGB

/ip firewall address-list
add address=172.25.75.0/24 list=Verisure-address-list
add address=172.25.74.0/24 list=Krokolan-address-list
add address=172.25.0.0/16 list=Internal-address-list
/ip firewall filter
add chain=input comment=IPsec dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp
add chain=input comment="Allow winbox" dst-port=8291 in-interface=ether1-gateway-bredbandsbolaget protocol=tcp
add chain=input comment="Allow Winbox" dst-port=8291 in-interface=ether1-gateway-bredbandsbolaget protocol=udp
add chain=input comment="Allow SNMP from na01" dst-port=161 in-interface=ether1-gateway-bredbandsbolaget protocol=udp src-address=46.22.120.
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Allow DNS from Internal nets to FW" dst-address=172.25.74.1 dst-port=53 protocol=udp src-address-list=Internal-addr
add chain=input comment="Allow DNS from Internal nets to FW" dst-port=53 protocol=tcp src-address-list=Internal-address-list
add chain=input comment="Allow Established Input" connection-state=established
add chain=input comment="Allow related input" connection-state=related
add chain=input comment="Allow krokolan to mikrotik" dst-address=172.25.74.1 src-address=172.25.74.0/24
add chain=forward comment="Allow DNS from Internal nets to FW" dst-address=172.25.74.1 dst-port=53 protocol=udp src-address-list=Internal-ad
add chain=forward comment="Allow DNS from Internal nets to FW" dst-address=172.25.74.1 dst-port=53 protocol=tcp src-address-list=Internal-ad
add action=reject chain=forward comment="Disallow verisure->local" dst-address-list=Internal-address-list src-address-list=Verisure-address-
add chain=forward comment="Allow Established Forward" connection-state=established
add chain=forward comment="Allow Related Forward" connection-state=related
add chain=forward src-address=46.22.120.140
add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
add action=drop chain=input comment="Drop input fr\E5n BBB" in-interface=ether1-gateway-bredbandsbolaget
add action=drop chain=input comment="Drop all remaining"
/ip firewall nat
add chain=srcnat dst-address=192.168.41.0/24 src-address=172.25.74.0/24
add action=masquerade chain=srcnat comment="Default Masq" out-interface=ether1-gateway-bredbandsbolaget
add action=dst-nat chain=dstnat comment="NAT for na01 -> krokopool" dst-port=6556 in-interface=ether1-gateway-bredbandsbolaget protocol=tcp
46.22.120.140 to-addresses=172.25.74.100 to-ports=6557
add action=dst-nat chain=dstnat comment=na01->Krokopool/Http dst-port=10080 in-interface=ether1-gateway-bredbandsbolaget protocol=tcp src-ad
46.22.120.140 to-addresses=172.25.74.100 to-ports=80
add action=dst-nat chain=dstnat comment="na01 -> fibaro 80" dst-port=10580 in-interface=ether1-gateway-bredbandsbolaget protocol=tcp src-add
to-addresses=172.25.74.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=31194 in-interface=ether1-gateway-bredbandsbolaget protocol=udp src-address=46.22.120.140 to-addres
to-ports=31194
[admin@MikroTik] /ip ipsec>

TL;DR: site-to-site IPsec between pfSense and MikroTik, how to?

Phase 2 settings differ. On ROS you have 3des in Phase 2 (default proposal); in pfSense aes-128 is chosen.
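The mismatch that reply points at, written up as an added Python check (this is not code from the thread, from MikroTik or from pfSense). It parses the proposal line from the RouterOS export above, models the pfSense side as a constructed proposal, and reports why the two cannot agree on a Phase 2 SA; the assumptions are sha1 auth and no PFS on the pfSense side, and RouterOS defaults (sha1, modp1024) for values the export omits.

```python
import re
from dataclasses import dataclass

# Assumption, not from the thread: values a RouterOS export leaves out are at
# their defaults; sha1 and modp1024 are the v6 defaults for these two keys.
ASSUMED_ROS_DEFAULTS = {"auth-algorithms": "sha1", "pfs-group": "modp1024"}


@dataclass(frozen=True)
class Phase2:
    enc: frozenset   # e.g. {"3des"} or {"aes-128-cbc"}
    auth: frozenset  # e.g. {"sha1"}
    pfs: str         # "none", "modp1024", ...


def parse_routeros_proposal(line: str, defaults=ASSUMED_ROS_DEFAULTS) -> Phase2:
    """Parse one '/ip ipsec proposal' export line, e.g.
    'set [ find default=yes ] enc-algorithms=3des pfs-group=none'."""
    kv = dict(re.findall(r"(\S+?)=(\S+)", line.split("]", 1)[-1]))
    merged = {**defaults, **kv}
    return Phase2(enc=frozenset(merged["enc-algorithms"].split(",")),
                  auth=frozenset(merged["auth-algorithms"].split(",")),
                  pfs=merged["pfs-group"])


def negotiate(a: Phase2, b: Phase2):
    """Return (agreed transforms, reasons). An empty agreed set means no
    Phase 2 SA can be built, which is what the repeated ph2 log error shows."""
    reasons = []
    enc, auth = a.enc & b.enc, a.auth & b.auth
    if not enc:
        reasons.append(f"encryption mismatch: {sorted(a.enc)} vs {sorted(b.enc)}")
    if not auth:
        reasons.append(f"auth mismatch: {sorted(a.auth)} vs {sorted(b.auth)}")
    if a.pfs != b.pfs:
        reasons.append(f"pfs mismatch: {a.pfs} vs {b.pfs}")
    agreed = {(e, h, a.pfs) for e in enc for h in auth} if not reasons else set()
    return agreed, reasons


# The RouterOS proposal line exactly as it appears in the export above.
ROS_LINE = "set [ find default=yes ] enc-algorithms=3des pfs-group=none"
# Constructed pfSense side: aes-128 as the reply says (RouterOS naming used on
# both sides), sha1 and no PFS assumed.
PFSENSE = Phase2(enc=frozenset({"aes-128-cbc"}), auth=frozenset({"sha1"}), pfs="none")


def check_thread_configs():
    """(agreed, reasons) for the two proposals as posted: expected to fail."""
    return negotiate(parse_routeros_proposal(ROS_LINE), PFSENSE)


def check_fixed_configs():
    """Same check once the RouterOS proposal is changed to aes-128-cbc."""
    return negotiate(parse_routeros_proposal(ROS_LINE.replace("3des", "aes-128-cbc")), PFSENSE)
```

Running `check_thread_configs()` yields no agreed transform and an encryption-mismatch reason, while `check_fixed_configs()` yields a single agreed (aes-128-cbc, sha1, none) transform.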

Good catch, I suppose that's what happens when you stare at a problem for too long :)
But, changing that did not make much difference.

Maybe I should just start over from scratch.

suggestion: try exchange-mode=main

I was receiving this same error after updating from 5.x to 6.18. I was trying to set up L2TP for "road warriors" as that is the "recommended" way to allow people into your network according to a few people.

After wasting 3-4 hours on this same error, I wiped the configuration and the unit started to build the SAs and add peers and not give this error any longer. It still would not complete, but the IPSec portion seemed to be working.

I have given up on MikroTik. After about 9 hours, I need to go to bed and toss this piece of crap out the window. (currently on 6.19)

According to the Wiki, it's only 2 simple commands to enable the L2TP server! (BS!)