Why isn't this site to site IPsec coming up?

As an aside, this has been one of the more painful experiences in networking I have had, and I’ve worked with all manner of Cisco ISR/ASR/ASA/FTD, Fortigate, Juniper, Ubiquiti, etc.

Trying to stand up an IKEv1 site to site using certificates from a Mikrotik Hex S to a Cisco RV345P. The Cisco side thinks the tunnel is up but is reporting invalid hash payloads. The Mikrotik is giving no useful debug messages whatsoever, only that it keeps trying to establish the tunnel. I have imported the Cisco’s client cert into the Mikrotik, named TESTROUTERCERT.

Mikrotik configs:

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=5m enc-algorithm=aes-128 hash-algorithm=sha256 lifetime=8h
add dh-group=modp2048 dpd-interval=5m enc-algorithm=aes-128 hash-algorithm=sha256 lifetime=8h name=aes128sha256dh14 nat-traversal=no
/ip ipsec peer
add address=FQDN.TESTROUTER.site local-address=MIKROTIKWANIP name=TESTROUTER profile=aes128sha256dh14 send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1h pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1h name=aes128sha256dh14 pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=NewMikrotikFLA.pem_0 match-by=certificate peer=TESTROUTER remote-certificate=TESTROUTERCERT
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.134.0/23 peer=TESTROUTER proposal=aes128sha256dh14 src-address=192.168.234.0/23 tunnel=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.134.0/23 src-address=192.168.234.0/23
add action=accept chain=srcnat dst-address=192.168.234.0/23 src-address=192.168.134.0/23
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall filter
add action=accept chain=input in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.134.0/23
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=udp src-port=4500
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input protocol=ipsec-esp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Cisco config:
ciscomikrotik.png
So what’s wrong?
ciscomikrotik2.png

Start by setting /system logging add topics=ipsec,!packet. Then disable the peer (or identity), run /log print follow-only file=ipsec-start where topics~"ipsec", and re-enable the peer (or identity). Give it a minute, then stop the /log print … (using Ctrl-C), download the file and see what is going on in more detail.
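An added example, not part of the reply above: a RouterOS script that performs the same capture without a live terminal session, by sending the ipsec log topic to a disk file while the peer is bounced. The peer name TESTROUTER and the file name ipsec-start come from the thread; the logging action name ipsecfile and the delays are assumptions.

```routeros
# Added example (not from the original post or reply): automate the
# "log ipsec, bounce the peer, collect the file" procedure on the MikroTik.
# Peer name TESTROUTER and file prefix ipsec-start come from the thread;
# the action name ipsecfile and the delay values are assumed.

# 1. Logging action that writes to disk (RouterOS names the files ipsec-start*.txt)
/system logging action add name=ipsecfile target=disk disk-file-name=ipsec-start disk-lines-per-file=5000

# 2. Route the ipsec topic, minus raw packet dumps, to that action
/system logging add topics=ipsec,!packet action=ipsecfile

# 3. Bounce the peer so a complete IKE negotiation is captured from the first message
/ip ipsec peer set [find name=TESTROUTER] disabled=yes
:delay 5s
/ip ipsec peer set [find name=TESTROUTER] disabled=no

# 4. Allow the negotiation (and a retry or two) to run, then stop logging
:delay 60s
/system logging remove [find action=ipsecfile]
/system logging action remove [find name=ipsecfile]

# 5. List the capture files; download them from /file (Files menu or FTP/SFTP)
/file print where name~"ipsec-start"
```

Phase 1 proposal and certificate/identity messages appear early in the capture, so compare the first negotiation against the Cisco's reported invalid hash payload rather than scrolling through later retries.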