Pericynthion
newbie
Topic Author
Posts: 38
Joined: Tue Jan 02, 2018 8:54 pm

SOLVED* [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

Sat Mar 24, 2018 1:38 am

Hi everyone - new routeros user here! Hopefully this is an easy one that someone can help with...

I'm trying to set a VPN endpoint as my primary route (such that all outbound Eth1 traffic is encrypted - and ideally accelerated in the hardware of the RB750Gr3).
When I'm using just a straight L2TP client interface, using the username/password and pre-shared key in the IPSEC peer config everything connects fine.
When I check the 'use IPSEC' in the L2TP interface, it fails to connect.

Am I just misunderstanding the interface config? If I change the IPSEC/Peer config to an IKE exchange mode with the pre-shared key then I can see the remote peer is established on port 4500, which leads me to believe that everything is working as it should be, and I just don't need the IPSEC option at all in the L2TP interface?

Also - is there any way I can prove that the traffic is being hardware accelerated from system performance stats etc?
Last edited by Pericynthion on Tue Mar 27, 2018 2:50 am, edited 1 time in total.
 
Pericynthion
newbie
Topic Author
Posts: 38
Joined: Tue Jan 02, 2018 8:54 pm

Re: [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

Mon Mar 26, 2018 6:38 pm

So I've been doing some research and concluded that the 'use IPSEC' option in the L2TP client will try and automatically generate the IPSEC config, so I don't need this option if I'm configuring the policy manually (and the auto-option doesn't seem to work).
OK, so onto the policy (obvious info obscured) - any suggestions welcomed:

[dickie@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=104.237.61.99/32 auth-method=pre-shared-key secret="mysecret" generate-policy=no policy-template-group=default exchange-mode=main mode-config=request-only
send-initial-contact=yes nat-traversal=no proposal-check=obey compatibility-options=skip-peer-id-validation hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128
dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

[dickie@MikroTik] /ip> ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=70.95.93.199/32 src-port=any dst-address=104.237.61.99/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=HideIPvpn
ph2-count=0

[dickie@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1 name="HideIPvpn" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024


I see some dynamic states appear in the installed SA tab, but they all appear to be larval ESP but never anything that is actually encrypted.
Also I can see under the peer info for Phase2 that msg1 is sent, but it never progresses beyond that.

I'm more than open to the suggestion that this is a remote config issue (that I don't control), but I wanted to eliminate the obvious noob config errors at this end first.

Thanks in advance!!
 
Pericynthion
newbie
Topic Author
Posts: 38
Joined: Tue Jan 02, 2018 8:54 pm

Re: SOLVED - [noob IPSEC] trying to establish hardware accelerated VPN as primary outbound link

Tue Mar 27, 2018 2:46 am

Solved - in case anyone else finds this with a search. So I managed to track this down with the additional logging:

/system logging
add prefix=ipsec topics=ipsec

And the key message in the log was 'NO-PROPOSAL-CHOSEN', so after a bit of research I deduced that the default PFS (modp1024) is required to be enabled on both ends.
In my case, connecting 'blind' to a VPN service provider, it clearly wasn't, so by setting the PFS group to 'NONE' it connected first time and I can see from the Installed SAs that the connection is up and that it is Hardware AEAD!

For clarity I ended up deleting the manual peer / policy configs and used the 'use IPSEC' setting in the L2TP client - the only thing I needed to change in the end was the PFS group to none.
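As an added diagnostic example (not code from this thread or from MikroTik), here is a small Python checker that parses the flattened key=value lines that `/ip ipsec proposal print` emits, as shown in the second post, and reports whether two Phase 2 proposals can agree. The remote "provider" proposal is constructed, and the matching rules are a simplified model of IKEv1 quick mode: any failure is what the responder reports back as NO-PROPOSAL-CHOSEN.

```python
import re

# Constructed sample lines in the flattened format that RouterOS
# "/ip ipsec proposal print" emits. LOCAL mirrors the HideIPvpn
# proposal from the thread; REMOTE is a hypothetical provider side
# that has PFS disabled, which is what the thread's fix revealed.
LOCAL_PROPOSAL = (
    '1 name="HideIPvpn" auth-algorithms=sha256,sha1 '
    'enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc '
    'lifetime=30m pfs-group=modp1024'
)
REMOTE_PROPOSAL = (
    '0 name="provider" auth-algorithms=sha1 '
    'enc-algorithms=aes-256-cbc lifetime=1h pfs-group=none'
)

# key=value pairs; values may be quoted (name="...") or bare lists.
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_proposal(line):
    """Turn one RouterOS print line into a dict; the comma-separated
    algorithm attributes become sets so they can be intersected."""
    fields = {}
    for key, value in _KV.findall(line):
        value = value.strip('"')
        if key in ("auth-algorithms", "enc-algorithms"):
            fields[key] = set(value.split(","))
        else:
            fields[key] = value
    return fields

def check_phase2(local, remote):
    """Return (ok, reason). Simplified quick-mode matching: at least
    one common auth algorithm, one common cipher, and an identical
    PFS group (modp1024 on one side and none on the other is the
    mismatch the thread hit)."""
    l, r = parse_proposal(local), parse_proposal(remote)
    reasons = []
    if not l["auth-algorithms"] & r["auth-algorithms"]:
        reasons.append("no common auth algorithm")
    if not l["enc-algorithms"] & r["enc-algorithms"]:
        reasons.append("no common encryption algorithm")
    if l.get("pfs-group", "none") != r.get("pfs-group", "none"):
        reasons.append(
            f"pfs-group mismatch ({l.get('pfs-group')} vs {r.get('pfs-group')})")
    return (not reasons, "; ".join(reasons) or "proposal acceptable")

def with_pfs(line, group):
    """Rewrite the pfs-group attribute of a proposal line (e.g. to none)."""
    return re.sub(r"pfs-group=\S+", f"pfs-group={group}", line)

if __name__ == "__main__":
    print(check_phase2(LOCAL_PROPOSAL, REMOTE_PROPOSAL))
    print(check_phase2(with_pfs(LOCAL_PROPOSAL, "none"), REMOTE_PROPOSAL))
```

Against a real provider you only see your own side, so the practical use is to paste the local print line and try the PFS groups the provider documents until the check passes, then confirm with `/ip ipsec installed-sa print`.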
