kingk110
just joined
Topic Author
Posts: 10
Joined: Tue Oct 04, 2016 8:48 am

l2tp over ipsec connection from android

Tue Oct 04, 2016 9:22 am

Hello everybody
You will think that this topic is repeated, but I checked every related topic to solve my problem and found no solution.

I have a MikroTik with OS version 6.28 that has a real IP configured on the gateway interface. I configured the IPsec peer as below, following this link http://forum.mikrotik.com/viewtopic.php?f=2&t=67746:
address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 
      auth-method=pre-shared-key secret="VPNpass" generate-policy=port-override 
      policy-template-group=default exchange-mode=main-l2tp 
      send-initial-contact=no nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d dpd-interval=15s 
      dpd-maximum-failures=3
And here is the proposal configuration:
name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m 
      pfs-group=modp1024 
It works well from my Android device; I still need to test it from an iOS device.
Here is the log:

08:58:25 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
08:58:26 l2tp,info first L2TP UDP packet received from x.x.x.x
08:58:26 l2tp,ppp,info,account l2tp logged in, 10.50.50.4
08:58:26 l2tp,ppp,info <l2tp-l2tp>: authenticated
08:58:26 l2tp,ppp,info <l2tp-l2tp>: connected
The IPsec SA is working in both directions:
[attachment: Capture.PNG]

I made the same configuration on another router that has a virtual IP published through a FortiGate. It is accepting PPTP tunnels with no problems.
It just gives the following log:
08:59:25 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
08:59:26 l2tp,info first L2TP UDP packet received from x.x.x.x
08:59:47 l2tp,info first L2TP UDP packet received from x.x.x.x
09:00:09 l2tp,info first L2TP UDP packet received from x.x.x.x

And on my Android device it gives "unsuccessful".
I tried to disable all firewall rules and keep only these:
 0    chain=input action=log protocol=udp 
      in-interface=ether1-ToFortiGate src-port=500,1701,4500 log=yes 
      log-prefix="" 

 1    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 2    chain=input action=accept protocol=udp port=4500 log=no log-prefix="" 

 3    chain=input action=accept protocol=udp port=500 log=no log-prefix="" 

 4    chain=input action=accept protocol=udp port=1701 log=no log-prefix=""
The IPsec SA is working in one direction only, from my real IP connecting to the MikroTik (172.16.16.1 is the virtual IP published on the FortiGate, which is working with no problems for PPTP connections):
[attachment: Capture2.PNG]
Please help with a detailed solution, because I didn't leave any topic unread while trying to understand what is happening.
Thanks
Unic
newbie
Posts: 48
Joined: Thu Jun 11, 2015 3:51 pm

Re: l2tp over ipsec connection from android

Tue Oct 04, 2016 8:55 pm

Hi,

I am not sure that the FortiGate will "pass through" the IPsec traffic; maybe there is a special option for this. By the way, the error in your log says that your device tries sha256, but you use sha1 in your config.

But the real problem could be that both devices are behind NAT. I don't know any way to make this work with MikroTik. I have read that there are some scripted solutions where you replace the peer IPs of the IPsec.

greets
 
kingk110
just joined
Topic Author
Posts: 10
Joined: Tue Oct 04, 2016 8:48 am

Re: l2tp over ipsec connection from android

Wed Oct 05, 2016 1:13 pm

I think that when the IPsec error is shown in the MikroTik's log, the IPsec traffic is passing to it and there is no problem in the FortiGate.

The error shown is bypassed and the connection is established with no problems on the 1st MikroTik router, which has a real IP.

Today I also tested iOS 10 and it connected with no problems on the 1st router, which is giving that IPsec error.

The problem is related to NAT, but I am not sure how to fix it; please help me if you can.
Thanks.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: l2tp over ipsec connection from android

Thu Oct 06, 2016 11:56 am

This error appears because the peer loops through all possible algorithm combinations advertised by the remote peer until a supported one is matched. We slightly changed the logs in the latest rc version, so that this error is not printed in cases when the tunnel is established.
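The support answer above means that "authtype mismatched" by itself is negotiation noise: the remote peer offered hmac-sha256 first, the router rejected it and a later offer (hmac-sha1) matched. The only reliable way to tell a benign mismatch from a real failure on a 6.28 box is to correlate the error with what the l2tp topic logs afterwards. The script below is an added example written for this thread, not code from MikroTik or from either poster; it parses RouterOS-style "HH:MM:SS topics message" lines and classifies each mismatch error by what follows it within a time window. The two sample logs are constructed from the lines quoted in the first post, with x.x.x.x replaced by the documentation address 203.0.113.10; the 60-second window and the three verdict names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample logs modelled on the two routers in the thread
# (the x.x.x.x peer address is replaced with a documentation address).
ROUTER_A_LOG = """\
08:58:25 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
08:58:26 l2tp,info first L2TP UDP packet received from 203.0.113.10
08:58:26 l2tp,ppp,info,account l2tp logged in, 10.50.50.4
08:58:26 l2tp,ppp,info <l2tp-l2tp>: authenticated
08:58:26 l2tp,ppp,info <l2tp-l2tp>: connected
"""

ROUTER_B_LOG = """\
08:59:25 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256
08:59:26 l2tp,info first L2TP UDP packet received from 203.0.113.10
08:59:47 l2tp,info first L2TP UDP packet received from 203.0.113.10
09:00:09 l2tp,info first L2TP UDP packet received from 203.0.113.10
"""

# RouterOS log line: time, comma-separated topics, free-text message.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
MISMATCH_RE = re.compile(r"authtype mismatched: my:(?P<my>\S+) peer:(?P<peer>\S+)")
FIRST_PKT_RE = re.compile(r"first L2TP UDP packet received from (?P<src>\S+)")
LOGIN_RE = re.compile(r"l2tp logged in, (?P<addr>\S+)")


@dataclass
class Event:
    time: datetime
    topics: frozenset
    msg: str


def parse_log(text: str, day: str = "2016-10-04") -> List[Event]:
    """Parse log lines into events; the date is assumed because RouterOS
    prints only the time. Lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(f"{day} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(t, frozenset(m["topics"].split(",")), m["msg"]))
    return events


@dataclass
class Verdict:
    time: datetime
    my_auth: str
    peer_auth: str
    verdict: str            # "negotiated" | "l2tp_stalled" | "no_l2tp" (assumed names)
    l2tp_packets: int       # "first L2TP UDP packet" lines seen in the window
    logged_in: Optional[str]  # address assigned by "l2tp logged in", if any


def classify_mismatches(events: List[Event], window: timedelta = timedelta(seconds=60)) -> List[Verdict]:
    """For each ipsec authtype-mismatch error, look ahead within `window`:
    a later 'l2tp logged in' means a proposal matched and the error was noise;
    L2TP packets with no login means the tunnel stalls after IPsec;
    nothing from l2tp at all means the client never got past IPsec."""
    verdicts = []
    for i, ev in enumerate(events):
        if not {"ipsec", "error"} <= ev.topics:
            continue
        mm = MISMATCH_RE.search(ev.msg)
        if not mm:
            continue
        deadline = ev.time + window
        pkts, login = 0, None
        for later in events[i + 1:]:
            if later.time > deadline:
                break
            if "l2tp" not in later.topics:
                continue
            if FIRST_PKT_RE.search(later.msg):
                pkts += 1
            lm = LOGIN_RE.search(later.msg)
            if lm:
                login = lm["addr"]
                break
        verdict = "negotiated" if login else ("l2tp_stalled" if pkts else "no_l2tp")
        verdicts.append(Verdict(ev.time, mm["my"], mm["peer"], verdict, pkts, login))
    return verdicts


def alerts(text: str) -> List[Verdict]:
    """Only mismatches NOT followed by a login are worth alerting on."""
    return [v for v in classify_mismatches(parse_log(text)) if v.verdict != "negotiated"]


if __name__ == "__main__":
    for name, log in (("router A (real IP)", ROUTER_A_LOG), ("router B (behind FortiGate)", ROUTER_B_LOG)):
        for v in classify_mismatches(parse_log(log)):
            print(f"{name}: {v.time.time()} my={v.my_auth} peer={v.peer_auth} -> {v.verdict}"
                  f" (l2tp packets={v.l2tp_packets}, logged_in={v.logged_in})")
```

Run against the two constructed logs, router A's mismatch is classified as "negotiated" (a login followed one second later) and router B's as "l2tp_stalled": three "first L2TP UDP packet" lines with no login, which is the pattern the first post describes on the NAT'd router. The mismatch text itself is the same in both, so an alert keyed on it alone would fire on the working router too; the `alerts` function only returns the second case.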
