Here is the IPSec config on a huawei AR1200. Please translate this to RouterOS settings!
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
#
return