Is there a way to get information about IPSec peers via SNMP? I'd like to monitor if VPNs are up based on remote-peer or installed-sa existing. If this is not possible any type of script that could run on the mikrotik and either log or email if a VPN were to go down would help.

Edit: my fallback plan would be to log to syslog and parse whatever entry shows it dropping, but direct SNMP polling is preferred.

"/ip ipsec installed-sa print oid" doesn't show anything. Glancing through a quick complete SNMP walk also does not seem to have any relevant entries. I'm going to guess no, though I might well be wrong.

You could definitely do a scheduled script that checks installed SAs and sends an email. But if you have an NMS to check SNMP with, maybe ICMP monitoring could work? You could bring up a loopback interface on the router (an empty bridge without ports in it, but an IP address assigned). That is software interface that always stays up. Then monitor its status via the IPSec tunnel, and make sure it isn't reachable via any other means. If that tracked IP address goes down, the tunnel is down.

Thanks for the response, I wasn't aware of the 'print oid' feature, good to know. This is a somewhat unique scenario, the VPNs and networks we're monitoring are customer networks where we've deployed Mikrotiks as CPEs and we don't directly have access to the inside of the network but do do the devices. We may install The Dude on it and have it do ping tests and syslog to a different server as a solution, or somehow interface with The Dude in another way.