I'm a new MikroTik user and I'm trying to set up an IPsec tunnel between two MikroTik routers, but the tunnel does not work (traffic between the two LANs never gets encrypted).
Both routers run RouterOS 2.8.28.
Please help.
CONFIG OF ROUTER 1
=================
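# Router 1: WAN 10.0.0.1/24, LAN 192.168.10.0/24 (RouterOS 2.8 export syntax).
/ ip address
add address=10.0.0.1/24 network=10.0.0.0 broadcast=10.0.0.255 interface=WAN \
comment="" disabled=no
add address=192.168.10.254/24 network=192.168.10.0 broadcast=192.168.10.255 \
interface=LAN comment="" disabled=no
/ ip firewall
# NOTE(review): all three chains are policy=accept with no rules, so every
# service the router runs is reachable from the WAN side. This is not what
# breaks the tunnel, but once it works the input chain should at least limit
# WAN traffic to what IPsec needs (udp/500 and ESP from 10.0.0.2) plus
# management from trusted addresses.
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall src-nat
# FIX: src-nat rules are evaluated top-down and the first match wins, and NAT
# is applied before the IPsec policy lookup. With masquerade listed first,
# every packet from 192.168.10.0/24 towards 192.168.20.0/24 had its source
# rewritten to 10.0.0.1, so it no longer matched the policy below
# (src 192.168.10.0/24 -> dst 192.168.20.0/24) and left the WAN in clear.
# The accept (NAT bypass) rule must therefore come BEFORE masquerade.
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=accept \
comment="" disabled=no
add out-interface=WAN action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip ipsec policy
# Tunnel-mode ESP between the two LANs; the SA endpoints are the WAN
# addresses. level=require means traffic matching this policy is dropped
# rather than sent in clear if no SA is up.
add src-address=192.168.10.0/24:any dst-address=192.168.20.0/24:any \
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
sa-src-address=10.0.0.1 sa-dst-address=10.0.0.2 proposal=default \
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
# NOTE(review): this pre-shared key has been posted publicly; replace it with
# a fresh random secret on both routers before using the tunnel for real.
# Main mode with a PSK is fine here; do not switch to aggressive mode, which
# exposes a hash of the PSK to offline guessing.
add address=10.0.0.2/32:500 secret="gvejimezyfopmekun" generate-policy=no \
exchange-mode=main send-initial-contact=yes proposal-check=obey \
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
lifebytes=0 disabled=no
/ ip ipsec proposal
# NOTE(review): 3DES / SHA1 / modp1024 are weak by current standards; they
# are kept here because they match the peer exactly and this RouterOS release
# is old. Prefer AES and a larger DH group if both ends support them.
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no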
CONFIG OF ROUTER 2
===================
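# Router 2: WAN 10.0.0.2/24, LAN 192.168.20.0/24 (RouterOS 2.8 export syntax).
/ ip address
add address=10.0.0.2/24 network=10.0.0.0 broadcast=10.0.0.255 interface=WAN \
comment="" disabled=no
add address=192.168.20.254/24 network=192.168.20.0 broadcast=192.168.20.255 \
interface=LAN comment="" disabled=no
/ ip firewall
# NOTE(review): all three chains are policy=accept with no rules, so every
# service the router runs is reachable from the WAN side. This is not what
# breaks the tunnel, but once it works the input chain should at least limit
# WAN traffic to what IPsec needs (udp/500 and ESP from 10.0.0.1) plus
# management from trusted addresses.
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall src-nat
# FIX: src-nat rules are evaluated top-down and the first match wins, and NAT
# is applied before the IPsec policy lookup. With masquerade listed first,
# every packet from 192.168.20.0/24 towards 192.168.10.0/24 had its source
# rewritten to 10.0.0.2, so it no longer matched the policy below
# (src 192.168.20.0/24 -> dst 192.168.10.0/24) and left the WAN in clear.
# The accept (NAT bypass) rule must therefore come BEFORE masquerade.
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=accept \
comment="" disabled=no
add out-interface=WAN action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip ipsec policy
# Mirror of router 1's policy: tunnel-mode ESP between the two LANs with the
# WAN addresses as SA endpoints. level=require drops matching traffic rather
# than sending it in clear if no SA is up.
add src-address=192.168.20.0/24:any dst-address=192.168.10.0/24:any \
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
sa-src-address=10.0.0.2 sa-dst-address=10.0.0.1 proposal=default \
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
# NOTE(review): this pre-shared key has been posted publicly; replace it with
# a fresh random secret on both routers before using the tunnel for real.
# Main mode with a PSK is fine here; do not switch to aggressive mode, which
# exposes a hash of the PSK to offline guessing.
add address=10.0.0.1/32:500 secret="gvejimezyfopmekun" generate-policy=no \
exchange-mode=main send-initial-contact=yes proposal-check=obey \
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
lifebytes=0 disabled=no
/ ip ipsec proposal
# NOTE(review): 3DES / SHA1 / modp1024 are weak by current standards; they
# are kept here because they match the peer exactly and this RouterOS release
# is old. Prefer AES and a larger DH group if both ends support them.
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no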