http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC
Diagram: http://gregsowell.com/?p=787
Video for Diagram: http://gregsowell.com/wink/mtklan2lan/mtklan2lan.swf
From the Mikrotik Wiki: http://wiki.mikrotik.com/wiki/IPsec#Site_to_Site_IpSec_Tunnel
On each Mikrotik router:
Modify these for your networks and paste them at the CLI of both routers:
Note that we use /32 instead of the actual subnet mask of the WAN interfaces, for simplicity and security: the peer definition then matches only the single remote WAN address (less exposure), and we don't have to track down the real subnet mask. Use the proper subnet masks for the subnets behind the routers.
:global Router1WanAddr "192.168.90.1"
:global Router1WanCidr "192.168.90.1/32"
:global Router2WanAddr "192.168.80.1"
:global Router2WanCidr "192.168.80.1/32"
:global SubnetBehindRouter1 "10.1.202.0/24"
:global SubnetBehindRouter2 "10.1.101.0/24"
:global PreSharedKey "MyPreSharedKey"
Paste this into the CLI of router 1:
# Peer Definition
/ip ipsec peer add address=$Router2WanCidr port=500 auth-method=pre-shared-key secret="$PreSharedKey"
# Policy Definition
/ip ipsec policy add src-address=$SubnetBehindRouter1 src-port=any dst-address=$SubnetBehindRouter2 dst-port=any \
    sa-src-address=$Router1WanAddr sa-dst-address=$Router2WanAddr \
    tunnel=yes action=encrypt proposal=default
# NAT bypass rule (place-before=0 puts it above the masquerade rule so VPN traffic is not NATed)
/ip firewall nat add chain=srcnat action=accept comment="NAT Bypass for VPN" place-before=0 \
    src-address=$SubnetBehindRouter1 dst-address=$SubnetBehindRouter2
# Cleanup: remove the globals, including the pre-shared key, so the secret does not linger in the script environment
/system script environment
remove Router1WanAddr
remove Router1WanCidr
remove Router2WanAddr
remove Router2WanCidr
remove SubnetBehindRouter1
remove SubnetBehindRouter2
remove PreSharedKey
/
Paste this into the CLI of router 2:
# Peer Definition
/ip ipsec peer add address=$Router1WanCidr port=500 auth-method=pre-shared-key secret="$PreSharedKey"
# Policy Definition
/ip ipsec policy add src-address=$SubnetBehindRouter2 src-port=any dst-address=$SubnetBehindRouter1 dst-port=any \
    sa-src-address=$Router2WanAddr sa-dst-address=$Router1WanAddr \
    tunnel=yes action=encrypt proposal=default
# NAT bypass rule (place-before=0 puts it above the masquerade rule so VPN traffic is not NATed)
/ip firewall nat add chain=srcnat action=accept comment="NAT Bypass for VPN" place-before=0 \
    src-address=$SubnetBehindRouter2 dst-address=$SubnetBehindRouter1
# Cleanup: remove the globals, including the pre-shared key, so the secret does not linger in the script environment
/system script environment
remove Router1WanAddr
remove Router1WanCidr
remove Router2WanAddr
remove Router2WanCidr
remove SubnetBehindRouter1
remove SubnetBehindRouter2
remove PreSharedKey
/
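The two command sets above are mirror images of each other, and the most common way to break the tunnel is to mis-mirror one field by hand. As an added example (not from the MikroTik wiki page or from MikroTik), the following Python script builds both routers' command sets from one parameter set, sanity-checks the parameters first (valid prefixes, non-overlapping LANs, WAN addresses outside the LANs, a pre-shared key of reasonable length) and verifies that the generated policies are exact reverses of each other. Function names are this example's own; the addresses are the page's sample values, and the secret is left as the $PreSharedKey global set at the CLI so the key is never written into the generated output.

```python
# Added example (not from the MikroTik wiki page or from MikroTik): build the
# mirrored RouterOS command sets for both routers from a single parameter set
# and sanity-check the parameters first. Function names are this example's
# own; the address values in main() are the page's sample values.
import ipaddress


def validate(r1_wan, r2_wan, subnet1, subnet2, psk):
    """Return a list of problems with the parameters; an empty list means OK."""
    problems = []
    nets = []
    for label, cidr in (("SubnetBehindRouter1", subnet1),
                        ("SubnetBehindRouter2", subnet2)):
        try:
            # strict=True rejects a prefix with host bits set, e.g. 10.1.202.1/24
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            problems.append(f"{label} {cidr} is not a valid network prefix")
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        problems.append(f"LAN subnets overlap: {nets[0]} and {nets[1]}")
    for label, wan in (("Router1WanAddr", r1_wan), ("Router2WanAddr", r2_wan)):
        if any(ipaddress.ip_address(wan) in n for n in nets):
            problems.append(f"{label} {wan} lies inside one of the LAN subnets")
    if r1_wan == r2_wan:
        problems.append("both routers have the same WAN address")
    if len(psk) < 20:
        problems.append("pre-shared key is shorter than 20 characters")
    return problems


def build_script(local_wan, remote_wan, local_subnet, remote_subnet):
    """RouterOS commands for one side of the tunnel. The peer address uses /32,
    as the page does. The secret stays as the $PreSharedKey global that the
    operator sets at the CLI, so the key is never written into this output."""
    return [
        "/ip ipsec peer",
        f'add address={remote_wan}/32 port=500 auth-method=pre-shared-key '
        'secret="$PreSharedKey"',
        "/ip ipsec policy",
        f"add src-address={local_subnet} src-port=any dst-address={remote_subnet} "
        f"dst-port=any sa-src-address={local_wan} sa-dst-address={remote_wan} "
        "tunnel=yes action=encrypt proposal=default",
        "/ip firewall nat",
        'add chain=srcnat action=accept comment="NAT Bypass for VPN" place-before=0 '
        f"src-address={local_subnet} dst-address={remote_subnet}",
    ]


def build_both(r1_wan, r2_wan, subnet1, subnet2, psk):
    """Scripts for both routers; refuses to emit anything if validation fails."""
    problems = validate(r1_wan, r2_wan, subnet1, subnet2, psk)
    if problems:
        raise ValueError("; ".join(problems))
    return {"router1": build_script(r1_wan, r2_wan, subnet1, subnet2),
            "router2": build_script(r2_wan, r1_wan, subnet2, subnet1)}


def policy_fields(script):
    """key=value pairs of the policy 'add' line (index 3 in build_script's output)."""
    return dict(tok.split("=", 1) for tok in script[3].split() if "=" in tok)


def is_mirrored(script1, script2):
    """True when router 2's policy is the exact reverse of router 1's: the
    src/dst subnets and the SA endpoints must swap, otherwise the selectors
    never match and the tunnel never negotiates."""
    p1, p2 = policy_fields(script1), policy_fields(script2)
    return (p1["src-address"] == p2["dst-address"]
            and p1["dst-address"] == p2["src-address"]
            and p1["sa-src-address"] == p2["sa-dst-address"]
            and p1["sa-dst-address"] == p2["sa-src-address"])


if __name__ == "__main__":
    # "REPLACE-WITH-A-LONG-RANDOM-KEY" is a placeholder, not a real key
    scripts = build_both("192.168.90.1", "192.168.80.1",
                         "10.1.202.0/24", "10.1.101.0/24",
                         "REPLACE-WITH-A-LONG-RANDOM-KEY")
    for name, lines in scripts.items():
        print(f"### paste into {name}")
        print("\n".join(lines))
```

Run it once per site pair and paste each printed section into the matching router after setting `:global PreSharedKey` at that router's CLI; the page's own "MyPreSharedKey" is rejected by the length check, which is intentional for a placeholder.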
Important note: While the router will properly route traffic between the LANs at this point, the router itself does not have a route to the remote subnet. If you need the router itself (e.g. netwatch) to be able to reach the remote subnet, you will have to add a route:
/ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF>
# for example, where the remote subnet is 192.168.0.0/24 and the local LAN interface is bridge1:
/ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1
If you have more than one peer, especially if any other peers are statically addressed, change the [find] in the next commands to the number of the peer with the dynamic IP address.
On router with static address, adjust the peer definition from above:
/ip ipsec peer
print
set [find] address=0.0.0.0/0
set [find] generate-policy=port-override
and remove or disable any existing policies, possibly deleting all like:
/ip ipsec policy remove [find]
Check status:
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec statistics print
/ip ipsec policy print stats
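What an operator is really checking in that output is whether an SA exists in each direction between the two sa-src/sa-dst addresses, and whether the negotiated algorithms are ones the proposal should still allow. As an added example (not from the MikroTik wiki page or from MikroTik), the following Python script parses the key=value form of a RouterOS "print" listing and runs those two checks. The sample listing is constructed to resemble `/ip ipsec installed-sa print` (the exact columns vary by RouterOS version, which is why the parser reads generic key=value pairs rather than fixed positions); the function names are this example's own.

```python
# Added example (not from the MikroTik wiki page or from MikroTik): parse the
# key=value output of a RouterOS "print" command and check the installed SAs
# the way an operator would after bringing the tunnel up. Function names are
# this example's own.
import re

# Constructed sample resembling "/ip ipsec installed-sa print": one healthy
# tunnel (both directions, AES/SHA1) to the page's peer 192.168.80.1 and a
# stale, half-established SA from a third peer that still uses 3DES/MD5.
INSTALLED_SA_OUTPUT = """\
Flags: H - hw-aead, A - AH, E - ESP
 0  E spi=0x2A1B3C4D src-address=192.168.80.1 dst-address=192.168.90.1 auth-algorithm=sha1
      enc-algorithm=aes-cbc enc-key-size=128 addtime=jan/01/2000 00:00:00 expires-in=29m10s
      add-lifetime=24m/30m current-bytes=12345
 1  E spi=0x5E6F7A8B src-address=192.168.90.1 dst-address=192.168.80.1 auth-algorithm=sha1
      enc-algorithm=aes-cbc enc-key-size=128 addtime=jan/01/2000 00:00:00 expires-in=29m10s
      add-lifetime=24m/30m current-bytes=67890
 2  E spi=0x0C0FFEE0 src-address=192.168.70.1 dst-address=192.168.90.1 auth-algorithm=md5
      enc-algorithm=3des addtime=jan/01/2000 00:00:00 expires-in=5m0s current-bytes=0
"""

ENTRY_START = re.compile(r"^\s*(\d+)\s+([A-Z]*)\s*(.*)$")
KEY_VALUE = re.compile(r"(\S+?)=(\S+)")


def parse_print(text):
    """Turn RouterOS 'print' output into one dict per numbered entry.
    Indented continuation lines (RouterOS wraps long entries) are folded into
    the preceding entry; the 'Flags:' legend and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Flags:"):
            continue
        m = ENTRY_START.match(line)
        if m:
            entry = {"id": int(m.group(1)), "flags": m.group(2)}
            entries.append(entry)
            rest = m.group(3)
        elif entries:
            entry = entries[-1]
            rest = line
        else:
            continue
        entry.update(KEY_VALUE.findall(rest))
    return entries


def tunnel_established(sas, local_wan, remote_wan):
    """A working tunnel needs an SA in each direction between the two
    sa-src/sa-dst addresses from the policy; one direction alone means the
    negotiation did not complete (or the other side's policy is not mirrored)."""
    directions = {(sa.get("src-address"), sa.get("dst-address")) for sa in sas}
    return ((local_wan, remote_wan) in directions
            and (remote_wan, local_wan) in directions)


WEAK_ALGORITHMS = ("des", "null", "md5")   # "des" also catches "3des"


def weak_sas(sas):
    """SPIs of SAs negotiated with an algorithm that should no longer be
    accepted in the proposal."""
    return [sa["spi"] for sa in sas
            if any(weak in sa.get(field, "")
                   for field in ("enc-algorithm", "auth-algorithm")
                   for weak in WEAK_ALGORITHMS)]


if __name__ == "__main__":
    sas = parse_print(INSTALLED_SA_OUTPUT)
    print("tunnel to 192.168.80.1 established:",
          tunnel_established(sas, "192.168.90.1", "192.168.80.1"))
    print("tunnel to 192.168.70.1 established:",
          tunnel_established(sas, "192.168.90.1", "192.168.70.1"))
    print("SAs with weak algorithms:", weak_sas(sas))
```

Feed it the real listing (for example pasted from a terminal session) in place of the constructed sample; the same parser works for `remote-peers print` and `policy print stats`, since those use the same key=value layout.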
Add an additional policy for the additional subnet to both routers similar to the first.
After changing policies, drop the existing peer connections so they are renegotiated:
/ip ipsec remote-peers kill-connections
The tunnel will not necessarily come up on its own. Traffic destined for the remote network will bring the tunnel up automatically.
To see IPsec negotiation messages in the router log: System → Logging → Add → Topics → IPSec → Memory
http://forum.mikrotik.com/viewtopic.php?f=2&t=79151
L2TP/IPSec uses:
Accept L2TP/IPSec:
These rules could be further limited by interface and/or source address.
/ip firewall filter
# L2TP runs over UDP port 1701 (not TCP)
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=1701 \
    place-before=0 comment="Accept L2TP"
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500 \
    place-before=0 comment="Accept IPSec (ISAKMP)"
# Clients behind NAT additionally need UDP 4500 (NAT-T); add a matching rule if that applies
add chain=input action=accept in-interface=ether1 protocol=ipsec-ah \
    place-before=0 comment="Accept IPSec (AH)"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    place-before=0 comment="Accept IPSec (ESP)"