CISCO – MIKROTIK | Stunell – ipsec | Phase 1 | Phase 2 |

Configure the MikroTik router as follows:

# IPIP tunnel between the two public addresses
/interface ipip
add comment="" disabled=no local-address=221.221.XX.XX mtu=1460 name=ipip1 \
    remote-address=24.19.XX.XX
# Tunnel addressing: network 169.254.255.8/30, MikroTik is .9, Cisco is .10
/ip address
add address=169.254.255.9/30 broadcast=169.254.255.11 comment="" disabled=no \
    interface=ipip1 network=169.254.255.8
# Phase 1 (IKE) peer
/ip ipsec peer
add address=24.19.XX.XX/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1024 disabled=no dpd-interval=30s dpd-maximum-failures=5 \
    enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no \
    proposal-check=obey secret=SECRETKEY send-initial-contact=no
# Phase 2 policy: ESP in transport mode (tunnel=no) for the IP-in-IP packets
# exchanged between the two public addresses
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=24.19.XX.XX/32:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    ip-encap sa-dst-address=24.19.XX.XX sa-src-address=221.221.XX.XX \
    src-address=221.221.XX.XX/32:any tunnel=no
# Phase 2 proposal
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=\
    aes-128 lifetime=30m name=default pfs-group=modp1024

Configure the Cisco router as follows:

! Phase 1 (ISAKMP) policy: AES-128, pre-shared key, DH group 2
! (no hash line is shown because SHA-1 is the IOS default)
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800

! Pre-shared key for the MikroTik peer
crypto keyring keyring-qin
 pre-shared-key address 221.221.XX.XX key SECRETKEY

crypto isakmp profile isakmp-qin
 keyring keyring-qin
 match identity address 221.221.XX.XX 255.255.255.255

! Phase 2: ESP with AES-128 and SHA-1 HMAC in transport mode, PFS group 2
crypto ipsec transform-set ipsec-prop-qin esp-aes esp-sha-hmac
 mode transport

crypto ipsec profile ipsec-qin
 set transform-set ipsec-prop-qin
 set pfs group2

! IPIP tunnel to the MikroTik, protected by the IPsec profile
interface Tunnel4
 ip address 169.254.255.10 255.255.255.252
 ip virtual-reassembly
 tunnel source FastEthernet4
 tunnel destination 221.221.XX.XX
 tunnel mode ipip
 tunnel protection ipsec profile ipsec-qin
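
The two vendors spell the same Phase 1 and Phase 2 parameters differently (modp1024 and group 2, aes-128 and aes), so a mismatch is easy to miss by eye. The following Python check is an added example, not part of the original forum post: it normalises constructed excerpts of the two configurations above and reports every value that differs. The function names and the dictionary keys are this example's own.

```python
import re
# Constructed excerpts: the Phase 1 / Phase 2 values from the two configs above.
MIKROTIK = """/ip ipsec peer
add dh-group=modp1024 enc-algorithm=aes-128 hash-algorithm=sha1 \\
    lifetime=1d
/ip ipsec proposal
set default auth-algorithms=sha1 enc-algorithms=aes-128 pfs-group=modp1024
"""
CISCO = """crypto isakmp policy 200
 encr aes
 group 2
 lifetime 28800
crypto ipsec transform-set ipsec-prop-qin esp-aes esp-sha-hmac
crypto ipsec profile ipsec-qin
 set pfs group2
"""
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def mikrotik_view(text):  # RouterOS export -> {parameter: value}
    sec, raw = None, {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        sec = line.strip() if line.startswith("/") else sec
        raw.setdefault(sec, {}).update(re.findall(r"(\S+?)=(\S*)", line))
    peer, prop = raw["/ip ipsec peer"], raw["/ip ipsec proposal"]
    life = sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", peer["lifetime"]))
    return {"p1-enc": peer["enc-algorithm"], "p1-hash": peer["hash-algorithm"],
            "p1-dh": peer["dh-group"], "p1-lifetime": life, "p2-pfs": prop["pfs-group"],
            "p2-enc": prop["enc-algorithms"], "p2-auth": prop["auth-algorithms"]}

def cisco_view(text):  # same keys; IOS defaults assumed: hash sha, lifetime 86400
    def find(pattern, default=None):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else default
    enc = find(r"^\s*encr aes ?(\d*)\s*$")  # bare `aes` means AES-128
    ts = find(r"^crypto ipsec transform-set \S+ (.+)$", "")
    aes = re.search(r"esp-aes(?: (\d+))?", ts)
    return {"p1-enc": None if enc is None else "aes-" + (enc or "128"),
            "p1-hash": {"sha": "sha1"}.get(find(r"^\s*hash (\S+)", "sha")),
            "p1-dh": DH.get(find(r"^\s*group (\d+)")),
            "p1-lifetime": int(find(r"^\s*lifetime (\d+)", "86400")),
            "p2-enc": "aes-" + (aes.group(1) or "128") if aes else None,
            "p2-auth": "sha1" if "esp-sha-hmac" in ts else None,
            "p2-pfs": DH.get(find(r"set pfs group(\d+)"))}

def mismatches(mt, cs):  # {parameter: (mikrotik, cisco)} for each differing value
    return {k: (mt[k], cs[k]) for k in mt if mt[k] != cs[k]}

if __name__ == "__main__":
    print(mismatches(mikrotik_view(MIKROTIK), cisco_view(CISCO)))
```

For the configurations above, the only difference reported is the Phase 1 lifetime: 1d on the MikroTik and 28800 seconds on the Cisco.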

Source: http://forum.mikrotik.com/viewtopic.php?t=48580#p247067