Hi!
Here's the IPSec config for the local router:
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.2.2.2/23:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
10.1.1.1/32:any tunnel=yes
And this is the remote router:
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.1.1.1/32:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=\
10.2.2.2/23:any tunnel=yes
The local site firewall (1.1.1.1) has nearly 150 rules right now, too many to post. I have opened everything coming from 2.2.2.2 in the input chain and everything going to 2.2.2.2 in the output chain. I have nothing in the forward chain related to IPSec because, as far as I know, that chain won't be used for that traffic.
EDIT: forgot to remark that the remote firewall currently has no rules, so all traffic should flow freely.
Thank you!
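As an added example (not part of the original post or MikroTik tooling), here is a small Python checker that parses the two exports above exactly as posted, confirms the two ends mirror each other (peer parameters, PSK, proposal, swapped SA addresses and selectors), and flags two things a reviewer would raise: a selector with host bits set (10.2.2.2/23 is not a network address) and the deprecated algorithms in use. The parser, the checks and the WEAK list are constructed here; the export text is the post's own.

```python
"""Added example (not from the original post): verify that two RouterOS IPsec
exports mirror each other and flag hygiene issues. The two export strings are
copied from the post; parser, checks and the WEAK list are constructed here."""
import ipaddress
import re
import shlex

# Assumption: algorithms a reviewer would reject for a new tunnel today.
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}

LOCAL = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.2.2.2/23:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
10.1.1.1/32:any tunnel=yes
"""
REMOTE = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.1.1.1/32:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=\
10.2.2.2/23:any tunnel=yes
"""

def parse_export(text):
    """Turn a RouterOS export into {section: [entry dict, ...]}."""
    joined = re.sub(r"\\\n", "", text)           # undo the export's line continuations
    sections, current = {}, None
    for line in joined.strip().splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line[1:].strip(), [])
        elif line.strip():
            verb, *tokens = shlex.split(line)     # shlex copes with comment=""
            entry = {"_verb": verb}
            for token in tokens:
                key, _, value = token.partition("=")
                entry[key] = value
            current.append(entry)
    return sections

def strip_port(addr):
    return addr.split(":")[0]                    # '10.2.2.2/23:any' -> '10.2.2.2/23'

def host(addr):
    return strip_port(addr).split("/")[0]        # '2.2.2.2/32:500' -> '2.2.2.2'

def check_pair(local_text, remote_text):
    """Return a list of findings; an empty list means the two sides mirror cleanly."""
    findings, sides = [], []
    for cfg in (parse_export(local_text), parse_export(remote_text)):
        sides.append((cfg["ip ipsec peer"][0], cfg["ip ipsec proposal"][0], cfg["ip ipsec policy"][0]))
    (pa, ra, la), (pb, rb, lb) = sides
    # Phase 1 parameters and the PSK, then the phase 2 proposal, must be identical.
    for what, x, y, keys in (
            ("peer", pa, pb, ("exchange-mode", "dh-group", "enc-algorithm", "hash-algorithm", "lifetime", "secret")),
            ("proposal", ra, rb, ("auth-algorithms", "enc-algorithms", "pfs-group", "lifetime"))):
        for key in keys:
            if x.get(key) != y.get(key):
                findings.append(f"{what} {key} differs: {x.get(key)!r} vs {y.get(key)!r}")
    # Each peer address must be the SA destination, and SA/selector pairs must be swapped.
    if host(pa["address"]) != la["sa-dst-address"] or host(pb["address"]) != lb["sa-dst-address"]:
        findings.append("peer address does not match the policy sa-dst-address")
    if la["sa-src-address"] != lb["sa-dst-address"] or la["sa-dst-address"] != lb["sa-src-address"]:
        findings.append("SA addresses are not swapped between the two sides")
    if (strip_port(la["src-address"]), strip_port(la["dst-address"])) != \
            (strip_port(lb["dst-address"]), strip_port(lb["src-address"])):
        findings.append("policy selectors are not mirrored")
    # A selector with host bits set (10.2.2.2/23) is almost always a typo for the network.
    for side, pol in (("local", la), ("remote", lb)):
        for key in ("src-address", "dst-address"):
            try:
                ipaddress.ip_network(strip_port(pol[key]))  # strict: raises on host bits
            except ValueError:
                findings.append(f"{side} {key} {pol[key]} has host bits set")
    # Hygiene: deprecated algorithms on either end.
    for side, peer, prop in (("local", pa, ra), ("remote", pb, rb)):
        weak = {peer["enc-algorithm"], peer["hash-algorithm"], peer["dh-group"],
                prop["enc-algorithms"], prop["pfs-group"]} & WEAK
        if weak:
            findings.append(f"{side} uses deprecated algorithms: {', '.join(sorted(weak))}")
    return findings
```

Run against the two exports as posted, `check_pair(LOCAL, REMOTE)` reports no mismatch between the ends: it only flags the /23 selector with host bits on both sides and the 3DES/MD5/modp1024 choices. Changing the PSK or a selector on one side produces the corresponding "differs" or "not mirrored" finding, which is the kind of asymmetry that otherwise only shows up as a silent phase 1 or phase 2 failure in the logs.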