Hi everyone!
I need some help!
I am trying to set up an IPsec tunnel between a Cisco ASA 5520 (IOS 7.0) and a MikroTik RB 1200 running RouterOS 6.0.
I don't have access to the ASA, so I can't check its settings, but I got the settings from the ASA admin:
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key super_secret_key
crypto map outside_map 40 match address outside_40_arcom_cryptomap
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer xxx.xxx.xxx.xxx
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
where xxx.xxx.xxx.xxx is our outside IP address.
He also sent me a file with the tunnel parameters:
Encryption Mode=Tunnel
VPN Configuration
Phase 1
Authentication Method=Pre-Shared Key
Encryption Scheme=IKE
Diffie-Hellman Group=Group 2
Encryption Algorithm=3DES
Hashing Algorithm=SHA
Lifetime (for renegotiation)=86400s
Phase 2
Encapsulation (ESP or AH)=ESP
Encryption Algorithm=3DES
Authentication Algorithm=SHA
Perfect Forward Secrecy=Group 2
Lifetime (for renegotiation)=3600s
I configured our router:
[admin@Router1] > interface ipip print
Flags: X - disabled, R - running, D - dynamic
# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 R TJ2 1480 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
[admin@Router1] > ip ipsec peer print
Flags: X - disabled
3 address=yyy.yyy.yyy.yyy/32 passive=no port=500 auth-method=pre-shared-key secret="super_secret_key" generate-policy=port-override exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn="xxx.xxx.xxx.xxx" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@Router1] > ip ipsec proposal print
Flags: X - disabled, * - default
6 name="TJ10" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=modp1024
[admin@Router1] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
8 src-address=10.92.2.128/25 src-port=any dst-address=192.168.001.100/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=yyy.yyy.yyy.yyy proposal=TJ10 priority=0
where yyy.yyy.yyy.yyy is the outside IP address of the Cisco ASA 5520.
Connection diagram:
destination host destination GW my router my network
192.168.1.100<---------------->192.168.1.1=yyy.yyy.yyy.yyy<===INET====>xxx.xxx.xxx.xxx=10.92.2.129/25<---------->10.92.2.128/25
When I try to send an ICMP packet from 10.92.2.130 in my network to 192.168.1.100, IPsec negotiation starts,
but I don't get an ICMP reply from the destination.
SA state on my router:
[admin@Router1] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0 src-address=xxx.xxx.xxx.xxx dst-address=yyy.yyy.yyy.yyy auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s
I configured the destination host to receive syslog from my router.
There is one error:
Jul 18 10:48:43 ipsec: ==========
Jul 18 10:48:43 ipsec: 84 bytes message received from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500]
Jul 18 10:48:43 ipsec: 56f87ff5 2bf0c35e 49115d06 5cc7002f 08100501 63f514ec 00000054 c88cc523
Jul 18 10:48:43 ipsec: 3cae0060 64b27da3 d0c88852 84656174 87b06afe 4af6fe29 ccaf2f0f fc821e3a
Jul 18 10:48:43 ipsec: 9f579872 d61d76cf 88747276 643153e3 8d5b0731
Jul 18 10:48:43 ipsec: receive Information.
Jul 18 10:48:43 ipsec: compute IV for phase2
Jul 18 10:48:43 ipsec: phase1 last IV:
Jul 18 10:48:43 ipsec: 2eba7090 f33fb6c4 63f514ec
Jul 18 10:48:43 ipsec: hash(sha1)
Jul 18 10:48:43 ipsec: encryption(3des)
Jul 18 10:48:43 ipsec: phase2 IV computed:
Jul 18 10:48:43 ipsec: ac0d7d1d b93b9324
Jul 18 10:48:43 ipsec: encryption(3des)
Jul 18 10:48:43 ipsec: IV was saved for next processing:
Jul 18 10:48:43 ipsec: 643153e3 8d5b0731
Jul 18 10:48:43 ipsec: encryption(3des)
Jul 18 10:48:43 ipsec: with key:
Jul 18 10:48:43 ipsec: 8846e981 e9419b39 0cba345b cfbaad47 0e5722d7 1c871534
Jul 18 10:48:43 ipsec: decrypted payload by IV:
Jul 18 10:48:43 ipsec: ac0d7d1d b93b9324
Jul 18 10:48:43 ipsec: decrypted payload, but not trimed.
Jul 18 10:48:43 ipsec: 0b000018 2bc07d5a 5c0396d5 081bfd93 046e998f c91358b6 00000020 00000001
Jul 18 10:48:43 ipsec: 0310000e 56f87ff5 2bf0c35e 49115d06 5cc7002f d3d5e9fa
Jul 18 10:48:43 ipsec: padding len=251
Jul 18 10:48:43 ipsec: skip to trim padding.
Jul 18 10:48:43 ipsec: decrypted.
Jul 18 10:48:43 ipsec: 56f87ff5 2bf0c35e 49115d06 5cc7002f 08100501 63f514ec 00000054 0b000018
Jul 18 10:48:43 ipsec: 2bc07d5a 5c0396d5 081bfd93 046e998f c91358b6 00000020 00000001 0310000e
Jul 18 10:48:43 ipsec: 56f87ff5 2bf0c35e 49115d06 5cc7002f d3d5e9fa
Jul 18 10:48:43 ipsec: HASH with:
Jul 18 10:48:43 ipsec: 63f514ec 00000020 00000001 0310000e 56f87ff5 2bf0c35e 49115d06 5cc7002f
Jul 18 10:48:43 ipsec: d3d5e9fa
Jul 18 10:48:43 ipsec: hmac(hmac_sha1)
Jul 18 10:48:43 ipsec: HASH computed:
Jul 18 10:48:43 ipsec: 2bc07d5a 5c0396d5 081bfd93 046e998f c91358b6
Jul 18 10:48:43 ipsec: hash validated.
Jul 18 10:48:43 ipsec: begin.
Jul 18 10:48:43 ipsec: seen nptype=8(hash)
Jul 18 10:48:43 ipsec: seen nptype=11(notify)
Jul 18 10:48:43 ipsec: succeed.
Jul 18 10:48:43 ipsec: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jul 18 10:48:43 ipsec: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=56f87ff52bf0c35e 49115d065cc7002f (size=16).
Jul 18 10:48:43 ipsec: Message: ''.
If I understand correctly, the destination router is telling our router that it couldn't choose an encryption proposal.
I made a tcpdump of the ISAKMP packets between the routers and tried to decrypt them with Wireshark;
I wanted to know which proposals the ASA suggests to our router,
but I couldn't decrypt the ISAKMP packets.
Please help me!
How can I find a solution to my problem?
I apologise for my bad English, I am still learning it.
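The decrypted Informational message in the syslog above, decoded field by field. This is an added example, not code from the post or from RouterOS/racoon: it uses only the Python standard library, takes the 84-byte plaintext racoon printed after "decrypted." (copied verbatim into DECRYPTED_HEX), and walks the ISAKMP header and payload chain as laid out in RFC 2408, with the IPsec DOI protocol and notify numbers from RFC 2407. The function and variable names are mine; the notify-type table is a subset, not the full registry.

```python
"""Decode a plaintext IKEv1/ISAKMP message and its Notify payload (added example)."""
import struct

# The 84-byte message after racoon's "decrypted." line in the post, copied verbatim.
DECRYPTED_HEX = (
    "56f87ff5 2bf0c35e 49115d06 5cc7002f 08100501 63f514ec 00000054 0b000018 "
    "2bc07d5a 5c0396d5 081bfd93 046e998f c91358b6 00000020 00000001 0310000e "
    "56f87ff5 2bf0c35e 49115d06 5cc7002f d3d5e9fa"
)

# RFC 2408 payload and exchange types; 32 is the IPsec DOI Quick Mode value.
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY",
                 12: "DELETE", 13: "VID"}
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
# RFC 2407 protocol IDs carried in Notify/Delete payloads.
PROTO_IDS = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH", 3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"}
# Subset of RFC 2408 error types and RFC 2407 / DPD status types.
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED",
                24576: "RESPONDER-LIFETIME", 24578: "INITIAL-CONTACT",
                36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}
FLAG_ENCRYPTION = 0x01


def page_message():
    """The decrypted message from the post as bytes (whitespace in the hex is ignored)."""
    return bytes.fromhex(DECRYPTED_HEX)


def decode_notify(body):
    """Decode a Notify payload body (everything after the 4-byte generic payload header)."""
    if len(body) < 8:
        raise ValueError("Notify payload too short")
    doi, proto_id, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    if 8 + spi_size > len(body):
        raise ValueError("Notify SPI runs past payload end")
    spi = body[8:8 + spi_size]
    data = body[8 + spi_size:]          # optional notification data, may be empty
    return {"doi": doi, "proto_id": proto_id, "proto": PROTO_IDS.get(proto_id, "?"),
            "spi_size": spi_size, "spi": spi.hex(), "notify_type": ntype,
            "notify": NOTIFY_TYPES.get(ntype, "UNKNOWN"), "data": data.hex()}


def parse_isakmp(msg):
    """Parse a plaintext ISAKMP message into its header fields and payload chain."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_pl, version, xchg, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header length %d does not match %d bytes given" % (length, len(msg)))
    header = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
              "version": "%d.%d" % (version >> 4, version & 0xF),
              "exchange": EXCHANGE_TYPES.get(xchg, str(xchg)),
              "encrypted": bool(flags & FLAG_ENCRYPTION),
              "msg_id": "%08x" % msg_id, "length": length}
    payloads = []
    off = 28
    # Each generic payload header names the type of the *following* payload; 0 ends the chain.
    while next_pl != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        following, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = msg[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(next_pl, str(next_pl))}
        if next_pl == 11:
            entry.update(decode_notify(body))
        elif next_pl == 8:
            entry["hash"] = body.hex()
        else:
            entry["raw"] = body.hex()
        payloads.append(entry)
        next_pl, off = following, off + plen
    if off != len(msg):
        raise ValueError("%d trailing bytes after last payload" % (len(msg) - off))
    return {"header": header, "payloads": payloads}


def notify_summary(msg):
    """One-line summary of the first Notify payload, or None if the message has none."""
    for p in parse_isakmp(msg)["payloads"]:
        if p["type"] == "NOTIFY":
            return "%s for %s (doi=%d, spi=%s)" % (p["notify"], p["proto"], p["doi"], p["spi"])
    return None


if __name__ == "__main__":
    parsed = parse_isakmp(page_message())
    print(parsed["header"])
    for payload in parsed["payloads"]:
        print(payload)
    print(notify_summary(page_message()))
```

Running it reproduces racoon's own summary: exchange type 5 (Informational) with the encryption flag set, a HASH payload followed by a NOTIFY with doi=1, proto_id=3 (PROTO_IPSEC_ESP), notify type 14 (NO-PROPOSAL-CHOSEN), a 16-byte SPI that is simply the two ISAKMP cookies, and four bytes of notification data. The proto_id is the detail worth reading off: ESP means the rejected proposal is the Quick Mode (phase 2) one, so that is where the two sides' parameters should be compared. The HASH payload is prf(SKEYID_a, M-ID | N) per RFC 2409 and SKEYID_a is not in the log, so the parser does not recheck it; the 24-byte key racoon prints under "with key:" is the phase 1 encryption key, which is also what Wireshark's ISAKMP preferences (the IKEv1 decryption table, keyed by the initiator cookie) need in order to decrypt such a capture.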