mikrotik +cisco ipsec при двух шлюзах

Доброго времени суток.
Прежде чем перейти к проблеме распишу схему работы.
Есть два провайдера. Оба подключены по pppoe.
Соответственно трафик маркируется и пускается через nat.

Вот настройки firewall mangle, nat и /ip route
/ip firewall mangle
add action=mark-connection chain=input in-interface=rtk new-connection-mark=input-RTK-conn passthrough=yes
add action=mark-routing chain=output connection-mark=input-RTK-conn new-routing-mark=RTK-route passthrough=no
add action=mark-connection chain=forward in-interface=rtk new-connection-mark=fw-RTK-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=fw-RTK-conn in-interface=ether5-lan new-routing-mark=RTK-route passthrough=yes
add action=mark-connection chain=input in-interface=mts new-connection-mark=input-MTS-conn passthrough=yes
add action=mark-routing chain=output connection-mark=input-MTS-conn new-routing-mark=MTS-route passthrough=no
add action=mark-connection chain=forward in-interface=mts new-connection-mark=fw-MTS-conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=fw-MTS-conn in-interface=ether5-lan new-routing-mark=MTS-route passthrough=yes

/ip firewall nat
add action=src-nat chain=srcnat comment="SRC NAT to RTK" dst-address-list=!worknet out-interface=rtk src-address-list=worknet to-addresses=77.39.16.140
add action=src-nat chain=srcnat dst-address-list=!worknet ipsec-policy=out,none out-interface=mts src-address-list=worknet to-addresses=213.27.32.36
add action=netmap chain=dstnat dst-port=6000 in-interface=rtk log-prefix=RDP protocol=tcp src-address-list=mother to-addresses=172.31.10.10 to-ports=3389
add action=netmap chain=dstnat dst-port=6000 in-interface=mts log-prefix=RDP protocol=tcp src-address-list=mother to-addresses=172.31.10.10 to-ports=3389

/ip firewall filter
add action=drop chain=input comment="No windows update" disabled=yes dst-address-list=noupdate protocol=tcp
add action=drop chain=input comment="No windows update" disabled=yes protocol=tcp src-address-list=noupdate
add action=accept chain=input comment="Accept WinBox" connection-state=new dst-port=8291 protocol=tcp
add action=drop chain=forward comment="Drop invalid connection packets" connection-state=invalid disabled=yes
add action=accept chain=input comment="Accept established connections" connection-state=established,related
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=2222 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=blacklist address-list-timeout=3h chain=input comment="drop ssh 3 stage" connection-state=new dst-port=2222 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=input comment="drop ssh brute forcers" src-address-list=blacklist
add action=drop chain=input in-interface-list=inet protocol=tcp src-port=3128
add action=drop chain=input comment="drop incomming DNS" dst-port=53 in-interface-list=inet protocol=udp

/ip route
add distance=2 gateway=rtk routing-mark=RTK-route
add distance=1 gateway=mts routing-mark=MTS-route
add disabled=yes distance=1 gateway=mts
add distance=1 dst-address=10.9.0.0/16 gateway=ipip-mother-mts
add distance=1 dst-address=161.8.0.0/16 gateway=ipip-mother-mts
add disabled=yes distance=1 dst-address=193.16.208.74/32 gateway=mts

А теперь собственно проблема. По определенным причинам нужно сделать ipsec tunel с материнской организацией. Mikrotik'ов они не знают, знать не хотят, все у них крутится на cisco.
Прислали письмо со следующими параметрами:
encryption 3des
hash sha
group 5 2
lifetime 86400
DH - esp-3des esp-sha-hmac
peer 193.16.208.74
PSK, думаю, нужно согласовать отдельно.
Локальная сеть 172.31.10.0/23, сети * - 10.9.0.0/16, 161.8.0.0/16
делаю:
/interface ipip
add allow-fast-path=no clamp-tcp-mss=no disabled=yes ipsec-secret=secret local-address=213.27.32.36 name=ipip-mother-mts remote-address=193.16.208.7
/ip firewall filter
add action=accept chain=forward dst-port=500,4500 log=yes log-prefix="IPSEC FW" protocol=udp src-port=500,4500
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no

Включаю тунель - пир создается, но не поднимается.
/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 D name="ipip-mmk-mts" address=193.16.208.74/32 local-address=213.27.32.36 profile=default exchange-mode=main send-initial-contact=yes
/ip ipsec active-peers> print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
[mikrotik@MikroTik] /ip ipsec active-peers>
Подцепляется политика
/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 D ipip-mmk-mts no 213.27.32.36/32 193.16.208.74/32 ipencap encrypt require 0

есть SA c моего внешнего адреса:
/ip ipsec installed-sa> print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0x56841A0 src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
1 E spi=0xE5F933B src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
2 E spi=0 src-address=213.27.32.36 dst-address=193.16.208.74 state=larval add-lifetime=0s/30s replay=0
3 E spi=0x4724F36 src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
4 E spi=0xEBACB6D src-address=193.16.208.74 dst-address=213.27.32.36 state=larval add-lifetime=0s/30s replay=0
А вот обратные протухают и сбрасываются.


Подозреваю, что чтото не так в файрволе - нехватает какого-то правила, а вот какого, не могу понять

 

Как обстоят дела здесь?
[admin@MikroTik] /log> print

 

16:36:42 system,info log rule changed by mikrotik
16:36:50 ipsec,info initiate new phase 1 (Identity Protection): 213.27.32.36[500]<=>193.16.208.74[500]
16:36:50 ipsec,info ISAKMP-SA established 213.27.32.36[500]-193.16.208.74[500] spi:fa26cab8e033fdcc:0dcf315d6e03d5f8
16:36:50 ipsec,info purging ISAKMP-SA 213.27.32.36[500]<=>193.16.208.74[500] spi=fa26cab8e033fdcc:0dcf315d6e03d5f8.
16:36:50 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-193.16.208.74[500] spi:fa26cab8e033fdcc:0dcf315d6e03d5f8 rekey:1
16:37:00 ipsec,info initiate new phase 1 (Identity Protection): 213.27.32.36[500]<=>193.16.208.74[500]
16:37:00 ipsec,info ISAKMP-SA established 213.27.32.36[500]-193.16.208.74[500] spi:bfee288de577a3dc:6bf6589910e5a054
16:37:00 ipsec,info purging ISAKMP-SA 213.27.32.36[500]<=>193.16.208.74[500] spi=bfee288de577a3dc:6bf6589910e5a054.
16:37:00 ipsec,info ISAKMP-SA deleted 213.27.32.36[500]-193.16.208.74[500] spi:bfee288de577a3dc:6bf6589910e5a054 rekey:1

 

И так по кругу?

 

Да.

 

До тех пор, пока не поднимется, рано настраивать файрволл

 

>До тех пор, пока не поднимется, рано настраивать файрволл
Да уже настроен. И выключать - значит лишить инета предприятие - значит лишние вопли.
Кроме того - все равно разбираться, почему именно в такой конфигурации не работает.
Завтра попробую отключить цепочки mangle и включить тунель.