mikrotik
address=46.28.xxx.xxx local-address=31.134.xxx.xxx passive=no port=500
auth-method=pre-shared-key
secret="xxxxxxxxxxxxxxxxxxxxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=no hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024 lifetime=8h
dpd-interval=disable-dpd dpd-maximum-failures=5

src-address=31.134.xxx.xxx/32 src-port=any dst-address=46.28.xxx.xxx/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=31.134.xxx.xxx
sa-dst-address=46.28.xxx.xxx proposal=default priority=0

ipsec.conf
version 2 # conforms to second version of ipsec.conf specification

config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through whi$

protostack=netkey
#decide which protocol stack is going to be used.

force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.

pfs=no
#Disable pfs

auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

keyingtries=3
#Only negotiate a conn. 3 times.

ikelifetime=8h
keylife=1h

ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-Ap...
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead o$

type=transport
#because we use l2tp as tunnel protocol

left=46.28.xxx.xxx
#fill in server IP above

leftprotoport=17/1701
right=%any
rightprotoport=17/%any

dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

не могу найти логов openswan, позже выложу.