IPsec between MikroTik and Zyxel Zywall USG
From: IT documentation
Summary
This guide was written using MikroTik RouterOS 6.44.6 and a Zywall USG 60 running firmware V4.35.
It describes how to set up an IPsec tunnel between a MikroTik and a Zywall router.
MikroTik settings
CLI
/ip ipsec profile add name=Site-to-site dh-group=modp1024 dpd-interval=3s enc-algorithm=aes-128 nat-traversal=no
/ip ipsec peer add name=Site-to-site profile=Site-to-site address=<Zywall IP> local-address=<MikroTik IP>
/ip ipsec proposal add name=Site-to-site enc-algorithms=aes-128-cbc
/ip ipsec identity add peer=Site-to-site notrack-chain=output secret=HelloNSA
/ip ipsec policy add dst-address=<Zywall subnet> src-address=<Mikrotik subnet> proposal=Site-to-site sa-dst-address=<Zywall IP> sa-src-address=<MikroTik IP> tunnel=yes
/ip firewall nat add action=accept chain=srcnat dst-address=<Zywall subnet> src-address=<Mikrotik subnet>
/ip firewall nat add action=accept chain=srcnat dst-address=<Mikrotik subnet> src-address=<Zywall subnet>
GUI
Zywall settings
CLI
enable
configure terminal
address-object Mikrotik_LAN <Mikrotik subnet>
address-object Zywall_LAN <Zywall subnet>
isakmp policy Mikrotik
  activate
  local-ip interface wan1
  peer-ip <MikroTik IP>
  authentication pre-share
  keystring HelloNSA
  local-id type ip 0.0.0.0
  peer-id type any
  fall-back-check-interval 300
  lifetime 86400
  group2
  transform-set aes128-sha
  mode main
  dpd-interval 30
  no natt
exit
crypto map Mikrotik
  activate
  adjust-mss auto
  ipsec-isakmp Mikrotik
  scenario site-to-site-static
  encapsulation tunnel
  transform-set esp-aes128-sha
  set security-association lifetime seconds 1800
  set pfs group2
  local-policy Zywall_LAN
  remote-policy Mikrotik_LAN
  no conn-check activate
exit
zone TUNNEL
  crypto Mikrotik
exit
secure-policy append
  name to_Mikrotik
  destinationip Mikrotik_LAN
  action allow
exit
secure-policy append
  name from_Mikrotik
  sourceip Mikrotik_LAN
  action allow
exit
policy append
  name to_Mikrotik
  dscp any
  destination Mikrotik_LAN
  next-hop tunnel Mikrotik
exit
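Inter-vendor IPsec tunnels most often fail because a Phase 1 or Phase 2 parameter differs between the two ends, and on the MikroTik side several of those parameters (hash algorithm, exchange mode, proposal authentication, PFS group) are left at their defaults by the commands above. The following Python script is an added example, not part of the original page or of either vendor's tooling: it normalizes both configurations into a common vocabulary, reports parameters that do not match, and flags settings both devices accept but that are no longer recommended (DH group 2 / modp1024 and SHA-1). It assumes RouterOS 6.44 default values for the parameters the page's commands leave implicit, and uses constructed TEST-NET-1 addresses in place of the `<... IP>` placeholders.

```python
import re
# Constructed copies of the page's two configurations (Phase 1/2 lines only; TEST-NET-1 IPs replace <... IP>).
MIKROTIK = """\
/ip ipsec profile add name=Site-to-site dh-group=modp1024 dpd-interval=3s enc-algorithm=aes-128 nat-traversal=no
/ip ipsec peer add name=Site-to-site profile=Site-to-site address=192.0.2.2 local-address=192.0.2.1
/ip ipsec proposal add name=Site-to-site enc-algorithms=aes-128-cbc
"""
ZYWALL = """\
group2
transform-set aes128-sha
mode main
no natt
transform-set esp-aes128-sha
set pfs group2
"""
# Assumption: RouterOS 6.44 default values for the parameters the page's commands leave implicit.
MT_DEFAULTS = {"profile": {"hash-algorithm": "sha1"}, "peer": {"exchange-mode": "main"},
               "proposal": {"auth-algorithms": "sha1", "pfs-group": "modp1024"}}
DH = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}  # RouterOS name -> Zywall name
WEAK = {"group2", "sha1", "3des", "des"}  # both boxes accept these, but they are no longer recommended
def norm(alg):  # aes-128-cbc / aes-128 / aes128 -> aes128; Zywall's "sha" -> sha1
    return {"sha": "sha1"}.get(alg, alg.replace("-cbc", "").replace("-", ""))
def mikrotik_params(text):
    p = {}
    for kind, args in re.findall(r"^/ip ipsec (\w+) add (.*)$", text, re.M):
        kv = {**MT_DEFAULTS.get(kind, {}), **dict(t.split("=", 1) for t in args.split())}  # explicit wins
        if kind == "profile":
            p.update(p1_dh=DH[kv["dh-group"]], p1_enc=norm(kv["enc-algorithm"]),
                     p1_auth=kv["hash-algorithm"], p1_natt=kv["nat-traversal"] == "yes")
        elif kind == "peer":
            p["p1_mode"] = kv["exchange-mode"]
        elif kind == "proposal":
            p.update(p2_enc=norm(kv["enc-algorithms"]), p2_auth=kv["auth-algorithms"], p2_pfs=DH[kv["pfs-group"]])
    return p

def zywall_params(text):
    p = {}
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0].startswith("group"): p["p1_dh"] = w[0]
        elif w[:2] == ["set", "pfs"]: p["p2_pfs"] = w[2]
        elif w[0] == "transform-set":  # "aes128-sha" is the Phase 1 set, "esp-aes128-sha" the Phase 2 set
            ph = "p2" if w[1].startswith("esp-") else "p1"
            p[ph + "_enc"], p[ph + "_auth"] = map(norm, w[1].split("-")[-2:])
        elif w[0] == "mode": p["p1_mode"] = w[1]
        elif "natt" in w: p["p1_natt"] = w[0] != "no"
    return p

def compare(mt, zw):  # -> (parameters that differ, parameters that match but rely on a weak algorithm)
    mismatch = {k: (mt[k], zw.get(k)) for k in mt if zw.get(k) != mt[k]}
    return mismatch, sorted(k for k, v in mt.items() if v in WEAK)
```

For the configuration on this page the two sides agree on every checked parameter, and the weak list names the DH group and SHA-1 entries; change the ZYWALL text (for example `group2` to `group5`) to see the mismatch report.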