Mikrotik

How to set up L2TP+IPSec between 2 Mikrotik routers?

Hello. I've been scratching my head for three days now and can't find what exactly the problem is.
Task Description: There are 2 offices in each office Mikrotik RB951G-2HnD is installed. To access the Internet, a twisted pore is included in the ether1 connector and a PPPoE connection is raised on this interface for authorization on the provider's side. This interface is assigned a permanent white ip address. Ports 2-5 are combined into a bridge, and LAN computers are connected to these ports.
Office 1:
Public IP: pppoe-out - ip 85.12.xx.yy
Local IP: 192.168.1.0/24
Mikrotik Address: 192.168.1.1
Office 2:
Public IP: pppoe-out - ip 83.95.xx.yy
Local IP: 192.168 .2.0/24
Mikrotik address: 192.168.2.1
The task is to connect these 2 local networks via the Internet using L2TP/IPSec Tunnel so that all traffic passing through the tunnel is encrypted:
What I did:
Office 1 is taken as the server side.
1. Set up 1 L2TP Server in Office:
- Create a user:

 > ppp secret add name=Office2 service=l2tp password=123
local-address=10.0.16.9 remote-address=10.0.16.10

 /ppp secret> print detail 
Flags: X - disabled 
 0   name="Office2" service=l2tp caller-id="" password=
     local-address=10.0.16.9 remote-address=10.0.16.10 
     limit-bytes-out=0 last-logged-out=jan/01/1970 00:0

Create an L2TP interface for the created user

 > interface l2tp-server add disabled=no name=l2tp-Office2
user=Office2

- Enable L2TP/IpSec

 > interface l2tp-server server set authentication=pap,chap,
mschap1,mschap2 default-profile=default-encryption enabled=yes 
max-mru=1460 max-mtu=1460 use-ipsec=yes 
 > interface l2tp-server server print                                                       
enabled: yes                                               
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: pap,chap,mschap1,mschap2
keepalive-timeout: 15
default-profile: default-encryption
use-ipsec: yes
ipsec-secret: 123456789

- Create an ipsec proposal:

 > ip ipsec proposal set default auth-algorithms=sha1 
disabled=no enc-algorithms=3des lifetime=30m name=default 
pfs-group=modp1024 
 > ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des 
lifetime=30m pfs-group=modp1024 
 >

- Create ipsec policy:
> ip ipsec policy add action=encrypt disabled=no
dst-address=192.168.2.0/24 ipsec-protocols=esp level=require priority=0
proposal=default protocol=udp sa-dst -address=10.0.16.10
sa-src-address=10.0.16.9 src-address=192.168.1.0/24 tunnel=yes
> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic , I - inactive, * - default
0 TX* group=*3 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 src-address=192.168.1.0 /24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=udp
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.16.9
sa-dst-address=10.0.16.10 proposal=default priority=0
- Create an ipsec peer:

 > ip ipsec peer add address=10.0.16.10 auth-method=pre-shared-key 
dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=test 
send-initial-contact=yes 
 > ip ipsec peer print 
Flags: X - disabled, D - dynamic 
 0  D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key 
      secret="123456789" generate-policy=port-strict policy-group=*2 exchange-mode=main-l2tp 
      send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m 
      dpd-maximum-failures=5 

 1    address=10.0.16.10/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="test" generate-policy=no policy-group=*2 exchange-mode=main send-initial-contact=yes 
      nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 
      lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

- Add a route to Office 2

 > ip route add comment=Office2 disabled=no distance=1 
dst-address=192.168.2.0/24 gateway=10 .0.16.10 scope=30 target-scope=10

With the configuration of the first Mikrotik completed, let's move on to the second one, which will be an L2TP client:
- Create an l2tp interface to connect to the server

 > interface l2tp-client add add-default-route=no allow=pap,chap,
mschap1,mschap2 connect-to=85.12.xx.yy dial-on-demand=no disabled=no 
max-mru=1460 max-mtu=1460 name=l2tp-Office1 password=123 user=Office2

After executing this command, an L2TP tunnel is established.
- Create an ipsec proposal (the settings are exactly the same as we did on the server):

 > ip ipsec proposal set default auth-algorithms=sha1 
disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024 
 > ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m 
      pfs-group=modp1024

- Create ipsec policy:

 > ip ipsec policy add action=encrypt disabled=no 
dst-address=192.168.1.0/24 ipsec-protocols=esp level=require priority=0 
proposal=default protocol=udp sa-dst-address=10.0.16.9 
sa-src-address=10.0.16.10 src-address=192.168.2.0/24 tunnel=yes 
 > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=85.172.xx.yy/32 dst-address=83.239.xx.yy/32 
       protocol=udp proposal=default template=yes 

 1     src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 
       dst-port=any protocol=udp action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=10.0.16.10 
       sa-dst-address=10.0.16.9 proposal=default priority=0

- Create ipsec peer:
> ip ipsec peer add address=10.0.16.9/32 auth-method=pre-shared-key
dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum- failures=1
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=test
send-initial-contact=yes
[ [email protected]] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=10.0.16.9/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret= "test" generate-policy=no
policy-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=1
- Add route to Office one

 > ip route add disabled=no distance=1 dst-address=192.168.1.0/24 
gateway=10.0.16.9 scope=30 target-scope=10

After all these settings, connections are displayed in / ip ipsec remote-peers

 > ip ipsec remote-peers print 
 0 local-address=10.0.16.9 remote-address=10.0.16.10 state=established 
   side=initiator established=4m22s

It would seem that the whole setup is not complicated, and after that, entries should appear in / ip ipsec installed-sa, but they do not appear in any way. Data is transferred from one network to another perfectly, but I have a suspicion that the channel turned out to be not encrypted, since there are no entries in / ip ipsec installed-sa and the processor does not load at all during operation. Trying to deal with the problem, I added a rule for the firewall on each of Mikrotik:

/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp

Mikrotik versions 6.19.
I have already tried everything, I read all the instructions, I could only find them, but I still can’t get it to work. ;( Please tell me what else I missed when setting up and what needs to be corrected. Many thanks in advance for the advice.