Mikrotik
Gennady, 2015-08-11 12:08:02

IPSec + Mikrotik, why doesn't it work?

I want to set up an IPsec tunnel between two Mikrotiks. I am doing everything according to the manual from the official wiki.
The following commands were executed on the Mikrotiks
(xx.xx.xx.xx is the public ("white") IP of the first office, yy.yy.yy.yy that of the second; 192.168.1.x is the subnet of the first office, 192.168.87.x that of the second):
office 1:
/ip ipsec peer
add address=yy.yy.yy.yy/32 port=500 auth-method=pre-shared-key secret="/u]45ms]E>[email protected]<1C^&7dffaoep{h2]krrNxQG+YCwe~ HT;"
/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.87.0/24 dst-port=any \
    sa-src-address=xx.xx.xx.xx sa-dst-address=yy.yy.yy.yy \
    tunnel=yes action=encrypt proposal=default
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.87.0/24

office 2:
/ip ipsec peer
add address=xx.xx.xx.xx/32 port=500 auth-method=pre-shared-key secret="/u]45ms]E>[email protected]<1C^&7dffaoep{h2]krrNxQG+YCwe~HT;"
/ip ipsec policy
add src-address=192.168.87.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any \
    sa-src-address=yy.yy.yy.yy sa-dst-address=xx.xx.xx.xx \
    tunnel=yes action=encrypt proposal=default
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.87.0/24 dst-address=192.168.1.0/24
After doing all this, nothing happens: the installed SA list is empty and the subnets cannot ping each other (from one office to the other). ROS version 6.30.2 on both Mikrotiks. I've looked everywhere and can't figure it out; can anyone help?
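An added example, not part of the original question and not a MikroTik tool: a small Python checker that parses both offices' RouterOS-style `add key=value` lines and reports the asymmetries that leave `/ip ipsec installed-sa` empty on both ends. Two IPsec peers only bring up an SA when their configurations are exact mirrors (peer address equal to the other side's sa-src-address, policy subnets and SA addresses swapped, same proposal, byte-identical pre-shared key) and when the srcnat accept rule exists on each side so masquerade does not rewrite the source before the policy matches. Note that in the posted commands the two secrets are not byte-identical (one has a space before `HT;`); whether that is a paste artifact or real, a mismatched PSK fails IKE phase 1 and no SA is ever installed, so it is worth ruling out first. The sample configs below are constructed: they follow the layout of the post with placeholder addresses and a made-up secret, and deliberately reproduce only that whitespace difference.

```python
"""Mirror-consistency check for a pair of RouterOS site-to-site IPsec configs (added example)."""
import re
import shlex

# Constructed sample: the layout of the question's two offices with placeholder
# addresses and a made-up secret; the only intended asymmetry is a stray space
# inside office 1's pre-shared key.
OFFICE1 = r'''
/ip ipsec peer
add address=yy.yy.yy.yy/32 port=500 auth-method=pre-shared-key secret="Example~ PSK"
/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.87.0/24 dst-port=any \
    sa-src-address=xx.xx.xx.xx sa-dst-address=yy.yy.yy.yy \
    tunnel=yes action=encrypt proposal=default
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.87.0/24
'''
OFFICE2 = r'''
/ip ipsec peer
add address=xx.xx.xx.xx/32 port=500 auth-method=pre-shared-key secret="Example~PSK"
/ip ipsec policy
add src-address=192.168.87.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any \
    sa-src-address=yy.yy.yy.yy sa-dst-address=xx.xx.xx.xx \
    tunnel=yes action=encrypt proposal=default
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.87.0/24 dst-address=192.168.1.0/24
'''


def parse_routeros(text):
    """Parse RouterOS export-style text into {menu: [entry, ...]}.

    Continuation lines ending in a backslash are joined first; each `add` line
    becomes a dict of key -> value. A stray space after "=" (as in `secret= "x"`)
    is tolerated by gluing the next token on."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    config, menu = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            menu = "/" + " ".join(line[1:].split())  # normalise "/ ip ipsec peer"
            config.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            tokens, entry, i = shlex.split(line[4:]), {}, 0
            while i < len(tokens):
                tok = tokens[i]
                if tok.endswith("=") and i + 1 < len(tokens):
                    tok, i = tok + tokens[i + 1], i + 1
                key, _, value = tok.partition("=")
                entry[key] = value
                i += 1
            config[menu].append(entry)
    return config


def first(config, menu):
    """First `add` entry under a menu, or {} when the menu is absent."""
    return (config.get(menu) or [{}])[0]


def check_site_to_site(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Return human-readable problems; an empty list means both ends mirror each other."""
    problems = []
    peer_a, peer_b = first(cfg_a, "/ip ipsec peer"), first(cfg_b, "/ip ipsec peer")
    pol_a, pol_b = first(cfg_a, "/ip ipsec policy"), first(cfg_b, "/ip ipsec policy")

    def host(addr):  # "1.2.3.4/32" -> "1.2.3.4"
        return addr.split("/")[0]

    # Each peer address must be the other side's SA source address.
    for n, peer, other in ((name_a, peer_a, pol_b), (name_b, peer_b, pol_a)):
        if host(peer.get("address", "")) != other.get("sa-src-address"):
            problems.append(f"{n}: peer address {peer.get('address')} is not the other "
                            f"side's sa-src-address {other.get('sa-src-address')}")

    # Pre-shared keys must be byte-identical; whitespace counts.
    sa, sb = peer_a.get("secret"), peer_b.get("secret")
    if sa != sb:
        same_ignoring_ws = "".join((sa or "").split()) == "".join((sb or "").split())
        hint = " (they differ only by whitespace)" if same_ignoring_ws else ""
        problems.append(f"pre-shared key differs between {name_a} and {name_b}{hint}")

    # Policies must mirror: src<->dst and sa-src<->sa-dst swapped, same proposal and mode.
    mirrored = [("src-address", "dst-address"), ("dst-address", "src-address"),
                ("sa-src-address", "sa-dst-address"), ("sa-dst-address", "sa-src-address")]
    for ka, kb in mirrored:
        if pol_a.get(ka) != pol_b.get(kb):
            problems.append(f"policy {ka} on {name_a} ({pol_a.get(ka)}) != {kb} on {name_b} ({pol_b.get(kb)})")
    for key in ("proposal", "tunnel", "action"):
        if pol_a.get(key) != pol_b.get(key):
            problems.append(f"policy {key} differs: {pol_a.get(key)} vs {pol_b.get(key)}")

    # Each side needs a srcnat accept rule for the tunnelled subnets ahead of masquerade.
    for n, cfg, pol in ((name_a, cfg_a, pol_a), (name_b, cfg_b, pol_b)):
        rules = cfg.get("/ip firewall nat", [])
        if not any(r.get("chain") == "srcnat" and r.get("action") == "accept"
                   and r.get("src-address") == pol.get("src-address")
                   and r.get("dst-address") == pol.get("dst-address") for r in rules):
            problems.append(f"{n}: no srcnat accept rule for {pol.get('src-address')} -> "
                            f"{pol.get('dst-address')}; masquerade would rewrite the source first")
    return problems


def run_example():
    """Check the constructed sample pair and return the problem list."""
    return check_site_to_site(parse_routeros(OFFICE1), parse_routeros(OFFICE2), "office1", "office2")


if __name__ == "__main__":
    for p in run_example() or ["no asymmetries found"]:
        print(p)
```

Paste each router's `/ip ipsec` and `/ip firewall nat` export into the two strings and run it; the parser also accepts the `/ ip ipsec peer` and `secret= "..."` spellings, so a copy of the post's commands can be checked as-is. It deliberately checks only the first peer and policy on each side, which matches a single-tunnel setup like this one.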


3 answers
Vladislav, 2015-08-11
@genana40

In general, it is better to use IPsec on Mikrotik in transport mode, and to build the tunnel itself with, for example, the GRE protocol.

Cool Admin, 2015-08-11
@ifaustrue

Are your ports open? Is there any activity on the IPsec - Remote Peers tab? Is the provider blocking anything, and are the addresses really public ("white")?

Gennady, 2015-08-12
@genana40

Vladislav and Anton, thank you! Both of your options work, but I settled on the GRE tunnel option.
One more small question: as I understand it, with a grey (private) IP on one side, Anton's option should still work?
