I add this only as a reference from the acx1100 point of view.
I strongly suggest following the IPsec labs.
acx1100 IPsec lab configuration (hierarchical format)
root@acx1100> show configuration | no-more
## Last commit: 2023-12-26 09:02:13 UTC by lrc
version 21.2R3.8;
system {
    host-name acx1100;
    /* Lab dump: the root and user password hashes below are published together with this page; rotate them before the configuration is reused outside the lab. */
    root-authentication {
        encrypted-password "$6$Me.8rVDl$EF9PcbjYNNuRCuN5NejjRizhrBup688f5DY3A6yUgGujNDniHIYKjekVwxkmZ4LY34fT0FqqlhhKwh7R6XPeK0"; ## SECRET-DATA
    }
    login {
        /* One login class per logical system. 'permissions all' gives each user full rights inside its logical system; a lab convenience, not least privilege. */
        class lr1 {
            logical-system lr1;
            permissions all;
        }
        class lr2 {
            logical-system lr2;
            permissions all;
        }
        class lr3 {
            logical-system lr3;
            permissions all;
        }
        class lrc {
            logical-system lrc;
            permissions all;
        }
        user lr1 {
            uid 2008;
            class lr1;
            authentication {
                encrypted-password "$6$X8FfXB.u$ygojhfj.X6pEjOzQJ4.WVg9PckYHQrREUqyxDvrXrFbpSSVsp0dDgk4bjGG8UCJkLyDUPqChpMvE.V8hkkF4X1"; ## SECRET-DATA
            }
        }
        user lr2 {
            uid 2009;
            class lr2;
            authentication {
                encrypted-password "$6$xBWmGCiz$UKy0NMZxOAoedM1V9Hw1G88zhE4QGLfB1KLkOOnZxsZqRAXqsxoX5bxh//N1eKHdF2LAyN9NxyDTLWJs6CGCC."; ## SECRET-DATA
            }
        }
        user lr3 {
            uid 2010;
            class lr3;
            authentication {
                encrypted-password "$6$Ek5ihlUw$BSs4L9b8ymDjSLdMEMEiPJTcu0K5IEB1mJvHBATayaKSnVgQZ0K0NkcX3jfuths4J8tNtTjDTf7.vJu/zpPPP/"; ## SECRET-DATA
            }
        }
        user lrc {
            uid 2013;
            class lrc;
            authentication {
                encrypted-password "$6$InAquAUa$UxnSAT9c1G476uTROWHZH25vz9yuqvFoSAvWKkOPVWZhzOf/o5uCR2uY4mWex3CKQbxwYRbpzkHBEq6L4mk8y."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            /* Direct root SSH login is permitted. Outside a lab prefer 'deny' (or 'deny-password') here and log in as a named user. */
            root-login allow;
        }
        netconf {
            ssh;
        }
    }
    domain-name lab.ls;
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    syslog {
        user * {
            any emergency;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file messages {
            any error;
            /* Keeps login and authorization events at info level in 'messages'. */
            authorization info;
        }
    }
}
logical-systems {
    /* Four logical systems emulate the lab topology on one chassis: lr1-lr3 each peer with lrc, and lrc uplinks to the main instance (ge-0/1/0) through ge-0/1/1. */
    lr1 {
        interfaces {
            ge-0/0/1 {
                unit 0 {
                    description lrc-ge-0/0/5;
                    family inet {
                        address 10.0.1.1/30;
                    }
                }
            }
            lo0 {
                unit 1 {
                    family inet {
                        address 100.1.1.1/32;
                    }
                }
            }
        }
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/1.0;
                    interface lo0.1 {
                        passive;
                    }
                }
            }
        }
    }
    lr2 {
        interfaces {
            ge-0/0/2 {
                unit 0 {
                    description lrc-ge-0/0/6;
                    family inet {
                        address 10.0.2.1/30;
                    }
                }
            }
            lo0 {
                unit 2 {
                    family inet {
                        address 100.2.2.2/32;
                    }
                }
            }
        }
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/2.0;
                    interface lo0.2 {
                        passive;
                    }
                }
            }
        }
    }
    lr3 {
        interfaces {
            ge-0/0/3 {
                unit 0 {
                    description lrc-ge-0/0/7;
                    family inet {
                        address 10.0.3.1/30;
                    }
                }
            }
            /* Side link to an external FRR/DHCP host; not part of the OSPF area below. */
            ge-0/0/4 {
                unit 0 {
                    description lrc-arm64-frr-dhcp;
                    family inet {
                        address 10.0.4.1/30;
                    }
                }
            }
            lo0 {
                unit 3 {
                    family inet {
                        address 100.3.3.3/32;
                    }
                }
            }
        }
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/3.0;
                    interface lo0.3 {
                        passive;
                    }
                }
            }
        }
    }
    lrc {
        interfaces {
            /* GRE to 10.10.10.10, sourced from the lrc address on the lrc-ACX link. The main instance routes 10.10.10.10/32 into si-0/0/0.3, so this GRE is expected to ride inside the mikrotik IPsec tunnel. */
            gr-0/0/0 {
                unit 0 {
                    tunnel {
                        source 10.0.0.2;
                        destination 10.10.10.10;
                    }
                    family inet {
                        address 10.1.1.1/30;
                    }
                }
            }
            ge-0/0/5 {
                unit 0 {
                    description lr1-ge-0/0/1;
                    family inet {
                        address 10.0.1.2/30;
                    }
                }
            }
            ge-0/0/6 {
                unit 0 {
                    description lr2-ge-0/0/2;
                    family inet {
                        address 10.0.2.2/30;
                    }
                }
            }
            ge-0/0/7 {
                unit 0 {
                    description lr3-ge-0/0/3;
                    family inet {
                        address 10.0.3.2/30;
                    }
                }
            }
            ge-0/1/1 {
                unit 0 {
                    description acx-ge-0/1/0;
                    family inet {
                        address 10.0.0.2/30;
                    }
                }
            }
            lo0 {
                unit 123 {
                    family inet {
                        address 100.1.2.3/32;
                    }
                }
            }
        }
        protocols {
            /* OSPF also runs across the GRE tunnel; no OSPF interface authentication is configured anywhere in this lab. */
            ospf {
                area 0.0.0.0 {
                    interface gr-0/0/0.0;
                    interface ge-0/0/5.0;
                    interface ge-0/0/6.0;
                    interface ge-0/0/7.0;
                    interface lo0.123 {
                        passive;
                    }
                }
            }
        }
        routing-options {
            /* Default toward the main instance (ge-0/1/0, 10.0.0.1). */
            static {
                route 0.0.0.0/0 next-hop 10.0.0.1;
            }
        }
    }
}
chassis {
    fpc 0 {
        pic 0 {
            /* Provides the gr-0/0/0 (tunnel services) and si-0/0/0 (inline services) interfaces used below. */
            tunnel-services {
                bandwidth 10g;
            }
            inline-services {
                bandwidth 10g;
            }
        }
        /* Selects the NAT/IPsec service package for the inline-services PIC. */
        service-package bundle-nat-ipsec;
    }
}
services {
    /* Next-hop-style service set: traffic routed into si-0/0/0.1 (inside) is encrypted and emitted on si-0/0/0.2 (outside). */
    service-set ipsec {
        next-hop-service {
            inside-service-interface si-0/0/0.1;
            outside-service-interface si-0/0/0.2;
        }
        ipsec-vpn-options {
            /* 172.20.13.1 is ge-0/0/0.13 (WAN). */
            local-gateway 172.20.13.1;
            /* Disables ESP sequence-number replay checking for this tunnel; keep the default (enabled) unless the peer cannot interoperate with it. */
            no-anti-replay;
        }
        ipsec-vpn-rules neo4;
    }
    /* Second service set, same pattern on si-0/0/0.3 / .4 for the mikrotik peer. */
    service-set ipsec-mk {
        next-hop-service {
            inside-service-interface si-0/0/0.3;
            outside-service-interface si-0/0/0.4;
        }
        ipsec-vpn-options {
            local-gateway 172.20.13.1;
            /* Anti-replay disabled here as well; same consideration as in service-set ipsec. */
            no-anti-replay;
        }
        ipsec-vpn-rules mikrotik;
    }
    ipsec-vpn {
        /* Protects anything destined to 192.168.168.0/24 that enters via si-0/0/0.1 (see the static route under routing-options). */
        rule neo4 {
            term 1 {
                from {
                    destination-address {
                        192.168.168.0/24;
                    }
                    ipsec-inside-interface si-0/0/0.1;
                }
                then {
                    /* Peer on the same WAN /24 as the local-gateway. */
                    remote-gateway 172.20.13.20;
                    dynamic {
                        ike-policy ike-pol;
                        ipsec-policy ipsec-pol;
                    }
                }
            }
            match-direction input;
        }
        /* Narrow selector: only 10.0.0.0/30 -> 10.10.10.10/32 (the lrc GRE endpoints) is protected. */
        rule mikrotik {
            term 1 {
                from {
                    source-address {
                        10.0.0.0/30;
                    }
                    destination-address {
                        10.10.10.10/32;
                    }
                    ipsec-inside-interface si-0/0/0.3;
                }
                then {
                    remote-gateway 172.20.13.30;
                    dynamic {
                        ike-policy ike-pol;
                        ipsec-policy ipsec-pol;
                    }
                }
            }
            match-direction input;
        }
        ipsec {
            /* Legacy ESP suite (HMAC-SHA1-96 integrity, AES-128-CBC); SHA-256 integrity (e.g. hmac-sha-256-128) is the current baseline where the service PIC and the peer support it. */
            proposal ipsec-prop {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
            }
            policy ipsec-pol {
                proposals ipsec-prop;
            }
        }
        ike {
            /* IKE suite: pre-shared keys, DH group2 (1024-bit MODP), SHA-1, AES-128-CBC. group14 (2048-bit) and sha-256 are stronger choices where both peers support them. */
            proposal ike-prop {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
            }
            policy ike-pol {
                /* IKEv2. */
                version 2;
                proposals ike-prop;
                /* "$9$" is Junos reversible obfuscation, not a one-way hash; a key published in this dump has to be treated as disclosed and replaced with a long random one. */
                pre-shared-key ascii-text "$9$AI04p1RhSeMLxlKoJGDmP"; ## SECRET-DATA
            }
        }
        /* Both tunnels are negotiated at commit time rather than on the first matching packet. */
        establish-tunnels immediately;
    }
}
interfaces {
    ge-0/0/0 {
        flexible-vlan-tagging;
        /* WAN subinterface; 172.20.13.1 is the IPsec local-gateway for both service sets. */
        unit 13 {
            description WAN;
            vlan-id 13;
            family inet {
                address 172.20.13.1/24;
            }
        }
    }
    /* Inline-services units, one inside/outside pair per service set (1/2 neo4, 3/4 mikrotik); service-domain marks which side of the service set each unit is. */
    si-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            description ipsec-neo4-in;
            family inet;
            service-domain inside;
        }
        unit 2 {
            description ipsec-neo4-out;
            family inet;
            service-domain outside;
        }
        unit 3 {
            description ipsec-mikrotik-in;
            family inet;
            service-domain inside;
        }
        unit 4 {
            description ipsec-mikrotik-out;
            family inet;
            service-domain outside;
        }
    }
    /* Main-instance side of the link to logical system lrc (ge-0/1/1, 10.0.0.2). */
    ge-0/1/0 {
        media-type copper;
        unit 0 {
            description lrc-ge-0/1/1;
            family inet {
                address 10.0.0.1/30;
            }
        }
    }
    ge-0/1/1 {
        media-type copper;
    }
    ge-0/1/2 {
        media-type copper;
    }
    /* Management interface, addressed via DHCP. */
    fxp0 {
        unit 0 {
            family inet {
                dhcp {
                    client-identifier {
                        use-interface-description device;
                    }
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 100.0.1.1/32;
            }
        }
    }
}
routing-options {
    static {
        /* Default via the WAN gateway. The two routes into si-0/0/0.1 and si-0/0/0.3 are what hand that traffic to the ipsec and ipsec-mk service sets. */
        route 0.0.0.0/0 next-hop 172.20.13.254;
        route 192.168.168.0/24 next-hop si-0/0/0.1;
        route 10.10.10.10/32 next-hop si-0/0/0.3;
    }
}
acx1100 IPsec lab configuration (set format)
root@acx1100> show configuration | display set |no-more
set version 21.2R3.8
set system host-name acx1100
set system root-authentication encrypted-password "$6$Me.8rVDl$EF9PcbjYNNuRCuN5NejjRizhrBup688f5DY3A6yUgGujNDniHIYKjekVwxkmZ4LY34fT0FqqlhhKwh7R6XPeK0"
set system login class lr1 logical-system lr1
set system login class lr1 permissions all
set system login class lr2 logical-system lr2
set system login class lr2 permissions all
set system login class lr3 logical-system lr3
set system login class lr3 permissions all
set system login class lrc logical-system lrc
set system login class lrc permissions all
set system login user lr1 uid 2008
set system login user lr1 class lr1
set system login user lr1 authentication encrypted-password "$6$X8FfXB.u$ygojhfj.X6pEjOzQJ4.WVg9PckYHQrREUqyxDvrXrFbpSSVsp0dDgk4bjGG8UCJkLyDUPqChpMvE.V8hkkF4X1"
set system login user lr2 uid 2009
set system login user lr2 class lr2
set system login user lr2 authentication encrypted-password "$6$xBWmGCiz$UKy0NMZxOAoedM1V9Hw1G88zhE4QGLfB1KLkOOnZxsZqRAXqsxoX5bxh//N1eKHdF2LAyN9NxyDTLWJs6CGCC."
set system login user lr3 uid 2010
set system login user lr3 class lr3
set system login user lr3 authentication encrypted-password "$6$Ek5ihlUw$BSs4L9b8ymDjSLdMEMEiPJTcu0K5IEB1mJvHBATayaKSnVgQZ0K0NkcX3jfuths4J8tNtTjDTf7.vJu/zpPPP/"
set system login user lrc uid 2013
set system login user lrc class lrc
set system login user lrc authentication encrypted-password "$6$InAquAUa$UxnSAT9c1G476uTROWHZH25vz9yuqvFoSAvWKkOPVWZhzOf/o5uCR2uY4mWex3CKQbxwYRbpzkHBEq6L4mk8y."
set system services ssh root-login allow
set system services netconf ssh
set system domain-name lab.ls
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any error
set system syslog file messages authorization info
set logical-systems lr1 interfaces ge-0/0/1 unit 0 description lrc-ge-0/0/5
set logical-systems lr1 interfaces ge-0/0/1 unit 0 family inet address 10.0.1.1/30
set logical-systems lr1 interfaces lo0 unit 1 family inet address 100.1.1.1/32
set logical-systems lr1 protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set logical-systems lr1 protocols ospf area 0.0.0.0 interface lo0.1 passive
set logical-systems lr2 interfaces ge-0/0/2 unit 0 description lrc-ge-0/0/6
set logical-systems lr2 interfaces ge-0/0/2 unit 0 family inet address 10.0.2.1/30
set logical-systems lr2 interfaces lo0 unit 2 family inet address 100.2.2.2/32
set logical-systems lr2 protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set logical-systems lr2 protocols ospf area 0.0.0.0 interface lo0.2 passive
set logical-systems lr3 interfaces ge-0/0/3 unit 0 description lrc-ge-0/0/7
set logical-systems lr3 interfaces ge-0/0/3 unit 0 family inet address 10.0.3.1/30
set logical-systems lr3 interfaces ge-0/0/4 unit 0 description lrc-arm64-frr-dhcp
set logical-systems lr3 interfaces ge-0/0/4 unit 0 family inet address 10.0.4.1/30
set logical-systems lr3 interfaces lo0 unit 3 family inet address 100.3.3.3/32
set logical-systems lr3 protocols ospf area 0.0.0.0 interface ge-0/0/3.0
set logical-systems lr3 protocols ospf area 0.0.0.0 interface lo0.3 passive
set logical-systems lrc interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.2
set logical-systems lrc interfaces gr-0/0/0 unit 0 tunnel destination 10.10.10.10
set logical-systems lrc interfaces gr-0/0/0 unit 0 family inet address 10.1.1.1/30
set logical-systems lrc interfaces ge-0/0/5 unit 0 description lr1-ge-0/0/1
set logical-systems lrc interfaces ge-0/0/5 unit 0 family inet address 10.0.1.2/30
set logical-systems lrc interfaces ge-0/0/6 unit 0 description lr2-ge-0/0/2
set logical-systems lrc interfaces ge-0/0/6 unit 0 family inet address 10.0.2.2/30
set logical-systems lrc interfaces ge-0/0/7 unit 0 description lr3-ge-0/0/3
set logical-systems lrc interfaces ge-0/0/7 unit 0 family inet address 10.0.3.2/30
set logical-systems lrc interfaces ge-0/1/1 unit 0 description acx-ge-0/1/0
set logical-systems lrc interfaces ge-0/1/1 unit 0 family inet address 10.0.0.2/30
set logical-systems lrc interfaces lo0 unit 123 family inet address 100.1.2.3/32
set logical-systems lrc protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set logical-systems lrc protocols ospf area 0.0.0.0 interface ge-0/0/5.0
set logical-systems lrc protocols ospf area 0.0.0.0 interface ge-0/0/6.0
set logical-systems lrc protocols ospf area 0.0.0.0 interface ge-0/0/7.0
set logical-systems lrc protocols ospf area 0.0.0.0 interface lo0.123 passive
set logical-systems lrc routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set chassis fpc 0 pic 0 tunnel-services bandwidth 10g
set chassis fpc 0 pic 0 inline-services bandwidth 10g
set chassis fpc 0 service-package bundle-nat-ipsec
set services service-set ipsec next-hop-service inside-service-interface si-0/0/0.1
set services service-set ipsec next-hop-service outside-service-interface si-0/0/0.2
set services service-set ipsec ipsec-vpn-options local-gateway 172.20.13.1
set services service-set ipsec ipsec-vpn-options no-anti-replay
set services service-set ipsec ipsec-vpn-rules neo4
set services service-set ipsec-mk next-hop-service inside-service-interface si-0/0/0.3
set services service-set ipsec-mk next-hop-service outside-service-interface si-0/0/0.4
set services service-set ipsec-mk ipsec-vpn-options local-gateway 172.20.13.1
set services service-set ipsec-mk ipsec-vpn-options no-anti-replay
set services service-set ipsec-mk ipsec-vpn-rules mikrotik
set services ipsec-vpn rule neo4 term 1 from destination-address 192.168.168.0/24
set services ipsec-vpn rule neo4 term 1 from ipsec-inside-interface si-0/0/0.1
set services ipsec-vpn rule neo4 term 1 then remote-gateway 172.20.13.20
set services ipsec-vpn rule neo4 term 1 then dynamic ike-policy ike-pol
set services ipsec-vpn rule neo4 term 1 then dynamic ipsec-policy ipsec-pol
set services ipsec-vpn rule neo4 match-direction input
set services ipsec-vpn rule mikrotik term 1 from source-address 10.0.0.0/30
set services ipsec-vpn rule mikrotik term 1 from destination-address 10.10.10.10/32
set services ipsec-vpn rule mikrotik term 1 from ipsec-inside-interface si-0/0/0.3
set services ipsec-vpn rule mikrotik term 1 then remote-gateway 172.20.13.30
set services ipsec-vpn rule mikrotik term 1 then dynamic ike-policy ike-pol
set services ipsec-vpn rule mikrotik term 1 then dynamic ipsec-policy ipsec-pol
set services ipsec-vpn rule mikrotik match-direction input
set services ipsec-vpn ipsec proposal ipsec-prop protocol esp
set services ipsec-vpn ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec-pol proposals ipsec-prop
set services ipsec-vpn ike proposal ike-prop authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-prop dh-group group2
set services ipsec-vpn ike proposal ike-prop authentication-algorithm sha1
set services ipsec-vpn ike proposal ike-prop encryption-algorithm aes-128-cbc
set services ipsec-vpn ike policy ike-pol version 2
set services ipsec-vpn ike policy ike-pol proposals ike-prop
set services ipsec-vpn ike policy ike-pol pre-shared-key ascii-text "$9$AI04p1RhSeMLxlKoJGDmP"
set services ipsec-vpn establish-tunnels immediately
set interfaces ge-0/0/0 flexible-vlan-tagging
set interfaces ge-0/0/0 unit 13 description WAN
set interfaces ge-0/0/0 unit 13 vlan-id 13
set interfaces ge-0/0/0 unit 13 family inet address 172.20.13.1/24
set interfaces si-0/0/0 unit 0 family inet
set interfaces si-0/0/0 unit 1 description ipsec-neo4-in
set interfaces si-0/0/0 unit 1 family inet
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 description ipsec-neo4-out
set interfaces si-0/0/0 unit 2 family inet
set interfaces si-0/0/0 unit 2 service-domain outside
set interfaces si-0/0/0 unit 3 description ipsec-mikrotik-in
set interfaces si-0/0/0 unit 3 family inet
set interfaces si-0/0/0 unit 3 service-domain inside
set interfaces si-0/0/0 unit 4 description ipsec-mikrotik-out
set interfaces si-0/0/0 unit 4 family inet
set interfaces si-0/0/0 unit 4 service-domain outside
set interfaces ge-0/1/0 media-type copper
set interfaces ge-0/1/0 unit 0 description lrc-ge-0/1/1
set interfaces ge-0/1/0 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/1/1 media-type copper
set interfaces ge-0/1/2 media-type copper
set interfaces fxp0 unit 0 family inet dhcp client-identifier use-interface-description device
set interfaces lo0 unit 0 family inet address 100.0.1.1/32
set routing-options static route 0.0.0.0/0 next-hop 172.20.13.254
set routing-options static route 192.168.168.0/24 next-hop si-0/0/0.1
set routing-options static route 10.10.10.10/32 next-hop si-0/0/0.3