IPsec

Site to site

Phase 1

# IKE phase 1: registers the remote gateway 192.168.80.1 (port 500) as a peer
# and sets how the IKE SA is protected: pre-shared-key authentication,
# SHA-256 hashing, AES-256 encryption, DH group modp2048, 1-day lifetime.
# "verysecret" is a sample value. With auth-method=pre-shared-key the peer is
# authenticated by this string alone, so a deployment needs a long, randomly
# generated secret that is unique to this pair of gateways. Treat saved
# configuration and backups as sensitive, since they may contain it.
# NOTE(review): secret/auth-method on the peer entry looks like the older
# RouterOS layout; later releases split these into separate identity/profile
# menus -- confirm against the RouterOS version in use.
[admin@MikroTik-1] > ip ipsec peer
add address=192.168.80.1/32 port=500 auth-method=pre-shared-key \
secret="verysecret" hash-algorithm=sha256 enc-algorithm=aes-256 \
dh-group=modp2048 lifetime=1d

Phase 2

# IKE phase 2: proposal "my-proposal" lists the algorithms offered for the
# data-carrying SAs: SHA-256 for integrity and AES-256-CBC for encryption.
# pfs-group=modp2048 requests a fresh Diffie-Hellman exchange for phase 2
# keys, so they are not derived solely from the phase 1 keying material.
# Both gateways must offer matching values or no SA will be established.
# NOTE(review): lifetime=1d equals the phase 1 lifetime above; phase 2 SAs
# are commonly rekeyed more often than phase 1 -- confirm 1d is intended.
[admin@MikroTik-1] > ip ipsec proposal
add name=my-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=1d pfs-group=modp2048
# Policy: selects which traffic is protected. Packets from 10.1.202.0/24 to
# 10.1.101.0/24 (any port) are encrypted (action=encrypt) in tunnel mode
# between the gateways 192.168.90.1 (local SA endpoint) and 192.168.80.1
# (remote SA endpoint), using the algorithms from "my-proposal".
# The remote gateway needs the mirrored policy (source/destination and SA
# addresses swapped) for return traffic.
# NOTE(review): traffic that does not match these selectors is not covered by
# this policy and leaves unencrypted; if this router also source-NATs
# outbound traffic, presumably an exemption for 10.1.202.0/24 ->
# 10.1.101.0/24 is needed so packets still match -- verify on the device.
# NOTE(review): the "add" line below carries no trailing "\"; the parameter
# lines that follow belong to the same command.
[admin@MikroTik-1] > ip ipsec policy add
src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 tunnel=yes \
action=encrypt proposal=my-proposal