craigbruenderman
just joined
Topic Author
Posts: 3
Joined: Sat Mar 09, 2024 6:39 am

No traffic across IPSEC tunnel to AWS

Mon Mar 11, 2024 2:16 am

Hi, I've got functional tunnels and BGP peering ok. Prefixes are as expected on both sides, so I'm thinking I have an iptables problem. I've played with some of what I've seen on other posts in NAT and Mangle chains, but no dice. Can someone spot the missing piece?

[craigb@MikroTik] /ip/firewall> /ip/ipsec/active-peers/print
Flags: N - NATT-PEER
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS
;;; AWS-2
0 N 34.239.16.250 established 1h56m46s 1 34.239.16.250
;;; AWS-1
1 N 18.233.233.35 established 1h56m46s 1 18.233.233.35

[craigb@MikroTik] /ip/firewall> /routing/bgp/connection/print
Flags: D - dynamic, X - disabled, I - inactive
0 ;;; AWS-1
name="AWS-1"
remote.address=169.254.79.193 .as=64512
local.address=169.254.79.194 .role=ebgp
connect=yes listen=yes routing-table=main as=65008 hold-time=30s keepalive-time=10s address-families=ip
output.network=LAN-PL

1 X ;;; AWS-2
name="AWS-2"
remote.address=169.254.112.69 .as=64512
local.address=169.254.112.70 .role=ebgp
connect=yes listen=yes routing-table=main as=65008 address-families=ip
output.network=LAN-PL

[craigb@MikroTik] /ip/firewall> /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, b - BGP, o - OSPF, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 76.244.28.1 1
DAo 10.17.38.16/31 192.168.9.0%e2-Transit 110
DAb 10.60.0.0/16 169.254.79.193 20
DAc 76.244.28.0/22 e1-INET1 0
DAc 169.254.79.192/30 e1-INET1 0
DAc 169.254.112.68/30 e1-INET1 0
DAc 192.168.9.0/31 e2-Transit 0
DAo 192.168.10.0/24 192.168.9.0%e2-Transit 110
DAo 192.168.11.0/24 192.168.9.0%e2-Transit 110
DAo 192.168.12.0/24 192.168.9.0%e2-Transit 110
DAc 192.168.20.0/24 BR-20 0

/ip firewall address-list
add address=192.168.10.0/24 comment=LAN-PL list=LAN-PL
add address=192.168.9.0/31 list=LAN-PL
add address=10.60.0.0/16 list=AWS
/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input connection-state=new in-interface=e1-INET1 log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
 
craigbruenderman
just joined
Topic Author
Posts: 3
Joined: Sat Mar 09, 2024 6:39 am

Re: No traffic across IPSEC tunnel to AWS

Mon Mar 11, 2024 2:44 am

Finally got ICMP working, but I'm not wild about this solution. Apparently if I add another policy for the src and dst network prefixes, it works. I was hoping that wasn't necessary since I'm trying to use BGP to propagate prefixes in the first place. Can someone advise if this is necessary on ROS7, or if I can just use a route-based VPN approach with BGP and have only an IPSEC policy for the BGP peers on either side?

[craigb@MikroTik] /ip/firewall> /ip/ipsec/policy/print
Flags: T - TEMPLATE; X - DISABLED, I - INVALID, A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * 0.0.0.0/0 0.0.0.0/0 all
;;; AWS-1
1 A AWS-1 yes 169.254.79.194/32 169.254.79.193/32 all encrypt unique 1
;;; AWS-2
2 X AWS-2 yes 169.254.112.70/32 169.254.112.69/32 all encrypt require 0
3 A AWS-1 yes 192.168.10.0/24 10.60.0.0/16 all encrypt unique 1
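The behaviour described in the reply above follows from how policy-based IPsec works: the security policy database (the /ip/ipsec/policy entries) decides which flows are encrypted, so a BGP-learned route to 10.60.0.0/16 only selects a next hop and does not, by itself, put LAN traffic into the tunnel. A practical audit is to confirm that every local/remote prefix pair you expect to cross the tunnel is covered by an active, non-template policy. The script below is an added example written for this page, not code from the poster or from MikroTik; it parses the policy listing quoted above together with the LAN-PL and AWS address lists from the first post (both embedded as constructed sample input) and reports uncovered pairs. It assumes first-match evaluation in index order and treats only policies flagged A, and neither T nor X, as active.

```python
import ipaddress

# Constructed sample input: the /ip/ipsec/policy/print listing quoted in the reply above.
POLICY_PRINT = """\
0 T * 0.0.0.0/0 0.0.0.0/0 all
;;; AWS-1
1 A AWS-1 yes 169.254.79.194/32 169.254.79.193/32 all encrypt unique 1
;;; AWS-2
2 X AWS-2 yes 169.254.112.70/32 169.254.112.69/32 all encrypt require 0
3 A AWS-1 yes 192.168.10.0/24 10.60.0.0/16 all encrypt unique 1
"""

# Constructed sample input: the LAN-PL and AWS address lists from the first post.
LAN_PL = ["192.168.10.0/24", "192.168.9.0/31"]
AWS = ["10.60.0.0/16"]

# Flag letters from the print header: T template, X disabled, I invalid, A active, * default.
FLAG_CHARS = set("TXIA*")


def parse_policies(text):
    """Turn the flattened print output into policy dicts, keeping index order.

    ';;;' lines are comments that belong to the next row, as in RouterOS output.
    """
    policies = []
    comment = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;;"):
            comment = line[3:].strip()
            continue
        tokens = line.split()
        flags = set()
        pos = 1  # tokens[0] is the policy index
        while pos < len(tokens) and tokens[pos] in FLAG_CHARS:
            flags.add(tokens[pos])
            pos += 1
        cidr_pos = [i for i, t in enumerate(tokens) if "/" in t]
        src_i, dst_i = cidr_pos[0], cidr_pos[1]
        rest = tokens[dst_i + 1:]  # protocol, action, level, ph2-count (template rows have fewer)
        policies.append({
            "id": int(tokens[0]),
            "comment": comment,
            "flags": flags,
            "peer": tokens[pos] if pos < src_i else None,  # template rows carry no peer
            "src": ipaddress.ip_network(tokens[src_i]),
            "dst": ipaddress.ip_network(tokens[dst_i]),
            "protocol": rest[0] if rest else None,
            "action": rest[1] if len(rest) > 1 else None,
            # Only a policy flagged A that is neither a template nor disabled selects traffic.
            "active": "A" in flags and "T" not in flags and "X" not in flags,
        })
        comment = None
    return policies


def select_policy(policies, src_ip, dst_ip):
    """Return the first active policy whose selectors contain the flow, or None.

    Assumption for this example: first match in index order, like an SPD lookup.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["active"] and s in p["src"] and d in p["dst"]:
            return p
    return None


def uncovered_pairs(policies, local_nets, remote_nets):
    """List (local, remote) prefix pairs that no single active policy fully covers."""
    gaps = []
    for local in local_nets:
        for remote in remote_nets:
            ln, rn = ipaddress.ip_network(local), ipaddress.ip_network(remote)
            covered = any(
                p["active"] and ln.subnet_of(p["src"]) and rn.subnet_of(p["dst"])
                for p in policies
            )
            if not covered:
                gaps.append((local, remote))
    return gaps


if __name__ == "__main__":
    pols = parse_policies(POLICY_PRINT)
    for p in pols:
        state = "active" if p["active"] else "inactive"
        print(f"policy {p['id']} ({state}): {p['src']} -> {p['dst']} peer={p['peer']}")
    for local, remote in uncovered_pairs(pols, LAN_PL, AWS):
        print(f"no active policy covers {local} -> {remote}")
```

Run against the listing as quoted, it reports 192.168.9.0/31 -> 10.60.0.0/16 as uncovered: that prefix is in the LAN-PL address list (and so advertised via BGP), but policy 3 only selects 192.168.10.0/24, so hosts on the transit link would have a route toward AWS without any policy to carry them, a gap that otherwise shows up only as silently missing traffic for that one prefix.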
