IPSEC and Fastrack

Hi,

I was trying to find why I had poor performance over my VPN provider until I found that Fasttrack was causing the issue. I then implemented this solution https://blog.johannfenech.com/mikrotik-fasttrack-configuration-with-l2tp-ipsec-vpn/ which solved my issue.

My question is more about the two other default rules in my hAP ac lite which I thought would do basically the same: "defconf accept in ipsec policy" and "defconf accept out ipsec policy", by accepting all IPsec traffic prior to the fasttrack rule. I then noticed the "accept in ipsec policy" counter does increase but not the "out" one. Could someone explain the purpose of those policies?

Rock.

Those two default rules in the forward filter are fine for site-to-site VPNs. But not for popular VPNs where you route your traffic to the internet via the tunnel, and you only get a single IP address for your end from them. Because then you have to use srcnat, and only after that will outgoing packets match the IPsec policy. The problem is that forward comes before srcnat, and those rules can't see into the future.
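One way to work around that ordering, as an added example that is not from the thread or the linked blog: the "in" direction does match in forward (which is why that counter climbs), so mark the connection on the decrypted reply packets and keep marked connections out of FastTrack. The connection-mark name is an assumption; everything else uses standard RouterOS matchers.

```routeros
# Added example, not part of the original thread. The mark name "ipsec-conn" is arbitrary.
/ip firewall mangle
# Reply packets arriving through the tunnel are decrypted before the firewall sees them,
# so ipsec-policy=in,ipsec matches in forward. Marking the connection (not just the packet)
# tags both directions, so the outbound packets can be recognised before srcnat runs.
add chain=forward action=mark-connection new-connection-mark=ipsec-conn \
    ipsec-policy=in,ipsec passthrough=yes \
    comment="tag connections whose replies come back through the IPsec tunnel"

/ip firewall filter
# FastTrack only ever matches established/related packets, i.e. after the first reply has
# already set the mark, so tunnelled connections are never handed to FastTrack.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!ipsec-conn comment="defconf: fasttrack (IPsec connections excluded)"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
```

Check with `/ip firewall connection print where connection-mark=ipsec-conn` that tunnelled flows carry the mark and do not show the fasttrack flag.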