IPSec TCP traffic not working

Hi :slight_smile:
Thanks in advance for your time!

I currently have a IPSec tunnel established between my Mikrotik router and the Oracle OCI.
For configuration I followed this guide: https://tech.belidzs.hu/blog/site-to-site-vpn-between-oracle-cloud-infrastructure-and-a-mikrotik-device/

Everything was working fine, but suddenly I couldn’t connect to the Apache server hosted at the OCI site.
I then tried to connect via SSH. This worked, but if I open e.g. “top”, the connection freezes.
Also pinging works from both sides.

I guess the IPSec connection itself is working and there must be something wrong with the routing or the firewall?
Here is the export of my current configuration:

# Address lists referenced by the filter and NAT rules further down.
/ip firewall address-list
# "private": bogon / non-routable source ranges, used by the "drop bogons" input rule.
add address=0.0.0.0/8 list=private
add address=10.0.0.0/8 list=private
add address=100.64.0.0/10 list=private
add address=127.0.0.0/8 list=private
add address=169.254.0.0/16 list=private
add address=172.16.0.0/12 list=private
add address=192.0.0.0/24 list=private
add address=192.0.2.0/24 list=private
add address=192.168.0.0/16 list=private
add address=198.18.0.0/15 list=private
add address=198.51.100.0/24 list=private
add address=203.0.113.0/24 list=private
# 224.0.0.0/3 covers multicast plus the reserved 240.0.0.0/4 space.
add address=224.0.0.0/3 list=private
# "lan" and "ipsec" are the two ends of the tunnel; they match the src/dst of the IPsec
# policy and drive the srcnat bypass rule ("oci ipsec bypass").
add address=192.168.111.0/24 list=lan
add address=10.1.0.0/16 list=ipsec

# Rules are evaluated top to bottom per chain; the first match wins.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Bogon-sourced packets from WAN that were NOT IPsec-decapsulated (ipsec-policy=in,none) are dropped first.
add action=drop chain=input comment="drop bogons" in-interface-list=wan ipsec-policy=in,none src-address-list=private
add action=accept chain=input comment="accept established,related" connection-state=established,related
# ICMP is accepted from every interface, WAN included.
add action=accept chain=input comment="accept ICMP" protocol=icmp
# NOTE(review): no rule above this one explicitly accepts IKE (udp/500, udp/4500) or ESP from WAN,
# so an IKE exchange initiated by the OCI peer is only let through while a conntrack entry from the
# "established,related" rule still exists. Since the thread's edit says the tunnel only breaks
# after the WAN drops, the counter of this rule after a reconnect is worth checking -- confirm.
# There is also no "drop invalid" rule in the input chain.
add action=drop chain=input comment="drop all from WAN" in-interface-list=wan
# --- forward chain: traffic routed through the router ---
# No fasttrack rule is present, so the ipsec-policy rules below see every packet of a connection.
add action=accept chain=forward comment="accept established,related" connection-state=established,related
# Packets that were decapsulated by / will be encapsulated into an IPsec policy are accepted.
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop invalid connection" connection-state=invalid
# Only new connections from WAN that were dst-NATed (port forwards) survive past this point.
add action=drop chain=forward comment="drop all from WAN not dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=wan

# Per-WAN connection marking: every unmarked connection that enters or leaves through a given
# WAN interface gets that WAN's mark (wan1/wan2/wan3). The "log" rules are disabled placeholders.
# NOTE(review): there is no TCP MSS adjustment rule (action=change-mss) for traffic matching the
# IPsec policy. The symptom at the top of the thread (ping and SSH login work, but a screen-filling
# "top" freezes) is typical of an MTU/MSS problem on ESP-encapsulated TCP; a forward-chain
# change-mss rule with new-mss=clamp-to-pmtu on TCP SYN packets matching ipsec-policy=out,ipsec
# and ipsec-policy=in,ipsec is the usual mitigation -- confirm by comparing small and large
# packet behaviour through the tunnel.
/ip firewall mangle
add action=log chain=prerouting comment="Mark Connection - WAN1" disabled=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ppp-wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ppp-wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark new-connection-mark=wan1 out-interface=ppp-wan1 passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=wan1 out-interface=ppp-wan1 passthrough=yes
add action=log chain=prerouting comment="Mark Connection - WAN2" disabled=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether2_wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2_wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark new-connection-mark=wan2 out-interface=ether2_wan2 passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=wan2 out-interface=ether2_wan2 passthrough=yes
add action=log chain=prerouting comment="Mark Connection - WAN3" disabled=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether3_wan3 new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether3_wan3 new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark new-connection-mark=wan3 out-interface=ether3_wan3 passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=wan3 out-interface=ether3_wan3 passthrough=yes

/ip firewall nat
# LAN -> OCI traffic must keep its original source address or it will not match the IPsec
# policy (src 192.168.111.0/24); this accept rule stops it from reaching the masquerade rules.
add action=accept chain=srcnat comment="oci ipsec bypass" dst-address-list=ipsec src-address-list=lan
# NOTE(review): the masquerade rules below carry no ipsec-policy=out,none matcher, so the tunnel
# bypass depends entirely on the rule above staying enabled and first; adding the matcher would
# make the masquerade rules safe on their own -- confirm against the RouterOS default config.
add action=masquerade chain=srcnat comment="masquerade wan1 ppp" out-interface=ppp-wan1
add action=masquerade chain=srcnat comment="masquerade wan1 interface" out-interface=ether1_wan1
add action=masquerade chain=srcnat comment="masquerade wan2 interface" out-interface=ether2_wan2
add action=masquerade chain=srcnat comment="masquerade wan3 interface" out-interface=ether3_wan3

# IPsec peer "oci-1": identity, peer address, policy, and the IKE (profile) / IPsec (proposal)
# crypto settings.
/ip ipsec identity
add peer=oci-1 policy-template-group=oci
/ip ipsec peer
# NOTE(review): no local-address is pinned on the peer. With three WANs and a failover default
# route, the IKE session is bound to whichever WAN address it was negotiated from; after a WAN
# drop the SA would have to be re-established from the new address -- this matches the thread's
# "works again after a reboot" edit, but confirm with /ip ipsec active-peers.
add address=130.61.194.105/32 name=oci-1 profile=oci
/ip ipsec policy
# Tunnel-mode policy between the LAN subnet and the OCI VCN range.
add dst-address=10.1.0.0/16 peer=oci-1 proposal=oci src-address=192.168.111.0/24 tunnel=yes
/ip ipsec policy group
add name=oci
/ip ipsec profile
# IKE: SHA-384 PRF, AES-256/192/128, lifetime 8h, NAT-T off (assumes the router owns a public
# address directly -- the public gateway on wan1 suggests so, but confirm for wan2/wan3).
# NOTE(review): the DH list falls back to modp1024 (group 2), which is considered weak today;
# drop it if the OCI side accepts one of the stronger groups listed first.
add dh-group=ecp256,ecp384,modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha384 lifetime=8h name=oci nat-traversal=no
/ip ipsec proposal
# ESP: SHA-256 auth, AES-CBC/GCM variants, 1h lifetime, PFS with modp1536.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm lifetime=1h name=oci pfs-group=modp1536

# Multi-WAN failover: each routing-mark table prefers its own WAN and falls back to the other two;
# the unmarked default routes (distance 1/2/3) prefer wan1. The 10.255.255.x "virtual hop"
# addresses are recursive next hops that only resolve while their check-gateway ping targets
# answer through the pinned scope=10 host routes.
/ip route
add distance=1 gateway=10.255.255.3 routing-mark=wan3_route
add distance=2 gateway=10.255.255.1 routing-mark=wan3_route
add distance=3 gateway=10.255.255.2 routing-mark=wan3_route
add distance=1 gateway=10.255.255.1 routing-mark=wan1_route
add distance=2 gateway=10.255.255.2 routing-mark=wan1_route
add distance=3 gateway=10.255.255.3 routing-mark=wan1_route
add distance=1 gateway=10.255.255.2 routing-mark=wan2_route
add distance=2 gateway=10.255.255.1 routing-mark=wan2_route
add distance=3 gateway=10.255.255.3 routing-mark=wan2_route
add comment=wan1_route distance=1 gateway=10.255.255.1
add comment=wan2_route distance=2 gateway=10.255.255.2
add comment=wan3_route distance=3 gateway=10.255.255.3
# Host routes pinning each ping target to one physical WAN gateway.
add comment=wan2_check distance=1 dst-address=8.8.4.4/32 gateway=192.168.0.1 scope=10
add comment=wan1_check distance=1 dst-address=8.8.8.8/32 gateway=62.52.192.142 scope=10
# NOTE(review): 9.9.9.10 (here) and 149.112.112.10 (below) are pinned but no virtual-hop route
# uses them, while the wan1 hop via 1.0.0.1 and the wan3 hop via 149.112.112.112 have no pinned
# host route and therefore resolve through the current default route instead of their own WAN.
# 149.112.112.10 vs 149.112.112.112 looks like a typo -- confirm.
add comment=wan1_check distance=1 dst-address=9.9.9.10/32 gateway=62.52.192.142 scope=10
# NOTE(review): the OCI subnet is routed via 132.145.232.34, which is not the IPsec peer address
# (130.61.194.105). With a policy-based tunnel the route only has to get the packet into
# forwarding, but confirm this gateway is intentional (e.g. the second OCI tunnel endpoint).
add distance=1 dst-address=10.1.0.0/16 gateway=132.145.232.34
add check-gateway=ping comment=wan1_virtual_hop distance=1 dst-address=10.255.255.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping comment=wan1_virtual_hop distance=1 dst-address=10.255.255.1/32 gateway=1.0.0.1 scope=10
add check-gateway=ping comment=wan2_virtual_hop distance=1 dst-address=10.255.255.2/32 gateway=8.8.4.4 scope=10
add check-gateway=ping comment=wan2_virtual_hop distance=1 dst-address=10.255.255.2/32 gateway=208.67.222.222 scope=10
add check-gateway=ping comment=wan3_virtual_hop distance=1 dst-address=10.255.255.3/32 gateway=208.67.220.220 scope=10
add check-gateway=ping comment=wan3_virtual_hop distance=1 dst-address=10.255.255.3/32 gateway=149.112.112.112 scope=10
add comment=wan3_check distance=1 dst-address=149.112.112.10/32 gateway=46.0.0.1 scope=10
add comment=wan3_check distance=1 dst-address=208.67.220.220/32 gateway=46.0.0.1 scope=10
add comment=wan2_check distance=1 dst-address=208.67.222.222/32 gateway=192.168.0.1 scope=10

What can I do to debug the issue, and what other information do you need to help me?
I would appreciate any help!

Edit: It seems to work until the wan connection disconnects. After a reboot of the router the connection is working again. What could cause this issue and is there anything I can do to prevent this happening?

A traffic freeze can also be caused by incorrect traffic flow through the firewall. There have been many such cases. Firewall rules are evaluated from top to bottom, so the order of the entries matters. We use the “default” firewall rules as the basis for everything. Try to fix the firewall section and then see how the router behaves. Of course, a restart is required after the changes.

# Interface lists used by the filter/NAT rules below. Note the upper-case names: the original
# poster's rules reference lists named "wan"/"lan" (lower case), and list names are distinct.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

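# Default-config based rule set with the IPsec accept rules placed before fasttrack.
/ip firewall filter
# --- input chain ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# IKE (500) and NAT-T (4500) must reach the router for the tunnel; 1701 is only needed for L2TP,
# so it can be left out on a site-to-site IPsec-only setup.
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# --- forward chain ---
# The ipsec-policy rules sit above fasttrack on purpose: fasttracked connections bypass the rest
# of the firewall, and IPsec-policy traffic must not be fasttracked.
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Fixed: this rule was written with chain=input, duplicating the input "drop invalid" rule above
# and leaving the forward chain without one; the default config drops invalid in forward here.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# ipsec-policy=out,none keeps traffic that matches an IPsec policy out of masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN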

Sorry for the late reply! I did not enable notifications for that thread.


That was my thought too. I don’t know whether it’s because I have multiple WAN interfaces and the traffic might therefore be taking the wrong route?
I have tried the change to the filters and rebooted the router. Unfortunately, this was not successful.