Mikrotik to Strongswan client access

I have successfully set up a connection, largely starting from here: https://www.paranoids.at/mikrotik-routeros-6-38-ikev2-strongswan-rsa-auth-howto/

Everything is connected and the client (Centos 7 Strongswan) can connect to local (192.168.5.0/24) addresses, but I cannot connect to anything on the VPN client side (the Centos Strongswan setup) from 192.168.5.0/24 machines. I have disabled firewalls on the client and still no go. I cannot ping the host from Mikrotik over the vpn_bridge either.

Any ideas?

Mikrotik (IPSEC server):

/ip address
add address=192.168.5.1/24 comment=Default interface=bridge-local network=192.168.5.0
add address=192.168.89.1/24 comment="ipsec vpn" interface=vpn-bridge network=192.168.89.0

/ip ipsec mode-config
add address=192.168.89.5 address-prefix-length=32 name=cfg-cloud static-dns=192.168.5.1,8.8.8.8,8.8.4.4 system-dns=no
/ip ipsec peer
add exchange-mode=ike2 name=peer1 passive=yes send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 lifetime=1h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ikev2-proposal pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.server comment="Misc Client" generate-policy=port-strict mode-config=cfg1 my-id=fqdn:vpn.server peer=peer1 \
    remote-certificate=vpn.client remote-id=fqdn:vpn.client
add auth-method=digital-signature certificate=vpn.server comment="Google Cloud Server" generate-policy=port-strict mode-config=cfg-cloud my-id=fqdn:vpn.server peer=\
    peer1 remote-certificate=vpn.cloud remote-id=fqdn:vpn.cloud
/ip ipsec mode-config
add address-pool=vpn name=cfg1 static-dns=192.168.5.1,8.8.8.8,8.8.4.4 system-dns=no
/ip ipsec policy
set 0 comment=vpn dst-address=192.168.89.0/24 proposal=ikev2-proposal src-address=0.0.0.0/0

/ip pool
add name=home ranges=192.168.5.10-192.168.5.250
add name=vpn ranges=192.168.89.10-192.168.89.50

StrongSwan ipsec.conf:

config setup
         strictcrlpolicy=no
         uniqueids=no
         #charondebug="ike 1, knl 0, cfg 0"
         charondebug="yes"

conn %default

conn tunnel
 keyexchange=ikev2
 ike=aes256-sha256-modp2048
 esp=aes256-sha256-modp2048
 ikelifetime = 24h
 lifetime = 30m
 dpddelay = 120s
 left=%defaultroute
 leftsourceip=%config
 leftcert=cloud.crt
 leftid=vpn.cloud
 leftfirewall=no
 right=home.domain.com
 rightsubnet=192.168.89.0/24,192.168.5.0/24
 rightid=vpn.server
 modeconfig=push
 auto=start

Show me
/ip firewall nat export
/ip firewall raw export

@sindy appreciate any help you can offer.

/ip firewall nat
add action=masquerade chain=srcnat comment=Outgoing out-interface=ether1-gateway
add action=accept chain=srcnat

/ip firewall raw export

Add a chain=srcnat dst-address=192.168.89.0/24 action=accept rule before (above) the action=masquerade one in /ip firewall nat and you should be good. BTW, the current “accept all” one is completely useless. If you use a GUI, the rules can be dragged using the mouse to change their order.

Using command line, it would be
/ip firewall nat add chain=srcnat dst-address=192.168.89.0/24 action=accept place-before=[find action=masquerade]

The reason is that the src-nat (masquerade is a special case of src-nat) is done before IPsec policy matching. So the packets to 192.168.89.0/24 take the default route through WAN, get masqueraded, and thus the IPsec policy misses them and lets them take the WAN path. By accepting them in chain=srcnat before the masquerade takes place, you let the policy match and steal them.

Only the first packet of each connection is handled by the srcnat and dstnat chains; all the subsequent packets inherit the handling of the first one via connection tracking. This explains why you could initiate connections from the CentOS to Mikrotik but not vice versa.
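As an added illustration (not part of sindy's or the OP's posts), this is what the resulting /ip firewall nat export would look like once the suggested rule is placed above masquerade and the unconditional accept is dropped; the comment text on the new rule is assumed.

```routeros
/ip firewall nat
# Traffic bound for the IPsec client subnet must leave srcnat untouched:
# masquerade would rewrite the source before the IPsec policy is consulted,
# and the packet would then take the WAN path. Rules are matched top-down,
# first match wins, so this must sit above the masquerade rule.
add action=accept chain=srcnat comment="no NAT towards IPsec clients" dst-address=192.168.89.0/24
# Everything else leaving the WAN interface is masqueraded as before.
add action=masquerade chain=srcnat comment=Outgoing out-interface=ether1-gateway
# The former unconditional "add action=accept chain=srcnat" rule is omitted:
# nothing reached it once masquerade had matched, so it had no effect.
```

Check the order with /ip firewall nat print; the accept rule must carry a lower index than masquerade, and only new connections started after the change are affected, since existing ones keep their tracked NAT decision.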

Thank you @sindy!

That did it and the explanation helped me understand. Really appreciate it!