No Traffic across IPSEC Site to Site VPN

I've read multiple posts and answers here and spent many hours trying to figure this out. I just cannot figure out what I am doing wrong. My rules are basically a compilation of everything I found in other posts.

Please help.

I have a successful Site-to-Site VPN tunnel established.
No traffic occurs between the LAN hosts.
When I ping from the local host, I see no activity on the Mikrotik.
I can see bytes increasing from local to remote in the IPsec Installed SAs and in firewall rules, but not the other way around.

I've gone as far as simply allowing any traffic between our external IPs and the internal IPs.

External IPs
Local: x.x.x.85
Remote: x.x.x.66

Internal IPs
Local: 10.25.35.67
Remote: 192.168.100.118

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 50.232.96.81 1
5 ADC 10.25.35.0/24 10.25.35.28 ether2 0
7 ADC 50.232.96.80/29 50.232.96.85 ether1-gateway 0


/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec In" ipsec-policy=in,ipsec log=yes new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec Out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.118 log=yes src-address=10.25.35.67
add action=accept chain=srcnat dst-address=10.25.35.67 log=yes src-address=192.168.100.118
add action=masquerade chain=srcnat dst-address-list=!LSI_internet_IPs log-prefix=masq_ out-interface=ether1-gateway

/ip firewall raw
add action=notrack chain=prerouting dst-address=10.25.35.0/24 src-address=192.168.100.0/24
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=10.25.35.0/24

/ip firewall filter
add action=accept chain=input comment="allow LSI Inbound" dst-address=x.x.x.85 in-interface=ether1-gateway log=yes src-address=x.x.x.66
add action=accept chain=forward comment="TEST - Allow outbound to LSI Internal" dst-address=192.168.100.118 log=yes src-address=10.25.35.67
add action=accept chain=forward comment="TEST - Accept traffic from LSI Internal" dst-address=10.25.35.0/24 log=yes log-prefix=LSI_In_ out-interface=ether2 src-address=192.168.100.118
add action=accept chain=input comment="allow VPN (ipsec-esp)" log=yes protocol=ipsec-esp
add action=accept chain=input comment="Accept related connections" connection-state=established,related log=yes
add action=accept chain=forward comment="Accept related connections" connection-state=established,related log=yes

You haven’t posted a single row of your ipsec-related configuration.

Your /ip firewall raw rules basically make your /ip firewall nat rules with action=accept redundant.

So I’d recommend you to post the full configuration of devices at both ends of the tunnel, plus the output of /ip ipsec installed-sa print detail and /ip ipsec policy print detail following the guidelines in my automatic signature, because it seems that something is wrong there rather than in the firewall; nevertheless, the full configuration gives a better overview.

NB: the auth and enc keys used in the installed-sa are dynamically created, so they are not really sensitive info unless you keep them unchanged for days, but it doesn’t matter if you replace them by xxxx. But only modify the IP addresses using find&replace to keep the port information, if present, unchanged.

Magically things started working.

Sorry, I hadn’t posted the IPSEC setup because both phase 1 and phase 2 were established.

Thanks for the information regarding the /ip firewall raw rules making the /ip firewall nat rules redundant.

When you have connections that were already attempted before you finished your configuration of the firewall, they won’t start working when the configuration is completed. In that case it is best to reboot the router to clear all tracking and NAT. Apparently that has already happened or the bad entries have timed out, and it started working.
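As an added example that is not part of the thread: a RouterOS terminal sequence that clears the stale connection-tracking entries for the two tunnel LANs described above instead of rebooting, then re-checks the counters the replies ask about. It assumes the subnets from the original post and a RouterOS v6.4x/v7 CLI.

```routeros
# Added example, not from the thread. Subnets are the ones posted above
# (10.25.35.0/24 local, 192.168.100.0/24 remote); assumes RouterOS v6.4x/v7.

# 1. See which tracked connections involve either LAN. Entries created before
#    the raw notrack rules were finished keep their old NAT/filter decisions.
/ip firewall connection print where src-address~"^10\\.25\\.35\\." || dst-address~"^10\\.25\\.35\\."
/ip firewall connection print where src-address~"^192\\.168\\.100\\." || dst-address~"^192\\.168\\.100\\."

# 2. Drop those entries so the next packet is evaluated against the completed
#    rule set. With the notrack rules in place, new tunnel traffic should not
#    reappear in this table at all.
/ip firewall connection remove [find where src-address~"^10\\.25\\.35\\." || dst-address~"^10\\.25\\.35\\."]
/ip firewall connection remove [find where src-address~"^192\\.168\\.100\\." || dst-address~"^192\\.168\\.100\\."]

# 3. Confirm the raw notrack rules are actually matching (their counters move
#    when a LAN host pings the other side).
/ip firewall raw print stats

# 4. Ping from a LAN host again, then compare both directions of the SA.
#    Bytes rising only on the local->remote SA means the reply never comes
#    back through the tunnel, pointing at the IPsec policy or the remote end.
/ip ipsec installed-sa print detail
/ip ipsec policy print detail
```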