I just spent hours trying to figure out the problem with an IPSec Tunnel only to realize that it was caused by a faulty “place-before=0” switch.
So I was trying to set up an IPSec Tunnel between two RB2011L-RM running v6.20 following the official guide.
The tunnel would go up, but I couldn’t ping any resources on the opposite side. I finally realized that I had to delete and manually recreate the NAT Bypass rule using Webfig and then move it to the top for it to take effect.
Creating the rule from the command line using the “place-before=0” switch would indeed create the rule, and indeed put it at the top, but it wouldn’t actually have priority over my masquerade rule. Dragging the rule back and forth from top to bottom wouldn’t help either. I really had to delete it completely.
I don’t have access to other units running versions prior to 6.20, so I don’t know if it affects other versions as well. I can certainly confirm that it affects this version on two different RB2011 units though…
Bug report?
Hope this saves other people the headaches
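As an added illustration (not part of the original post), this is the srcnat rule order the post is describing and the checks that show whether the bypass rule is really taking effect; the subnets and interface name are constructed placeholders:

```routeros
# Constructed example, not from the original post.
# Local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24, WAN on ether1 (placeholders).

# Existing masquerade rule for internet access.
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# NAT bypass: traffic for the remote LAN must be accepted BEFORE it reaches
# masquerade, otherwise it gets source-NATed and the IPsec policy never matches.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.20.0/24 comment="IPsec NAT bypass" place-before=0

# Check 1: the accept rule must be listed at index 0, above masquerade.
/ip firewall nat print

# Check 2: ping a host on the remote LAN, then confirm the packet counter of the
# bypass rule (not the masquerade rule) is the one that increases.
/ip firewall nat print stats
```

If the rule is listed first but the masquerade counter is still the one incrementing, that is the symptom from the post; the fix reported there was deleting the rule and recreating it in Webfig, then moving it to the top.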