Problems with traffic (only one way works) in IPSEC tunnel

Hi!
I am kind of new to MikroTik and I have a question. We have taken over some MikroTiks for a customer from the previous supplier, which configured them earlier.

I have an IPsec tunnel which seems to be up and running (two MikroTiks) and traffic is flowing from the Router2 site to the Router1 site. But not the other way around, except pinging from the Router1 site to the internal IP of Router2 (MikroTik)!

When I am talking about “site” , I mean the internal subnet.

So basically everything seems to work except traffic from the Router1 site to clients other than the MikroTik itself.


I have several other working IPsec tunnels from Router1 and all have the same configuration; the NAT rule includes the Router2 site.
The firewall rules on Router1 do not specifically say to accept incoming connections from the different sites, but every IPsec site works besides this one, as I said earlier.

Router2 has only this mentioned IPsec tunnel configured. I have changed the NAT rule a bit on Router2 so there is no difference from the other working IPsec tunnels. It seemed that the firewall blocked incoming connections on Router2, and I have now changed that. Established and related connections are allowed (first two rules) and I have now even added a rule to allow incoming connections from the Router1 site (no specific interface configured and no specific ports configured, so I am guessing that I am allowing all traffic), but still the same issue.

Router1 is an RB1100AHx2 Version 6.38rc41 (testing)
Router2 is an RB750GL Version 6.24

I can provide you with specific configurations if that is needed. But I just want to raise the question first to see if someone has any input straight away.

Best Regards
Christoffer

When traffic flows both ways but connections succeed only one way, there is something in the stateful firewall configuration that allows new connections one way and not the other.
(starting a ping is also considered a connection from one side to the other)
So you have to look at the filters tab on the firewall and see how forward is filtered.

Hello,

How did you manage to sort out this one? I have an identical problem (RouterOS 6.47.4 on all devices), and it is just not working. I think it's a bug somewhere in the system, and I'd like to do a packet trace, but I'm not really sure how (or if the router itself can do it), or what the approach is here.

In short, I have Router 1 (RB1100AHx4) and Router 2 (hAP ac2); I made an IPsec tunnel with no issues, traffic flows, both subnets can see each other.
I have Router 1 (RB1100AHx4) and Router 3 (RB1100AHx4), same type of tunnel, same configuration everywhere; traffic flows just from Router 1 to Router 3, but not the other way around. I can ping Router 3 from Router 1, and nothing else in that subnet. Router 3 cannot ping anything in Router 1.
Static routes are created on all routers. It doesn't make any sense why it would work on one pair of routers and not on the other.

Any pointers would be much appreciated. (I’ve already checked the Firewall Filters 10 times and they all look normal, all look identical)
Thanks!

Look at this post. If it doesn’t help you find the issue, post the configuration of both machines, anonymized as per the hint in my automatic signature here below.

I believe I might have found something. While pinging Router 1 from Router 3 I observed that another IP address was also replying to the ping; I realised I have 3 IP addresses on the bridge interface (needed to talk to other switches over the network the other day to reconfigure them). I have disabled the other IP addresses on the bridge besides the main subnet, and now I can ping Router 1 from Router 3!
It doesn't make any sense. Why would a default dynamic route created for an interface on the bridge (which goes nowhere) impair the IPsec tunnel functionality for the main subnets?
Anyway, I can just ping the routers themselves, but not further on, so no ping between anything on the subnets.

Thank you very much for your answer, sindy.
I have tried to look at the connections on the other router while pinging from the first one, but there are no ICMP packets in it. I believe it makes sense, as the packets between the subnets are already processed in prerouting by the Raw tab.
I'm still puzzled.

Because in order to get matched by an IPsec policy, a packet first needs to pass through the "normal" routing and firewall. Matching of the packet's source and destination address (and protocol and ports, if set up like that) is the very last step just before sending the packet out the chosen interface. So if no route is found for a packet in "normal" routing, the packet is not sent via IPsec either.


Yes, if there is an action=notrack rule in /ip firewall raw which matches the packets to/from the remote site, these packets are not connection tracked so there’s nothing to be shown in /ip firewall connection print. So firewall filter rules not allowing “untracked” through in chain=forward could be guilty. Also NAT rules do not affect these packets in such case (NAT fully depends on connection tracking).

As said above - post the configurations. If you looked into the rules 20 times, chances that you’ll find something at 21st look are low, but other eyes may see something.
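The two points made in the replies above (the forward chain has to allow new connections in both directions, and a packet must first be routed and pass the normal firewall before an IPsec policy can catch it, while notrack hides such packets from connection tracking and NAT) can be verified from the RouterOS console. The following is an added example written for this thread, not part of any post. It assumes the addressing of the Router 1 export posted further down (LAN 192.168.1.0/24 on bridge, remote LAN 192.168.50.0/24 behind peer ike1-Berlin, WAN on vlan10) and is run on the side that cannot initiate traffic.

```routeros
# Diagnostic walk-through for a site-to-site IPsec tunnel that only works in
# one direction. Added example for this thread; addresses and names follow the
# anonymized Router 1 export below (assumptions, adapt to your own router).

# 1. Routing runs before policy matching. A packet for the remote LAN needs a
#    route, otherwise it is dropped before the IPsec policy ever sees it.
/ip route print detail where dst-address=192.168.50.0/24
#    A route pointing at a local interface is enough: with tunnel=yes the
#    policy catches the packet on its way out regardless of the interface.
/ip route add dst-address=192.168.50.0/24 gateway=bridge comment="reach IPsec policy"

# 2. The policy must be active and phase 2 must be up in both directions.
/ip ipsec policy print detail where dst-address=192.168.50.0/24
/ip ipsec installed-sa print
/ip ipsec active-peers print

# 3. notrack in /ip firewall raw makes inter-site packets invisible to
#    /ip firewall connection print and to NAT, and the forward chain must then
#    accept connection-state=untracked explicitly. Counters show which rule
#    actually sees the packets.
/ip firewall raw print stats
/ip firewall filter print stats where chain=forward
#    Minimal forward rules that work together with the notrack rules; they must
#    sit above any "drop all from WAN" rule.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="packets that arrived through IPsec"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="packets about to be encrypted"
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related,untracked

# 4. Look at the packets themselves. A ping from the router tests only the
#    router-to-router path (output chain, not forward):
/ping 192.168.50.1 src-address=192.168.1.1 count=3
#    To exercise the forward chain, ping from a LAN host instead and watch the
#    clear-text packet arrive on the bridge and ESP leave on the WAN
#    (ip-protocol uses the same keywords as protocol= in /ip firewall):
/tool sniffer quick interface=bridge ip-address=192.168.50.1
/tool sniffer quick interface=vlan10 ip-protocol=ipsec-esp
```

If the sniffer on the bridge shows the request from the LAN host but nothing ever appears as ESP on the WAN, the packet is lost in routing or in the forward chain of this router; if ESP leaves but no ESP comes back, the problem is on the far side, and the same sequence should be repeated there.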

OK, I have exported the config, anonymized (all IPs are fake, used Find and Replace).

Router 1:

# Router 1
# Public IP address: 11.22.33.44
# LAN Network: 192.168.1.0/24
#
# oct/05/2020 22:15:01 by RouterOS 6.47.4
# software id = ---------
#
# model = RBD52G-5HacD2HnD
# serial number = 0123456789
/interface bridge add admin-mac=D8:60:B4:16:54:7F auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether1 ] speed=100Mbps
/interface ethernet set [ find default-name=ether2 ] speed=100Mbps
/interface ethernet set [ find default-name=ether3 ] speed=100Mbps
/interface ethernet set [ find default-name=ether4 ] speed=100Mbps
/interface ethernet set [ find default-name=ether5 ] speed=100Mbps
/interface wireless set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=Wireless station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface wireless set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=Wireless5Ghz station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface vlan add interface=ether1 name=vlan10 vlan-id=10
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer add address=100.200.250.100/32 local-address=11.22.33.44 name=ike1-Berlin
/ip ipsec profile set [ find default=yes ] dh-group=ecp384 dpd-interval=5m enc-algorithm=aes-256 hash-algorithm=sha256 name=ike1-Berlin
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-ctr name=ike1-Berlin pfs-group=ecp384
/ip pool add name=dhcp ranges=192.168.1.110-192.168.1.250
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge lease-time=1w23h59m59s name=defconf
/port set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
/interface ppp-client add apn=vodafone default-route-distance=2 name=ppp-VDF port=usb1
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking set icmp-timeout=30s tcp-close-timeout=20s tcp-close-wait-timeout=20s tcp-fin-wait-timeout=20s tcp-last-ack-timeout=20s tcp-syn-received-timeout=15s tcp-syn-sent-timeout=15s tcp-time-wait-timeout=20s udp-timeout=20s
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/interface detect-internet set wan-interface-list=WAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=vlan10 list=WAN
/ip address add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf disabled=no interface=vlan10
/ip dhcp-server config set store-leases-disk=1w
/ip dhcp-server lease add address=192.168.1.105 always-broadcast=yes client-id=1:22:33:44:AA:D9:01 mac-address=22:33:44:AA:D9:01 server=defconf
/ip dhcp-server lease add address=192.168.1.2 always-broadcast=yes client-id=1:11:22:33:55:E3:DC mac-address=11:22:33:55:E3:DC server=defconf
/ip dhcp-server lease add address=192.168.1.101 client-id=1:1:23:45:6A:9F:50 mac-address=01:23:45:6A:9F:50 server=defconf
/ip dhcp-server lease add address=192.168.1.110 client-id=1:99:44:AC:2D:81:75 mac-address=99:44:AC:2D:81:75 server=defconf
/ip dhcp-server lease add address=192.168.1.50 client-id=1:00:FF:15:A0:AE:3A mac-address=00:FF:15:A0:AE:3A server=defconf
/ip dhcp-server network add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 domain=home.lan gateway=192.168.1.1 netmask=24
/ip dns set allow-remote-requests=yes servers=9.9.9.9
/ip dns static add address=192.168.1.1 name=router.home.lan ttl=1w
/ip dns static add address=192.168.1.2 name=srv.home.lan ttl=1w
/ip dns static add address=192.168.1.105 name=mantis.home.lan ttl=1w
/ip firewall filter add action=drop chain=forward disabled=yes out-interface=vlan10 src-address=192.168.1.50
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="accept www management from any outside IP" dst-port=2000 in-interface=vlan10 protocol=tcp
/ip firewall filter add action=accept chain=input in-interface=vlan10 protocol=ipsec-esp src-address=100.200.250.100
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=vlan10 protocol=udp src-address=100.200.250.100
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=vlan10
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="allow all forwarded ports" connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=vlan10
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vlan10
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward SRV" dst-port=2001 protocol=tcp to-addresses=192.168.1.2 to-ports=8000
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward JIRA TCP port to SRV" disabled=yes dst-port=2002 protocol=tcp to-addresses=192.168.1.2 to-ports=8080
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward JIRA UDP port to SRV" disabled=yes dst-port=2002 protocol=udp to-addresses=192.168.1.2 to-ports=8080
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.50.0/24 src-address=192.168.1.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.50.0/24
/ip firewall service-port set ftp disabled=yes
/ip ipsec identity add peer=ike1-Berlin
/ip ipsec policy add dst-address=192.168.50.0/24 level=unique peer=ike1-Berlin proposal=ike1-Berlin sa-dst-address=100.200.250.100 sa-src-address=11.22.33.44 src-address=192.168.1.0/24 tunnel=yes
/ip route add distance=1 dst-address=192.168.50.0/24 gateway=bridge
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes port=80
/ip service set www-ssl address=0.0.0.0/0 certificate=Certificate_mgmt_Mikrotik disabled=no port=443
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
/system clock set time-zone-name=Europe/Tokyo
/system identity set name=Tokyo-Router
/system routerboard settings set reformat-hold-button=15s
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Router 2:

# Router 2
# Public IP address: 100.200.250.100
# LAN Network: 192.168.50.0/24
#
# oct/05/2020 04:14:56 by RouterOS 6.47.4
# software id = ----------
#
# model = RouterBOARD 1100Dx4
# serial number = 12345ABC67890
/interface bridge add name=bridge
/interface ethernet set [ find default-name=ether1 ] speed=100Mbps
/interface ethernet set [ find default-name=ether2 ] speed=100Mbps
/interface ethernet set [ find default-name=ether3 ] speed=100Mbps
/interface ethernet set [ find default-name=ether4 ] speed=100Mbps
/interface ethernet set [ find default-name=ether5 ] speed=100Mbps
/interface ethernet set [ find default-name=ether6 ] speed=100Mbps
/interface ethernet set [ find default-name=ether7 ] speed=100Mbps
/interface ethernet set [ find default-name=ether8 ] speed=100Mbps
/interface ethernet set [ find default-name=ether9 ] speed=100Mbps
/interface ethernet set [ find default-name=ether10 ] speed=100Mbps
/interface ethernet set [ find default-name=ether11 ] speed=100Mbps
/interface ethernet set [ find default-name=ether12 ] speed=100Mbps
/interface ethernet set [ find default-name=ether13 ] speed=100Mbps
/interface list add name=LAN
/interface list add name=WAN
/interface list add name=WAN-mobil
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile add dh-group=ecp384 dpd-interval=5m enc-algorithm=aes-256 hash-algorithm=sha256 name=ike1-Tokyo
/ip ipsec profile add dh-group=ecp384 dpd-interval=5m enc-algorithm=aes-256 hash-algorithm=sha256 name=ike1-London
/ip ipsec peer add address=11.22.33.44/32 local-address=100.200.250.100 name=ike1-Tokyo profile=ike1-Tokyo
/ip ipsec peer add address=200.74.23.49/32 local-address=100.200.250.100 name=ike1-London profile=ike1-London
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-ctr name=ike1-Tokyo pfs-group=ecp384
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-ctr name=ike1-London pfs-group=ecp384
/ip pool add name=DHCP-Pool1 ranges=192.168.50.10-192.168.50.250
/ip dhcp-server add address-pool=DHCP-Pool1 disabled=no interface=bridge lease-time=1w23h59m59s name=Server-DHCP
/snmp community set [ find default=yes ] addresses=0.0.0.0/0
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/dude set data-directory=diskSSD1/dudeDB enabled=yes
/interface bridge port add bridge=bridge hw=no interface=ether1
/interface bridge port add bridge=bridge hw=no interface=ether2
/interface bridge port add bridge=bridge hw=no interface=ether3
/interface bridge port add bridge=bridge hw=no interface=ether4
/interface bridge port add bridge=bridge hw=no interface=ether5
/interface bridge port add bridge=bridge hw=no interface=ether6
/interface bridge port add bridge=bridge hw=no interface=ether7
/interface bridge port add bridge=bridge hw=no interface=ether8
/interface bridge port add bridge=bridge hw=no interface=ether9
/interface bridge port add bridge=bridge hw=no interface=ether10
/interface bridge port add bridge=bridge interface=ether11
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/interface list member add interface=bridge list=LAN
/interface list member add interface=ether13 list=WAN
/interface list member add interface=ether12 list=WAN-mobile
/ip address add address=100.200.250.100/24 comment="WAN" interface=ether13 network=100.200.250.1
/ip address add address=192.168.50.1/24 comment="Internal main LAN Home" interface=bridge network=192.168.50.0
/ip address add address=192.168.50.252/24 interface=ether11 network=192.168.50.0
/ip dhcp-server lease add address=192.168.50.27 comment=TS200 mac-address=00:11:FF:A4:A0:BC server=Server-DHCP
/ip dhcp-server lease add address=192.168.50.23 comment=DRV mac-address=FF:00:A1:24:F8:80 server=Server-DHCP
/ip dhcp-server lease add address=192.168.50.50 comment=RADIO mac-address=00:1C:C0:29:73:F1 server=Server-DHCP
/ip dhcp-server lease add address=192.168.50.51 comment=RADIO-L mac-address=00:1E:EE:E7:E1:10 server=Server-DHCP
/ip dhcp-server lease add address=192.168.50.22 comment=METEO mac-address=6A:D1:89:80:17:09 server=Server-DHCP
/ip dhcp-server lease add address=192.168.50.21 comment=Alex mac-address=5A:EE:40:C1:78:B0 server=Server-DHCP
/ip dhcp-server lease add address=192.168.50.24 comment=TS99 mac-address=00:11:22:33:44:FF server=Server-DHCP
/ip dhcp-server network add address=192.168.50.0/24 dns-server=192.168.50.1 domain="London LAN" gateway=192.168.50.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8,9.9.9.9
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Management SSL" connection-state=established,related,new dst-port=443 in-interface=ether13 protocol=tcp
/ip firewall filter add action=accept chain=input in-interface=ether13 protocol=ipsec-esp src-address=11.22.33.44
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether13 protocol=udp src-address=11.22.33.44
/ip firewall filter add action=accept chain=input in-interface=ether13 log=yes protocol=ipsec-esp src-address=200.74.23.49
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether13 log=yes protocol=udp src-address=200.74.23.49
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=ether13
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="allow all forwarded ports" connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether13
/ip firewall nat add action=accept chain=srcnat disabled=yes protocol=udp src-port=500,4500
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether13
/ip firewall nat add action=dst-nat chain=dstnat comment=TS200-TCP dst-port=2780 protocol=tcp to-addresses=192.168.50.27 to-ports=2780
/ip firewall nat add action=dst-nat chain=dstnat comment=TS200-UDP dst-port=2780 protocol=udp to-addresses=192.168.50.27 to-ports=2780
/ip firewall nat add action=dst-nat chain=dstnat comment=DRV-TCP dst-port=3770-3780 protocol=tcp to-addresses=192.168.50.23 to-ports=3770-3780
/ip firewall nat add action=dst-nat chain=dstnat comment=DRV-UDP dst-port=3770-3780 protocol=udp to-addresses=192.168.50.23 to-ports=3770-3780
/ip firewall nat add action=dst-nat chain=dstnat comment=TS99-TCP dst-port=1278 protocol=tcp to-addresses=192.168.50.24 to-ports=1278
/ip firewall nat add action=dst-nat chain=dstnat comment=TS99-UDP dst-port=1278 protocol=udp to-addresses=192.168.50.24 to-ports=1278
/ip firewall nat add action=dst-nat chain=dstnat comment=ECHOLINK-UDP dst-port=15198-15199 protocol=udp to-addresses=192.168.50.21 to-ports=15198-15199
/ip firewall nat add action=dst-nat chain=dstnat comment=ECHOLINK-TCP dst-port=15198-15199 protocol=tcp src-port="" to-addresses=192.168.50.21 to-ports=15198-15199
/ip firewall nat add action=dst-nat chain=dstnat comment="YA 1" dst-port=6100 protocol=udp to-addresses=192.168.50.21 to-ports=6100
/ip firewall nat add action=dst-nat chain=dstnat comment="YA 2" dst-port=6110 protocol=udp to-addresses=192.168.50.21 to-ports=6110
/ip firewall nat add action=dst-nat chain=dstnat comment="YA 3" dst-port=6112 protocol=udp to-addresses=192.168.50.21 to-ports=6112
/ip firewall nat add action=dst-nat chain=dstnat comment="YA 4" dst-port=6114 protocol=udp to-addresses=192.168.50.21 to-ports=6114
/ip firewall nat add action=dst-nat chain=dstnat comment="YA 5" dst-port=6120 protocol=udp to-addresses=192.168.50.21 to-ports=6120
/ip firewall nat add action=dst-nat chain=dstnat comment="YA 6" dst-port=6122 protocol=udp to-addresses=192.168.50.21 to-ports=6122
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.50.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.50.0/24 src-address=192.168.1.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.200.0/24 log=yes src-address=192.168.50.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.50.0/24 src-address=192.168.200.0/24
/ip ipsec identity add peer=ike1-Tokyo
/ip ipsec identity add peer=ike1-London
/ip ipsec policy add dst-address=192.168.1.0/24 level=unique peer=ike1-Tokyo proposal=ike1-Tokyo sa-dst-address=11.22.33.44 sa-src-address=100.200.250.100 src-address=192.168.50.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.200.0/24 level=unique peer=ike1-London proposal=ike1-London sa-dst-address=200.74.23.49 sa-src-address=100.200.250.100 src-address=192.168.50.0/24 tunnel=yes
/ip route add comment="Main route out" distance=10 gateway=100.200.250.1
/ip route add comment="Tokyo LAN over VPN from bridge" distance=1 dst-address=192.168.1.0/24 gateway=bridge
/ip route add comment="London LAN over VPN from bridge" distance=1 dst-address=192.168.200.0/24 gateway=bridge
/ip service set www-ssl address=0.0.0.0/0 certificate=Certificate_www_SSL disabled=no port=443 tls-version=only-1.2
/ip smb set domain=berlin.lan
/system clock set time-zone-name=Europe/Berlin
/system identity set name=Berlin-Router

Router 3:

# Router 3
# Public IP address: 200.74.23.49
# LAN Network: 192.168.200.0/24
#
# oct/03/2020 05:05:08 by RouterOS 6.47.4
# software id = ----------
#
# model = RouterBOARD 1100Dx4
# serial number = 53989ABEF54390
/interface bridge add admin-mac=64:D1:54:E0:06:18 auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether11 ] disabled=yes
/interface ethernet set [ find default-name=ether12 ] disabled=yes
/interface list add name=WAN
/interface list add name=LAN
/ip ipsec peer add address=100.200.250.100/32 local-address=200.74.23.49 name=ike1-Berlin
/ip ipsec profile set [ find default=yes ] dh-group=ecp384 dpd-interval=5m enc-algorithm=aes-256 hash-algorithm=sha256 name=ike1-Berlin
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-ctr name=ike1-Berlin pfs-group=ecp384
/ip pool add name=DHCP-PoolLondon1 ranges=192.168.200.10-192.168.200.250
/ip dhcp-server add address-pool=DHCP-PoolLondon1 disabled=no interface=bridge lease-time=1w23h59m59s name=Server-DHCP-London1
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port add bridge=bridge comment=defconf interface=ether1
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=ether6
/interface bridge port add bridge=bridge comment=defconf interface=ether7
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface=ether9
/interface bridge port add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/interface list member add interface=ether13 list=WAN
/interface list member add interface=bridge list=LAN
/ip address add address=200.74.23.49/24 comment="main WAN" interface=ether13 network=200.74.23.1
/ip address add address=200.74.23.50/24 comment="Second WAN" disabled=yes interface=ether12 network=200.74.23.1
/ip address add address=192.168.200.1/24 comment="default LAN Gateway" interface=bridge network=192.168.200.0
/ip address add address=200.74.23.51/24 comment="Third WAN interface" disabled=yes interface=ether11 network=200.74.23.1
/ip address add address=200.74.23.52/24 disabled=yes interface=ether11 network=200.74.23.1
/ip address add address=200.74.23.53/24 disabled=yes interface=ether11 network=200.74.23.1
/ip address add address=192.168.10.10/24 disabled=yes interface=bridge network=192.168.10.0
/ip address add address=192.168.88.69/24 disabled=yes interface=bridge network=192.168.88.0
/ip dhcp-server lease add address=192.168.200.25 comment=Switch1 mac-address=74:79:12:01:48:D8
/ip dhcp-server lease add address=192.168.200.22 comment="Control TS200" mac-address=00:1A:0D:81:8E:04
/ip dhcp-server lease add address=192.168.200.20 comment="IP Video" mac-address=00:00:11:00:B2:B2
/ip dhcp-server lease add address=192.168.200.24 comment="Router Wireless" disabled=yes mac-address=26:11:7C:7E:38:A5
/ip dhcp-server lease add address=192.168.200.21 comment="HD Radio" mac-address=00:60:80:90:02:6F
/ip dhcp-server lease add address=192.168.200.26 comment=IPSkt mac-address=01:95:59:11:E3:85
/ip dhcp-server lease add address=192.168.200.29 comment="Control TS99" mac-address=22:1E:FF:01:87:05
/ip dhcp-server lease add address=192.168.200.23 comment=Switch2 disabled=yes mac-address=FF:EC:FF:11:06:65
/ip dhcp-server lease add address=192.168.200.28 comment="TS99" mac-address=F1:FF:EE:AA:0D:25
/ip dhcp-server lease add address=192.168.200.100 comment="VR London" mac-address=AA:ED:88:BA:22:9F
/ip dhcp-server network add address=192.168.200.0/24 dns-server=192.168.200.1 domain="London LAN" gateway=192.168.200.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8,9.9.9.9
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log=yes
/ip firewall filter add action=accept chain=input comment="Management SSL" connection-state=established,related,new dst-port=443 in-interface-list=WAN log=yes protocol=tcp
/ip firewall filter add action=accept chain=input in-interface=ether13 log=yes protocol=ipsec-esp src-address=100.200.250.100
/ip firewall filter add action=accept chain=input dst-port=500 in-interface=ether13 log=yes protocol=udp src-address=100.200.250.100
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="allow all forwarded ports" connection-nat-state=dstnat
/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related disabled=yes in-interface=ether13
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=accept chain=srcnat disabled=yes protocol=udp src-port=500,4500
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether13
/ip firewall nat add action=dst-nat chain=dstnat comment="WIRE 1 input" dst-address=200.74.23.52 to-addresses=192.168.200.8
/ip firewall nat add action=src-nat chain=srcnat comment="WIRE 1 output" src-address=192.168.200.8 to-addresses=200.74.23.52
/ip firewall nat add action=dst-nat chain=dstnat comment="WIRE 2 input" dst-address=200.74.23.53 to-addresses=192.168.200.9
/ip firewall nat add action=src-nat chain=srcnat comment="WIRE 2 output" src-address=192.168.200.9 to-addresses=200.74.23.53
/ip firewall nat add action=dst-nat chain=dstnat comment="VR HTTPS" dst-address=200.74.23.49 dst-port=2443 in-interface=ether13 protocol=tcp to-addresses=192.168.200.100 to-ports=443
/ip firewall nat add action=src-nat chain=srcnat comment="VR HTTPS Output" protocol=tcp src-address=192.168.200.100 src-port=443 to-addresses=200.74.23.49 to-ports=2443
/ip firewall nat add action=dst-nat chain=dstnat comment="VR TCP" dst-address=200.74.23.49 dst-port=5200 protocol=tcp to-addresses=192.168.200.100 to-ports=5200
/ip firewall nat add action=dst-nat chain=dstnat comment="VR UDP" dst-address=200.74.23.49 dst-port=5220 protocol=udp to-addresses=192.168.200.100 to-ports=5220
/ip firewall nat add action=dst-nat chain=dstnat comment="VR RTSP" dst-address=200.74.23.49 dst-port=5554 protocol=tcp to-addresses=192.168.200.100 to-ports=554
/ip firewall nat add action=dst-nat chain=dstnat dst-port=5443 in-interface=ether13 protocol=tcp to-addresses=192.168.200.2 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat dst-port=5444 in-interface=ether13 protocol=tcp to-addresses=192.168.10.1 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat dst-port=5445 in-interface=ether13 protocol=tcp to-addresses=192.168.200.3 to-ports=80
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.50.0/24 src-address=192.168.200.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.200.0/24 src-address=192.168.50.0/24
/ip ipsec identity add peer=ike1-Berlin
/ip ipsec policy add dst-address=192.168.50.0/24 level=unique peer=ike1-Berlin proposal=ike1-Berlin sa-dst-address=100.200.250.100 sa-src-address=200.74.23.49 src-address=192.168.200.0/24 tunnel=yes
/ip route add comment="Main route out" distance=10 gateway=200.74.23.1 pref-src=200.74.23.49
/ip route add comment="Berlin LAN over VPN from bridge" distance=1 dst-address=192.168.50.0/24 gateway=bridge
/ip service set www-ssl certificate=Certificate_mgmt_Mikrotik disabled=no port=443
/ip smb set domain=london.lan
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
/system identity set name=London-Router

As already stated, Router 1 to Router 2 works with no issues.
Router 2 to Router 3: only the ping between the routers themselves works, nothing on their subnets though. Any other IP activated on the bridge interface of Router 3 renders it unable to ping the Router 2 LAN address (although Router 2 can still ping the Router 3 LAN IP address).

Any pointer would be much appreciated.

Thank you!

Do you control all the routers in your network? Is there any reason why you need to stick to these direct IPsec tunnels and not use the much simpler to configure GRE/IPsec or IPIP/IPsec tunnels?

I do.
Do you have an example?
I have devised this configuration using the Mikrotik wiki "site-to-site over IPsec" article; basically it is pure IPsec, I believe.
Wouldn't adding GRE or IPIP make things even more complicated?

It’s hard to get a grasp of all the different options without an explanatory diagram and how they work on a Mikrotik.

I've previously done VPNs on TP-Links and it took me 1-2 hours to configure them and have the tunnels up and running, but after almost over 10 hours invested in learning how to make VPNs on Mikrotiks and playing with them, I am highly disappointed that they are not running and that it is so hard to make them work (and I have almost 10 years as a telco engineer).

GRE/IPsec is much simpler! You just add the GRE tunnel interfaces on each peer and set an IPsec secret there, so that all IPsec is auto-configured.
Then you add a /30 network address on each tunnel end, and you can then either set static routes for the remote subnets (a.b.c.d/24 gateway e.f.g.h, where e.f.g.h is the address you set on the remote side of the GRE tunnel), or you set up dynamic routing using BGP or OSPF.
An advantage is that you get logical interfaces for each tunnel, so the firewall rules become easier (no need to match IPsec traffic separately, no need to circumvent NAT rules, …)
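The GRE/IPsec layout described in that reply, written out as an added example (not the poster's own commands): the public addresses, LAN subnets and the LAN interface name "bridge" are taken from the export posted above; the /30 tunnel addresses, the interface names and the secret are placeholders assumed for the example.

```routeros
# ---- London side (public 200.74.23.49, LAN 192.168.200.0/24 on "bridge") ----
# The GRE tunnel; ipsec-secret makes RouterOS create the IPsec peer/policy for
# the GRE packets itself. "ChangeMe-PSK" and the names are example values.
/interface gre add name=gre-berlin local-address=200.74.23.49 remote-address=100.200.250.100 ipsec-secret="ChangeMe-PSK" keepalive=10s,10
# Point-to-point /30 on the tunnel (assumed: .1 London, .2 Berlin)
/ip address add address=10.255.0.1/30 interface=gre-berlin
# Static route for the remote LAN through the far end of the /30
/ip route add dst-address=192.168.50.0/24 gateway=10.255.0.2 comment="Berlin LAN via GRE"
# Input: only the IPsec transport from the peer has to reach the router
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 src-address=100.200.250.100 comment="IKE / NAT-T from Berlin" place-before=0
/ip firewall filter add chain=input action=accept protocol=ipsec-esp src-address=100.200.250.100 comment="ESP from Berlin" place-before=0
# Forward: LAN-to-LAN traffic is matched on the logical tunnel interface,
# no ipsec-policy matchers and no notrack rules needed
/ip firewall filter add chain=forward action=accept in-interface=gre-berlin out-interface=bridge comment="Berlin LAN -> London LAN" place-before=0
/ip firewall filter add chain=forward action=accept in-interface=bridge out-interface=gre-berlin comment="London LAN -> Berlin LAN" place-before=0
# The old pure-IPsec policy and the raw notrack rules must not stay active,
# otherwise they still grab the LAN-to-LAN packets before the GRE route does
/ip ipsec policy disable [find peer=ike1-Berlin]
/ip firewall raw disable [find action=notrack]
/ip route disable [find comment="Berlin LAN over VPN from bridge"]

# ---- Berlin side (public 100.200.250.100, LAN 192.168.50.0/24): mirror image ----
/interface gre add name=gre-london local-address=100.200.250.100 remote-address=200.74.23.49 ipsec-secret="ChangeMe-PSK" keepalive=10s,10
/ip address add address=10.255.0.2/30 interface=gre-london
/ip route add dst-address=192.168.200.0/24 gateway=10.255.0.1 comment="London LAN via GRE"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 src-address=200.74.23.49 comment="IKE / NAT-T from London" place-before=0
/ip firewall filter add chain=input action=accept protocol=ipsec-esp src-address=200.74.23.49 comment="ESP from London" place-before=0
/ip firewall filter add chain=forward action=accept in-interface=gre-london out-interface=bridge comment="London LAN -> Berlin LAN" place-before=0
/ip firewall filter add chain=forward action=accept in-interface=bridge out-interface=gre-london comment="Berlin LAN -> London LAN" place-before=0
```

Because LAN-to-LAN packets now leave through the GRE interface rather than ether13, the defconf masquerade rule no longer touches them, and "/interface gre print" plus "/ip ipsec active-peers print" show at a glance whether the tunnel and its IPsec SAs are up.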

I’ll give that a try. But still, what is wrong in my configuration I’ve posted above?

I’m looking at this option here, to make L2TP/IPsec between the 2 sites, instead of pure IPsec, and there is one thing I do not understand exactly:
why do I need to configure a l2tp-pool, and ppp profile with local address?
I don't want to assign a secondary IP to the devices in the other subnet; I want them to have their own IP, and both of them accessible from both the Router 2 subnet and the Router 3 subnet.
Is that actually the case with this L2TP, or not really?

That is not standard IP routing. You normally have a different IP address on each of your interfaces, in this case your LAN interfaces and your tunnel endpoints.
In case of L2TP/IPsec there would be a separate subnet where the central router has an IP address (I put it on a separate bridge without any ports) and each client receives their IP from the server, either via a pool or via a static assignment as the “remote address” in the secret.
These addresses are then used in the routing between the networks assigned to the LAN interfaces.

That is all just IP routing 101. When you “want to do it differently”, you will likely encounter all kinds of issues along the way.

I can confirm that I haven’t found anything wrong in your firewall rules. You do have the action=notrack rules in raw, you do have the “accept untracked” rule in chain=forward of filter, your policies do not overlap in any way, and reception of ipsec-esp from the peer’s IP is permitted in the firewall at both ends.

But there is another point - I usually create a dedicated bridge with no member ports (so it is always up no matter what happens to the member ports) to be used as the gateway for the route to the remote subnet(s) which need to be handled by the policies (as there must be some route so that the packet can be matched by a policy, and I don't want the packets to leak out through the default route if the VPN is down). So I wonder whether there might be some unusual behaviour due to the fact that you use the same interface through which the packet from the LAN comes in as the gateway to route it out. Maybe you could give it a try and create a "br-blackhole" bridge and use it as the gateway for the route to the remote subnet instead of the LAN bridge (at both ends, so that it makes sense)?

It doesn't make sense, it should work. I'll try some of the proposed setups, overcomplicated as they are, and see what I get.

Update here: I wanted to try it now, and the tunnel seemed up, although the traffic counter of the Router 2 → Router 3 policy was increasing like crazy. The port-forwarded web management was not working from Router 3. SSH from Router 2 worked though.
I logged in, rebooted Router 3.
Stopped Dude Server on Router 2.

Router 3 booted, and now all is up, tunnel is up, I can ping any IPs between subnet 2 and 3…

And it's not like I haven't restarted the router before. Is it possible the ISP was blocking the tunnel?

All my assumptions were based on the fact that you wrote that you could ping between routers’ internal private addresses, and that only communication between LAN subnets didn’t work. If I’ve understood that part correctly, blocking by ISP could not have been the reason.