I’ve got a VPN (IPSec Site to Site) setup between two offices and it works great. I also have a static nat (port forward) on the external interface of my office for port 9100 that works as expected.
External if: forward 9100 to 10.0.0.151 on LAN for remote printing.
There is another printer located at 10.0.0.152 on the lan.
The server on the other end of the IPSec tunnel (192.168.1.111) sends traffic to 10.0.0.152:9100 and the router directs it to 10.0.0.151:9100
I’m baffled. I’ll post my config here after I sanitize it.
# oct/29/2015 17:41:23 by RouterOS 6.32.2
# software id = TDAR-4EY2
#
/interface bridge
add admin-mac=E4:8D:8C:29:A1:C5 auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=8h pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
/ip address
add address=10.0.0.100/24 comment="default configuration" interface=bridge-local network=10.0.0.0
add address=x.x.x.93/29 interface=ether1-gateway network=x.x.x.88
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" gateway=10.0.0.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,75.75.75.75
/ip dns static
add address=10.0.0.100 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 log=yes log-prefix=IPSEC-OUT src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=9100 in-interface=ether1-gateway log=yes protocol=tcp to-addresses=10.0.0.151 to-ports=9100
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=x.x.x.162/32 enc-algorithm=3des exchange-mode=aggressive lifetime=8h nat-traversal=no secret=xxxxxxxxxxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=x.x.x.162 sa-src-address=x.x.x.93 src-address=10.0.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=x.x.x.94
add distance=1 dst-address=192.168.1.0/24 gateway=ether1-gateway
/lcd
set default-screen=informative-slideshow
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
Log
13:57:55 firewall,info dstnat: in:ether1-gateway out:(none), src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36078->10.0.0.152:9100, len 60
13:57:55 firewall,info IPSEC-IN srcnat: in:(none) out:bridge-local, src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36078->10.0.0.151:9100, NAT 192.168.1.111:36078->(10.0.0.152:9100->10.0.0.151:9100), len 60
13:57:59 firewall,info dstnat: in:ether1-gateway out:(none), src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36079->10.0.0.152:9100, len 60
13:57:59 firewall,info IPSEC-IN srcnat: in:(none) out:bridge-local, src-mac 76:54:7d:91:5d:0a, proto TCP (SYN), 192.168.1.111:36079->10.0.0.151:9100, NAT 192.168.1.111:36079->(10.0.0.152:9100->10.0.0.151:9100), len 60
At a guess, I would say that your inbound NAT rule for the printer is either not specific enough.
Add your wan address as the dst-address (not the to-address) of you Nat rule. Specifying just the incoming interface will catch IPSec traffic as well as Internet traffic.