Hello Friends!
I have followed a guide to set up an IPsec VPN tunnel between two MikroTik routers. Now let's get to the facts:
- tunnel is up and connected, showing as connected from both sides
- I can see the correct routes; PING works from both sides
- I can telnet from one site to the other, for instance the mail server on port 25 works
- I can request websites from the remote site to the datacenter
The problem now is that if I try to connect to a website from the datacenter side of the tunnel towards the remote site, I cannot: the connection does not get refused, it just times out (for instance, if I request a wrong port, the connection actually is refused). If I request a website by DNS name, it is resolved correctly (from the remote DNS server, so port 53 obviously works). Basically I can request services on different ports, but as soon as I hit HTTP(S) in a browser, I get nowhere. Any thoughts on this? The relevant config is below.
TIA, rgD
From the datacenter router (111 for easier understanding):
/ip ipsec peer
add name=l2tpserver passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 nat-traversal=no
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 nat-traversal=no
/ip ipsec peer
add address=999.999.999.999/32 exchange-mode=ike2 name=RTR_999 port=500 profile=profile1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal1 pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver secret=999
add peer=RTR_999 secret=999
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=10.0.9.0/24 peer=RTR_999 sa-dst-address=999.999.999.999 sa-src-address=111.111.111.111 src-address=10.0.1.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related dst-address=10.0.1.0/24 src-address=10.0.9.0/24
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=25 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.9.0/24 src-address=10.0.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=111.111.111.111 dst-port=25 protocol=tcp to-addresses=10.0.1.253 to-ports=25
add action=dst-nat chain=dstnat dst-address=111.111.111.111 dst-port=443 protocol=tcp to-addresses=10.0.1.252 to-ports=443
From the remote router (999 for easier understanding):
/ip ipsec peer
add address=111.111.111.111/32 exchange-mode=ike2 name=RTR_111 port=500
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip ipsec identity
add notrack-chain=prerouting peer=RTR_111 secret=111
/ip ipsec policy
add dst-address=10.0.1.0/24 level=unique peer=RTR_111 sa-dst-address=111.111.111.111 sa-src-address=999.999.999.999 src-address=10.0.9.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related disabled=yes dst-address=10.0.9.0/24 src-address=10.0.1.0/24
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=related
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=input dst-port=443 protocol=tcp
add action=drop chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.1.0/24 src-address=10.0.9.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=999.999.999.999 dst-port=443 protocol=tcp to-addresses=10.0.9.252 to-ports=443
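The symptom pattern in the post (small exchanges such as ping, DNS, the SMTP banner and a refused port all work, but a full HTTP(S) page fetch hangs) is the one a practitioner would first test for a path-MTU problem through the ESP tunnel, where the TCP handshake completes but full-size data segments never arrive. The RouterOS commands below are an added example, not part of the original post or of any vendor guide: they probe the tunnel with do-not-fragment pings, watch the stalled connection, and apply the usual MSS-clamping mitigation. Assumptions: 10.0.9.252 is taken from the remote router's disabled dst-nat rule as the HTTPS host on the remote LAN; 10.0.1.1 is a placeholder for the datacenter router's own 10.0.1.0/24 address (not given in the post) so the probe matches the policy's src-address selector; the probe sizes 1400 and 1300 and the MSS value 1360 are illustrative, and that the cause is PMTU at all is a hypothesis to be confirmed by the probes, not something the post establishes.

```routeros
# Run on the datacenter router (111). Added example, not from the original post.
# 10.0.1.1 is an ASSUMED placeholder for this router's LAN address; without a
# 10.0.1.0/24 source the ping would leave from the WAN IP and never match the
# IPsec policy (src-address=10.0.1.0/24), so it would not go through the tunnel.

# Check 1: does a full-size packet survive the tunnel with DF set?
# 1400 and 1300 are arbitrary probe sizes. If 1300 answers and 1400 times out,
# the usable MTU through the tunnel is below what the LAN hosts assume.
/ping 10.0.9.252 src-address=10.0.1.1 size=1400 do-not-fragment count=3
/ping 10.0.9.252 src-address=10.0.1.1 size=1300 do-not-fragment count=3

# Check 2: while a LAN host has the browser request hanging, look at the flow.
# A connection stuck in SYN/established with tiny byte counters, and a sniffer
# that shows the handshake but no data-carrying segments coming back, points the
# same way (10.0.9.252 is the HTTPS host from the remote router's dst-nat rule).
/ip firewall connection print where dst-address~"10.0.9.252:443"
/tool sniffer quick ip-address=10.0.9.252 port=443 duration=20

# Mitigation (only if the checks above confirm it): clamp TCP MSS on SYNs that
# enter or leave an IPsec policy, on BOTH routers. 1360 leaves room for ESP and
# IKEv2/NAT-T overhead on a 1500-byte WAN; new-mss=clamp-to-pmtu is the
# alternative once ICMP fragmentation-needed is known to pass end to end.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=out,ipsec \
    action=change-mss new-mss=1360 comment="MSS clamp, traffic entering IPsec"
add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=in,ipsec \
    action=change-mss new-mss=1360 comment="MSS clamp, traffic leaving IPsec"
```

Both mangle rules belong on the remote router (999) as well, since the return path into 10.0.9.0/24 is the one that stalls. If the 1400-byte DF ping succeeds, the MTU hypothesis is wrong and the next place to look is the forward chain and the `/ip ipsec installed-sa` and `/ip ipsec policy print` counters on both sides, rather than adding MSS rules.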