Strange issue with IPSEC

Hello all ,

I'm breaking my head for about 2-3 hours troubleshooting connectivity issues between a Check Point virtual firewall and a MikroTik CHR. I have created an IPsec tunnel between them. The topology is very simple: a virtual machine on the LAN network behind the Check Point and the same on the MikroTik side. No traffic is passing.

So the tunnel is up; I can see the active peer is online and also the installed SAs for all the sources and destinations. I'm running ping to both sides but nothing is passing. Firewall to the servers behind the routers is offline. I can see traffic passing through the counters of the SAs and also in the active peer.

Running Wireshark on the server behind the MikroTik, I can see ICMP coming from the remote site.
Running Wireshark on the Check Point side, no traffic is coming from the MikroTik, nothing at all.

Any ideas maybe ?

Policy problem, src-nat problem (masquerade).

Do you have a src-nat rule on the MikroTik that says: if packets are destined to the remote side's subnet, then accept the packet?
Put that rule above your masquerade rule. Otherwise your packet destined to the remote side will have its src IP replaced with your public IP, and the remote IPsec device will determine that no such policy exists for that src IP.

In this diagram: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#IPsec_Encryption.2FDecryption
Follow the green arrows, then the orange. Your ICMP packet makes it to post-routing, which is where the masquerade happens. Then it gets wrapped in the IPsec tunnel headers and sent out. You need to stop the masquerading with another src-nat rule. I think that's the case…
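As an added example (not posted by either participant in this thread), here is the RouterOS configuration the reply describes: an accept rule in the srcnat chain placed above masquerade, so traffic for the remote site keeps its original source address and still matches the IPsec policy selectors. The subnets (192.168.88.0/24 behind the CHR, 10.10.10.0/24 behind the Check Point) and the WAN interface name ether1 are constructed for the example; substitute your own.

```routeros
# Added example, not from the thread. Assumed addressing (constructed):
#   LAN behind the MikroTik CHR : 192.168.88.0/24
#   LAN behind the Check Point  : 10.10.10.0/24
#   WAN interface on the CHR    : ether1
#
# IPsec policies select traffic by its ORIGINAL source/destination addresses.
# A packet that matches action=accept in the srcnat chain leaves the chain
# untranslated, so the accept rule must come before the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept \
    src-address=192.168.88.0/24 dst-address=10.10.10.0/24 \
    comment="IPsec bypass: do not NAT traffic for the remote site"
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="Masquerade everything else to the Internet"

# If a masquerade rule already existed before the accept rule was added,
# move the accept rule to the top of the chain so it is evaluated first:
# /ip firewall nat move [find comment="IPsec bypass: do not NAT traffic for the remote site"] destination=0

# Alternative on RouterOS builds that support the ipsec-policy matcher:
# let the masquerade rule itself skip anything that matches an outbound
# IPsec policy (use one approach or the other, not both).
# /ip firewall nat
# add chain=srcnat action=masquerade out-interface=ether1 ipsec-policy=out,none

# Checks after applying:
# 1. Rule order and hit counters; pings from the LAN host to the remote LAN
#    should increment the accept rule, not the masquerade rule.
/ip firewall nat print stats
# 2. The policy selectors must match the untranslated LAN subnets on both ends.
/ip ipsec policy print
```

With the accept rule in place, the packet reaches post-routing unchanged, so the policy lookup on the remote Check Point sees the expected 192.168.88.0/24 source instead of the CHR's public address.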