I'm trying to establish an IPSEC site-to-site VPN from
Site 1, initiator, public dynamic ip address, RB5009
slow LTE internet connection
to
Site 2, responder, CCR2004 with private ip, behind a provider rb750 with fixed public ip address
CCR2004 is an "exposed host" but doesn't have the public ip
Previously we had a Zyxel USG 210 instead of CCR2004 and the VPS was working decently.
When changing from USG to CCR, we just copied the IPsec settings from the RB5009 to the CCR.
After replacing the USG with a CCR, the VPN traffic seems slow from site 2 to site 1 (17Mbps compared to 32Mbps bypassing VPN), and is almost not working from site 1 to site 2 (0.2Mbps average compared to 10Mbps bypassing VPN).
Both the RB5009 and CCR2004 have more or less the "building advanced firewall" configuration from the Mikrotik web site.
The CCR2004 accepts input UDP 500,4500; both accept forward in/out IPSEC before the fasttrack.
I ask myself if the fact that the CCR is behind the rb750, and the Local Address in IPSEC active peers is a private IP, requires some special NAT/filter rule.
Where can I start to investigate the issue?