wonderlan
Joined: Mon Jun 20, 2005 12:51 am

Massive IPSec Problem

Fri Oct 14, 2005 3:00 am

Still having massive problems with IPSec here.

My IPSec tunnels will come up, as in the policy will get generated and an SA installed for both in and out; however, from inside my LAN on the MikroTik I cannot ping or communicate at all with the remote LANs. Oddly enough, though, from my remote LANs they can ping into my MikroTik's LAN...

Furthermore, when I watch the statistics of the IPSec policy, when the remote LAN pings in I see the reply packet encrypted; when I try to ping out from the LAN here to the remote LAN, nothing gets encrypted! Are there some better tools for me to inspect what the hell is going on?

It's driving me insane, please help.

I can be contacted here or at jtaylor*AT*wonderlan.net

:: Interfaces ::

[admin@MikroTik] interface> print detail
Flags: X - disabled, D - dynamic, R - running
0 R name="C1_P1_T1_Uplink" mtu=1500 type=ether rx-rate=0 tx-rate=0

1 R name="C1_P2_Client_WAN" mtu=1500 type=ether rx-rate=0 tx-rate=0

2 R name="C1_P3_WLC_DMZ" mtu=1500 type=ether rx-rate=0 tx-rate=0

3 R name="C1_P4_LAN" mtu=1500 type=ether rx-rate=0 tx-rate=0

4 R name="T1 Bridge" mtu=1500 type=bridge rx-rate=0 tx-rate=0
[admin@MikroTik] interface> eth
[admin@MikroTik] interface ethernet> print detail
Flags: X - disabled, R - running
0 R name="C1_P1_T1_Uplink" mtu=1500 mac-address=00:0C:42:02:2C:E2 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

1 R name="C1_P2_Client_WAN" mtu=1500 mac-address=00:0C:42:02:2C:E3 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

2 R name="C1_P3_WLC_DMZ" mtu=1500 mac-address=00:0C:42:02:2C:E4 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

3 R name="C1_P4_LAN" mtu=1500 mac-address=00:0C:42:02:2C:E5 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps


:: IPSEC ::

[admin@MikroTik] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
0 D src-address=192.168.168.0/24:any dst-address=10.208.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=12.145.155.2 sa-dst-address=69.17.100.66 proposal=default
dont-fragment=clear

[admin@MikroTik] ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x8A605102 direction=in src-address=69.17.100.66
dst-address=12.145.155.2 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="472bfcf8c52525fbc5c2bc8d0f4924c8"
enc-key="c18aec37ddb7b4ce96d7e6fb33271032f6dc28519d3b4532"
add-lifetime=6h24m/8h use-lifetime=0s/0s lifebytes=0/0
current-addtime=oct/14/2005 00:30:14
current-usetime=oct/14/2005 00:30:25 current-bytes=72

1 E spi=0xB6AB6B3B direction=out src-address=12.145.155.2
dst-address=69.17.100.66 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="6403fdad483708ff8e8985d214bc49f7"
enc-key="d8ffd5d5c5b217598ba3c0323b97b8ae1647ac446061c793"
add-lifetime=6h24m/8h use-lifetime=0s/0s lifebytes=0/0
current-addtime=oct/14/2005 00:30:14
current-usetime=oct/14/2005 00:30:25 current-bytes=72


:: NAT Rules ::
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.168.0/24 packet-mark=!VPN
action=masquerade


:: Marking Rules ::

Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward dst-address=10.13.11.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

1 chain=prerouting dst-address=10.208.1.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

2 chain=prerouting dst-address=192.168.0.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

3 chain=prerouting dst-address=10.13.8.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

... a lot more related to NetBIOS, HTTP, HTTPS, and so on
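Outbound traffic that gets masqueraded before the IPsec policy is consulted no longer has a source in 192.168.168.0/24, so it never matches the policy and leaves in the clear; that is what the packet-mark=!VPN condition on the srcnat rule is there to prevent. The following Python example is added here and is not code from the post or from MikroTik: it transcribes the policy, srcnat and mangle rules printed above into plain data, assumes RouterOS's evaluation order (mangle prerouting and forward, then srcnat, then IPsec policy matching), and reports whether a given LAN-to-remote flow would still be encrypted, including the case where the mark rule for a remote subnet is missing.

```python
import ipaddress

# Rules transcribed from the post into plain data (constructed here, not read
# from the router). Only the fields the flow check needs are kept.
POLICY = {"src": "192.168.168.0/24", "dst": "10.208.1.0/24"}
MANGLE = [  # (chain, dst-address, new-packet-mark), in the order printed
    ("forward", "10.13.11.0/24", "VPN"),
    ("prerouting", "10.208.1.0/24", "VPN"),
    ("prerouting", "192.168.0.0/24", "VPN"),
    ("prerouting", "10.13.8.0/24", "VPN"),
]
SRCNAT = {"src": "192.168.168.0/24", "skip_mark": "VPN"}  # packet-mark=!VPN masquerade


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def packet_mark(dst, mangle=MANGLE):
    """Mark a LAN->remote forwarded packet carries when it reaches srcnat.
    Assumption: mangle prerouting and mangle forward both run before srcnat, so
    both chains count; every rule sets the same mark, so passthrough order is moot."""
    for chain, net, mark in mangle:
        if chain in ("prerouting", "forward") and _in(dst, net):
            return mark
    return None


def check_flow(src, dst, mangle=MANGLE):
    """Classify an outbound flow:
    'encrypted'         - reaches the IPsec policy with its LAN source intact
    'masqueraded-first' - srcnat rewrote the source to the public IP, so the
                          policy src-address no longer matches (nothing encrypted)
    'no-policy'         - no policy covers this src/dst pair at all
    """
    masqueraded = _in(src, SRCNAT["src"]) and packet_mark(dst, mangle) != SRCNAT["skip_mark"]
    if _in(src, POLICY["src"]) and _in(dst, POLICY["dst"]):
        return "masqueraded-first" if masqueraded else "encrypted"
    return "no-policy"


if __name__ == "__main__":
    print(check_flow("192.168.168.10", "10.208.1.5"))  # encrypted
    # Same flow if the prerouting mark rule for 10.208.1.0/24 were missing:
    no_rule = [r for r in MANGLE if r[1] != "10.208.1.0/24"]
    print(check_flow("192.168.168.10", "10.208.1.5", no_rule))  # masqueraded-first
```

With the rules exactly as printed, the model says the 10.208.1.0/24 flow is exempted from masquerade and should match the policy, so the check is most useful for confirming that every remote subnet has a matching mark rule before looking elsewhere.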
