atatdotdot
just joined
Topic Author
Posts: 4
Joined: Tue Apr 13, 2010 6:50 pm

IPSec tunnel subnet problem

Wed Feb 16, 2011 1:53 pm

I have recently replaced a Snapgear (FreeS/WAN-based Linux router) with a Mikrotik RB750 for an IPSec tunnel, and I am having problems with the routing.

I have a slightly unusual setup whereby the network at the remote end includes the network at the local end:

10.0.2.0/24 <===> 10.0.0.0/8

The Snapgear automatically handled this, because it uses the routing table for IPSec, and the local route takes precedence, but the RB750 seems to be sending traffic destined for itself down the tunnel too, and not replying locally. E.g. the RB750's inside IP is 10.0.2.1/24, with client 10.0.2.202; the client can ping devices on the remote network (e.g. 10.0.0.1, 10.4.12.3, etc.) and also on the internet (masqueraded), but cannot ping or otherwise connect to 10.0.2.1 itself.

I presume I need to add some sort of rule to the firewall to accept this incoming traffic before it is allowed to pass through to the IPSec policy. I have studied the packet flow diagram http://wiki.mikrotik.com/wiki/Manual:Packet_Flow but unfortunately I don't understand enough about it to work out what rule to add. Can anyone help, please?

Thanks.
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPSec tunnel subnet problem

Wed Feb 16, 2011 8:02 pm

I have the very same problem and haven't found any real solution for it yet. So far I have 'solved' it by using the address of the WAN interface to access the router, even from the inside, and also used it as the DNS address. It works, but ain't pretty.
 
sloop
just joined
Posts: 7
Joined: Mon Jun 05, 2006 12:54 am

Re: IPSec tunnel subnet problem

Sat May 28, 2011 1:06 am

You have to add a new IPsec policy for traffic from the Mikrotik IP to the LAN. See my post here: http://forum.mikrotik.com/viewtopic.php ... 1&p=265385
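The fix sloop describes, written out as RouterOS CLI (an added example, not configuration from the thread or from MikroTik). It uses the original post's addresses (router 10.0.2.1/24, tunnel 10.0.2.0/24 <-> 10.0.0.0/8) and goes slightly beyond sloop's router-to-LAN policy by exempting all traffic that stays inside 10.0.2.0/24; the WAN and peer addresses, the proposal name and the comments are placeholders.

```routeros
# Added example. Router LAN IP 10.0.2.1/24, tunnel 10.0.2.0/24 <-> 10.0.0.0/8
# as in the original post. <WAN-IP>, <PEER-WAN-IP> and the proposal are
# placeholders, not values from the thread.

# 1. Exempt traffic that never leaves the local subnet from IPsec. This covers
#    the router's own replies (10.0.2.1 -> 10.0.2.202), which the broad
#    10.0.0.0/8 policy would otherwise push into the tunnel.
/ip ipsec policy add src-address=10.0.2.0/24 dst-address=10.0.2.0/24 \
    action=none comment="local LAN, never encrypt"

# 2. The site-to-site policy for everything else in 10.0.0.0/8.
/ip ipsec policy add src-address=10.0.2.0/24 dst-address=10.0.0.0/8 \
    sa-src-address=<WAN-IP> sa-dst-address=<PEER-WAN-IP> \
    tunnel=yes action=encrypt proposal=default comment="to remote site"

# 3. Policies are matched top-down, so the exemption must sit above the tunnel
#    policy. Check the order and move it to the top if it is not already there.
/ip ipsec policy print
/ip ipsec policy move [find comment="local LAN, never encrypt"] 0

# 4. From a LAN client, ping 10.0.2.1 should now be answered locally, while
#    ping 10.0.0.1 still traverses the tunnel (the encrypt policy's packet
#    counters in "/ip ipsec policy print stats" keep rising, the exempt
#    policy's counters rise only for local traffic).
```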