I'm currently trying to set up IPsec tunnels from 2 remote sites that are using a FritzBox, to a MikroTik RB3011. The goal is to allow machines connected to those access to a server on the MikroTik side.
I have the IPsec tunnels connected and I can see the packets arrive from a machine on the remote site. With Torch as well as the firewall rule 'action=log chain=forward ipsec-policy=in,ipsec log=yes log-prefix=IPSEC'. I do not see any arrive at the target server though.
I don't see any log entries appear for the rule 'action=log chain=forward ipsec-policy=out,ipsec log=yes log-prefix=IPSEC' either. This rule also doesn't trigger if I ping from the server to the remote.

Now what I think is relevant here is that on the RB3011 side, all connected machines are in a VLAN with an isolated subnet. There is no '0' VLAN or untagged VLAN active.
This means that the packet coming from the remote system basically has the following route to take:
Remote PC <-----> Remote Router (IPsec tunnel) <-----> RB3011 (IPsec tunnel) <-----> VLAN <-----> Server
I've tried with the FritzBox set up as s2s (where the FritzBox remote network value == server VLAN's subnet) and as a rw (mode-config with IPsec dedicated pool). The behaviour did not change.

How it looks to me is that the line 'RB3011 (IPsec tunnel) <-----> VLAN' is the problem point in the connection from/to the remote and the server.
I have no background in networking though so this is where I've reached the limits of my IPsec and/or MikroTik understanding so here we are.

Does anyone here have experience with such a config or know how to set this up?
I've also tried to take the following actions in an attempt to fix this:
- Add/Remove notrack prerouting raw rule for the remote IPsec addresses (both a src and/or dst one)
- Add/Remove NAT accept rule for the remote IPsec addresses (both a src and/or dst one)
- Add/Remove firewall allow rules for the remote IPsec addresses (both a src and/or dst one)
- Disable fasttrack rules
- Pretty much all combinations of the above.


As an extra FYI; an IPsec+L2TP setup works perfectly fine (I use this for another rw setup) but from what I can tell that is solely because the L2TP connections are using routing instead of policy matching.
Using L2TP (or any other tunneling over IPsec) is not an option for the FritzBox connections though as these router only support IPsec in either s2s or as rw (client mode)...

After a bit more work, it turned out that the packet not reaching the server was actually caused by a routing conflict on the target system. Another network was actually hooked up with a direct line instead of an IPsec tunnel over the internet and was using the same IP range as one of the tunnels. This was resolved.
As a result, the packets from the remote system are now reaching the target server perfectly fine.

The connections are still not established though. I can now see the packet arrive at the server and see that the server sends a response but I do not see this response arrive at the initiating client.
I also still don't see the IPsec out log firewall rule trigger when initiating a connection from the server to the client. I do see the src and dst for said connection on the server's VLAN interface in Torch.

EDIT:
I currently have the following rules set up (used quote blocks as opposed to code as for some reason the post seems to completely break apart when using code blocks...).
MANGLE

0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 ;;; Mark IPsec
chain=prerouting action=mark-connection new-connection-mark=ipsec passthrough=yes log=no log-prefix=""
ipsec-policy=in,ipsec
4 chain=postrouting action=mark-connection new-connection-mark=ipsec passthrough=yes log=no log-prefix=""
ipsec-policy=out,ipsec

NAT

0 ;;; IPsec NAT bypass
chain=srcnat action=accept connection-mark=ipsec log=no log-prefix=""
1 ;;; LAN to WAN (dynamic)
chain=srcnat action=masquerade out-interface=pppoe1 log=no log-prefix=""

Then for IPsec I modified the fasttrack rules to exclude the marked connections:

4 ;;; fasttrack established,related (!ipsec)
chain=forward action=fasttrack-connection connection-state=established,related
connection-mark=!ipsec log=no log-prefix=""
5 chain=input action=fasttrack-connection connection-state=established,related
connection-mark=!ipsec log=no log-prefix=""

In addition I also adapted the bogon drop filter to exclude the marked ipsec connections:

10 ;;; drop bogons from WAN (!ipsec)
chain=forward action=drop src-address-list=BOGONS connection-mark=!ipsec
in-interface=pppoe1 log=yes log-prefix="IPV4 BOGON"
11 chain=input action=drop src-address-list=BOGONS connection-mark=!ipsec
in-interface=pppoe1 log=yes log-prefix="IPV4 BOGON"
12 ;;; drop bogons to WAN (!ipsec)
chain=forward action=drop dst-address-list=BOGONS connection-mark=!ipsec
out-interface=pppoe1 log=yes log-prefix="IPV4 BOGON"
13 chain=output action=drop dst-address-list=BOGONS connection-mark=!ipsec
out-interface=pppoe1 log=yes log-prefix="IPV4 BOGON"

For testing purposes I've currently set all IPsec traffic as allowed:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=accept connection-mark=ipsec log=no log-prefix=""
2 chain=input action=accept connection-mark=ipsec log=no log-prefix=""
3 chain=output action=accept connection-mark=ipsec log=no log-prefix=""