Fri Jul 05, 2019 8:58 pm
You have not posted enough of your Mikrotiks' configurations, but as you only describe the dst-nat part of the setup at the rightmost Mikrotik, I assume you haven't thought deeply enough about the routing on the complete path.
The PC is on some external address, so when it sends a packet to the "public" IP of the rightmost Mikrotik, the dst-nat rule on that Mikrotik changes the destination address to the one of the leftmost Mikrotik. To match the packet and deliver it to the leftmost Mikrotik, the IPsec policy you use between the Mikrotiks would have to have 0.0.0.0/0 as src-address at the rightmost Mikrotik and as dst-address on the leftmost Mikrotik. If it did, all traffic of the leftmost Mikrotik would be redirected via the rightmost one, which is probably not what you have set up.
Even if the request packet somehow made it to the leftmost Mikrotik, the response packet from the leftmost Mikrotik would take the default route because no other route towards the PC's address exists on the leftmost Mikrotik, so the packet would arrive at the PC but src-nated to the public IP behind which the leftmost Mikrotik is placed, so the PC wouldn't recognize it as a response to its request.
So post both configurations so that we can suggest a solution instead of guessing what mistakes you may have made. See a hint on anonymisation in my automatic signature below.
But as a quick shot, as your NAT rules with action=accept suggest that you use an IPsec policy just between 192.168.200.0/24 and 192.168.100.0/24, try to add the following rule right before the final action=masquerade one in chain=srcnat of /ip firewall nat:
chain=srcnat action=src-nat dst-address=192.168.200.1 connection-nat-state=dstnat protocol=tcp dst-port=8291 to-addresses=192.168.100.1
Also, change the to-addresses in the dst-nat rule from 192.168.0.30 to 192.168.200.1.
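
Added example, not part of the original post: a small Python model of the path described above, showing which packets the IPsec policy selects before and after the two suggested changes. The policy direction (192.168.100.0/24 local to the rightmost Mikrotik), the PC and public addresses, and all function names are assumptions made for illustration.

```python
import ipaddress as ip

# Assumed policy on the rightmost MikroTik; the leftmost holds the mirror image.
POLICY_SRC = ip.ip_network("192.168.100.0/24")
POLICY_DST = ip.ip_network("192.168.200.0/24")
WINBOX_PORT = 8291

# Constructed sample: external PC connecting to the rightmost MikroTik's public IP.
SAMPLE = {"src": "203.0.113.10", "dst": "198.51.100.2", "proto": "tcp",
          "dport": WINBOX_PORT, "nat_state": None}

def dst_nat(pkt, to_address):
    """dst-nat on the rightmost MikroTik: rewrite the destination, mark the connection."""
    return {**pkt, "dst": to_address, "nat_state": "dstnat"}

def src_nat(pkt, enabled):
    """The src-nat rule from the post; every matcher must hit before the source changes."""
    if (enabled and pkt["nat_state"] == "dstnat" and pkt["dst"] == "192.168.200.1"
            and pkt["proto"] == "tcp" and pkt["dport"] == WINBOX_PORT):
        return {**pkt, "src": "192.168.100.1"}
    return pkt

def in_policy(pkt):
    """True when the IPsec policy selects the packet (evaluated after src-nat)."""
    return (ip.ip_address(pkt["src"]) in POLICY_SRC
            and ip.ip_address(pkt["dst"]) in POLICY_DST)

def trace(pkt, to_address, with_src_nat):
    """Run a request through dst-nat and src-nat; return (enters tunnel, final packet)."""
    out = src_nat(dst_nat(pkt, to_address), with_src_nat)
    return in_policy(out), out

def reply_path(request):
    """Path the leftmost MikroTik picks for the reply, keyed on the request's source."""
    in_remote_subnet = ip.ip_address(request["src"]) in POLICY_SRC
    return "ipsec" if in_remote_subnet else "default-route"

if __name__ == "__main__":
    cases = [("192.168.0.30", False), ("192.168.200.1", False), ("192.168.200.1", True)]
    for to_address, with_src_nat in cases:
        tunneled, out = trace(SAMPLE, to_address, with_src_nat)
        print(f"to-addresses={to_address} src-nat={with_src_nat}: "
              f"{out['src']} -> {out['dst']} tunnel={tunneled} reply={reply_path(out)}")
```
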