routing between LANs through an IPsec without NAT
Posted: Wed Feb 18, 2015 2:01 pm
by andrace
Can somebody explain to me why, when I made an IPsec channel between LANs, on one side I am getting all connections from the remote LAN with the same IP for all clients? I suspect that a NAT rule is working, but how can I get the clients' original IP addresses?
Re: routing between LANs through an IPsec without NAT
Posted: Wed Feb 18, 2015 2:21 pm
by BartoszP
add chain=srcnat comment="Pass VPN_2_VPN" dst-address=192.168.0.0/16 src-address=192.168.0.0/16
IMHO you should have a similar rule at the top of your rules to prevent packets from being masqueraded.
This particular rule is taken from a central router with 192.168.1.x/24 which is the concentrator for some IPsec tunnels with 192.168.x.0/24 subnets.
This rule passes all traffic between all IPsec tunnels.
At each subnet there are rules like:
add chain=srcnat comment="Pass VPN_2_VPN" dst-address=192.168.0.0/16 src-address=192.168.xxx.0/24
Re: routing between LANs through an IPsec without NAT
Posted: Wed Feb 18, 2015 4:36 pm
by andrace
But I had such a rule, and I added another one:
0 chain=srcnat action=accept src-address=192.168.111.0/24 dst-address=192.168.0.0/16 log=no log-prefix="111______"
1 chain=srcnat action=accept src-address=192.168.0.0/16 dst-address=192.168.111.0/24 log=no log-prefix="112__"
but it did not help.
I have a server 192.168.111.5, and all incoming connections from 192.168.x.x/24 have the IP address 192.168.111.1 (it is the local address of the MikroTik).
Re: routing between LANs through an IPsec without NAT
Posted: Wed Feb 18, 2015 4:44 pm
by andrace
If I understood correctly, the action must be "accept", is that right? If yes, then I can't understand why it is not working.
Re: routing between LANs through an IPsec without NAT
Posted: Wed Feb 18, 2015 11:48 pm
by magchiel
Are you sure it'll match properly with that subnet?
Anyway, I already exclude internal networks in the masquerading rule, like:
1 ;;; masquerade external traffic
chain=srcnat action=masquerade src-address=xxx.xxx.xxx.xxx/xx
dst-address-list=!masq_whitelist out-interface=wan log=no log-prefix=""
Add subnets to the whitelist and there is no need for the accept rule. Of course you can also just do a variant without the list, but make it explicit in the rule.
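The two fixes proposed in this thread (BartoszP's accept rule placed at the top of the srcnat chain, and magchiel's masquerade rule scoped to the WAN interface with an address-list exclusion) both come down to first-match rule ordering. The model below is an added illustration, not RouterOS code and not anyone's posted configuration; it walks a srcnat chain top to bottom and reports which source address the far end sees. The interface names, the 203.0.113.x WAN addresses and the remote 192.168.112.0/24 subnet are constructed assumptions.

```python
import ipaddress

# Constructed model of a RouterOS-style srcnat chain: rules are walked top to bottom
# and the first matching rule decides. Interface names, the WAN address and the
# masq_whitelist list are assumptions chosen to mirror the thread, not real config.
EGRESS_ADDR = {"bridge-lan": "192.168.111.1", "wan": "203.0.113.1"}   # assumed
ADDRESS_LISTS = {"masq_whitelist": [ipaddress.ip_network("192.168.0.0/16")]}

def _in(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

def rule_matches(rule, pkt):
    """Every matcher present in the rule must agree with the packet."""
    if "src" in rule and not _in(pkt["src"], [ipaddress.ip_network(rule["src"])]):
        return False
    if "dst" in rule and not _in(pkt["dst"], [ipaddress.ip_network(rule["dst"])]):
        return False
    if "dst_list" in rule:                 # ("name", negated); "!masq_whitelist" -> negated
        name, negated = rule["dst_list"]
        if _in(pkt["dst"], ADDRESS_LISTS[name]) == negated:
            return False
    if "out_iface" in rule and rule["out_iface"] != pkt["out_iface"]:
        return False
    return True

def source_seen_by_peer(chain, pkt):
    """Return the source address after the srcnat chain has been applied."""
    for rule in chain:
        if rule_matches(rule, pkt):
            if rule["action"] == "masquerade":
                return EGRESS_ADDR[pkt["out_iface"]]   # rewritten to the egress address
            return pkt["src"]                          # accept: packet left untouched
    return pkt["src"]                                  # no match: no NAT

# Constructed packets: a remote-LAN client reaching server 192.168.111.5 over the
# tunnel, and a local host going to the internet.
VPN_PKT = {"src": "192.168.112.10", "dst": "192.168.111.5", "out_iface": "bridge-lan"}
INET_PKT = {"src": "192.168.111.20", "dst": "203.0.113.9", "out_iface": "wan"}
ACCEPT_VPN = {"action": "accept", "src": "192.168.0.0/16", "dst": "192.168.0.0/16"}
BLANKET_MASQ = {"action": "masquerade"}    # no matchers: NATs everything, tunnel included

# Symptom from the thread: a catch-all masquerade above the accept rule hides client IPs.
BROKEN = [BLANKET_MASQ, ACCEPT_VPN]
# Fix 1: the accept rule sits above the masquerade rule.
FIXED_ORDER = [ACCEPT_VPN, BLANKET_MASQ]
# Fix 2: scope the masquerade rule to WAN and exclude whitelisted internal subnets.
FIXED_SCOPE = [{"action": "masquerade", "dst_list": ("masq_whitelist", True),
                "out_iface": "wan"}]
```

With BROKEN the server sees every tunnel client as 192.168.111.1, exactly the symptom reported above; with either fix it sees 192.168.112.10, while internet-bound traffic is still masqueraded.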
Re: routing between LANs through an IPsec without NAT
Posted: Wed Feb 25, 2015 10:21 am
by andrace
Unfortunately magchiel, your advice didn't help :-( but anyway thanks for your reply.