
Mikrotik Site to Site VPN issue

Posted: Tue Jun 23, 2015 12:20 am
by Cougar281
I just got a RB951G-2HnD to set up for a home environment, and I'm having trouble with the site to site VPN. I used a config from a bunch of 951-2n units that I had configured to sit at end users' home offices that have dynamic addresses and were meant only to initiate a VPN tunnel back to the main office from that location - reverse traffic was not intended.

I set this new 951G up for my personal network, and want it to work both ways. Everything looks as if it should work, but it's only passing traffic from the Mikrotik back to my Watchguard - from the Watchguard to the Mikrotik isn't passing traffic. Under Firewall > NAT, I originally had one 'accept' 'srcnat' rule with a src address of the Mikrotik's LAN network, and a dst address of my Watchguard LAN. I added in a second one that is the inverse of the original, thinking that was what I needed to get it working, but it still won't pass VPN traffic to the Mikrotik's network.

Any thoughts on what I may be missing?

Re: Mikrotik Site to Site VPN issue

Posted: Tue Jun 23, 2015 7:50 am
by jaytcsd
I tested a MT to MT vpn a few years ago but only use win clients to a router now.
Have you looked in the log to see if traffic is coming in from the Watchguard?

Greg Sowell has a video on vpn setup, maybe you will find something here.
http://gregsowell.com/?p=1290

Re: Mikrotik Site to Site VPN issue

Posted: Tue Jun 23, 2015 8:06 pm
by Cougar281
Well, I haven't been able to get any useful logging out of the Mikrotik, despite adding a few parameters (debug, firewall, ipsec, route) and changing most of the defaults to action 'echo', but on the Watchguard, I can see in the realtime log where ICMP packets from the remote network come into the WG and go to their destination, and I can see ICMP packets from my local network hit the WG and are sent into the established IPSec tunnel, so I can only assume that it's something in the Mikrotik that I've missed or mis-configured.

Edit: I got it figured out. The reason it was working outbound is because obviously, all outbound traffic is allowed... but obviously, inbound is not. The 'NAT' entries I added were not enough (and I had to change the one related to traffic from the Watchguard's network to 'dstnat') - after some more testing of my google-fu, I finally found a useful page and found that I need to add a separate ACL in the firewall to allow the traffic in. It's now passing traffic both ways.
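The fix described above, written out as RouterOS terminal commands. This is an added example and is not configuration posted by anyone in this thread; the subnets (192.168.88.0/24 for the MikroTik LAN, 10.0.0.0/24 for the Watchguard LAN) are constructed, and it assumes the IPsec peer and policy are already established and that the MikroTik still has its default srcnat masquerade rule. The ipsec-policy matcher used in the forward rule exists on RouterOS 6.x and 7.x; on older firmware drop that parameter and rely on the subnet match alone.

```routeros
# Added example, not from the thread. Constructed addresses:
#   MikroTik LAN   192.168.88.0/24   (RB951G side)
#   Watchguard LAN 10.0.0.0/24       (main office side)
# Assumes the IPsec peer/policy is already up and the default
# chain=srcnat action=masquerade rule is still present.

# 1. NAT: LAN-to-LAN traffic must bypass masquerade, otherwise the source
#    address is rewritten before the IPsec policy can match it. place-before=0
#    puts the accept rule above the masquerade rule; an accept rule that sits
#    below masquerade never sees the packet. A dstnat rule is not needed for this.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.0.0/24 comment="site-to-site: bypass masquerade" place-before=0

# 2. Input: let the tunnel itself reach the router (IKE, NAT-T, ESP).
#    If the Watchguard has a static public IP, add src-address=<watchguard-public-ip>
#    to both rules so only that peer can talk to the IKE daemon.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="site-to-site: IKE / NAT-T"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp comment="site-to-site: ESP"

# 3. Forward: this is the "separate ACL" that lets decrypted traffic from the
#    remote LAN into the local LAN. ipsec-policy=in,ipsec only matches packets
#    that were decapsulated from an IPsec SA, so a plain packet arriving on the
#    WAN with a spoofed 10.0.0.0/24 source still hits the drop rules.
/ip firewall filter add chain=forward action=accept src-address=10.0.0.0/24 dst-address=192.168.88.0/24 ipsec-policy=in,ipsec comment="site-to-site: remote LAN -> local LAN" place-before=0

# 4. Optional troubleshooting: log what arrives from the remote LAN before any
#    drop rule, which answers "is traffic actually coming in from the Watchguard".
#    Disable or remove it once the tunnel is confirmed working.
/ip firewall filter add chain=forward action=log log-prefix="vpn-in" src-address=10.0.0.0/24 comment="site-to-site: temporary debug" place-before=0
```

To confirm the rules are doing what you expect, ping a Watchguard-side host from the MikroTik LAN and the other way round, then run `/ip firewall filter print stats` and watch the packet counters on the two site-to-site rules climb; `/log print where message~"vpn-in"` shows the individual packets matched by the debug rule, and `/ip ipsec installed-sa print` confirms the SAs exist in both directions. If the forward accept rule's counter stays at zero while the log rule fires, the packets are arriving but a rule above the accept is dropping them, so check the rule order with `/ip firewall filter print`.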