Hi all,

I think I'm missing something obvious here, but it has been so long since I've done anything with IPSEC that I can't remember all of the tricks.

The configuration is an RB2011 with two interfaces active: one goes to an Optus fibre WAN link, the other goes to a single-subnet LAN via NAT. Inside that LAN there is a Mac OS X box running an IPSEC VPN server for road-warrior-type access. This was previously working with a Cisco 881, but that has been replaced with the RB2011 to get a bit more flexibility.

So far, I have not been able to establish a VPN link from the outside using the Mikrotik. As an aside, the test workstation has a public IP address with no NAT or firewalling involved, so there shouldn't be any problems on that end. I have forwarded ports 500, 1701 and 4500 (all UDP) to the server, and (with some additional logging firewall rules) I can see the traffic hitting the router and being forwarded to the Mac server, but I can't see anything going back the other way.

/ip firewall filter
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow access to the administration" in-interface=wan-optus src-address=<my remote admin workstation>
add action=drop chain=input comment="Drop anything addressed to the router coming in from WAN not specifically allowed above" in-interface=wan-optus
add chain=forward comment="Forward on any established connections without rechecking rules" connection-state=established
add chain=forward comment="Forward on any related connections without rechecking rules" connection-state=related
add chain=forward comment="Allow some UDP ports in from Optus" dst-port=500,1701,4500 in-interface=wan-optus protocol=udp
*** various other allow rules redacted - all of these only touch TCP packets
add action=drop chain=forward comment="Drop any invalid" connection-state=invalid
add action=drop chain=forward comment="Drop any inbound traffic that is not specifically allowed by other rules" in-interface=wan-optus

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT masquerade for Optus" out-interface=wan-optus
add action=dst-nat chain=dstnat comment="NAT from Optus to Mac server - UDP ports" dst-port=500,1701,4500 in-interface=wan-optus protocol=udp to-addresses=<internal IP of Mac server>
*** various other dstnat rules redacted - all involve TCP

Any tips would be much appreciated.

Cheers,
Thomas
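When a port-forward on RouterOS appears to go one way only, the first thing worth checking mechanically is that the dstnat rules and the forward-chain filter rules agree on interface, protocol and ports, and whether the plain IPsec protocols (RouterOS names them ipsec-esp and ipsec-ah) appear anywhere at all, since an IPsec peer that does not negotiate NAT-T sends ESP on IP protocol 50 rather than inside UDP 4500. The script below is an added example written for this page, not the poster's configuration or a MikroTik tool. It parses the `/ip firewall ...` export syntax used in the post and reports every dst-nat rule whose traffic has no matching forward accept rule. The embedded CONFIG is constructed from the post: the redacted addresses are replaced with documentation-range values, and one extra TCP 443 dst-nat rule with no forward rule is added deliberately so that a flagged case is visible.

```python
"""Audit a RouterOS firewall export for dst-nat rules without a forward accept rule.

Constructed sample based on the forum post; 203.0.113.10 and 192.168.1.10 are
placeholders for the redacted admin workstation and Mac server addresses, and
the TCP 443 dst-nat rule is added here to show what an unmatched rule looks like.
"""
import shlex

CONFIG = """\
/ip firewall filter
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow access to the administration" in-interface=wan-optus src-address=203.0.113.10
add action=drop chain=input comment="Drop anything else addressed to the router from WAN" in-interface=wan-optus
add chain=forward comment="Forward established" connection-state=established
add chain=forward comment="Forward related" connection-state=related
add chain=forward comment="Allow some UDP ports in from Optus" dst-port=500,1701,4500 in-interface=wan-optus protocol=udp
add action=drop chain=forward comment="Drop any invalid" connection-state=invalid
add action=drop chain=forward comment="Drop inbound traffic not specifically allowed" in-interface=wan-optus
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT masquerade for Optus" out-interface=wan-optus
add action=dst-nat chain=dstnat comment="NAT from Optus to Mac server - UDP ports" dst-port=500,1701,4500 in-interface=wan-optus protocol=udp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat comment="NAT to Mac server - HTTPS" dst-port=443 in-interface=wan-optus protocol=tcp to-addresses=192.168.1.10
"""


def parse_rules(text):
    """Turn '/ip firewall ...' sections and their 'add key=value ...' lines into dicts."""
    section, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line          # remember which menu the following rules belong to
            continue
        if not line.startswith("add "):
            continue                # 'set' lines and comments are not rules
        rule = {"_section": section, "action": "accept"}   # RouterOS default action
        for token in shlex.split(line[4:]):                 # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def parse_ports(spec):
    """'500,1701,4500' or '1000-1002' -> set of ints; None means 'any port'."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def admits_new_flow(filt, nat):
    """True if a forward accept rule could match the first packet of the dst-nat'd flow."""
    if filt.get("chain") != "forward" or filt["action"] != "accept":
        return False
    # established/related rules never admit the first packet of a new inbound flow
    if filt.get("connection-state") in ("established", "related"):
        return False
    for key in ("in-interface", "protocol"):
        if key in filt and filt[key] != nat.get(key):
            return False
    return True


def audit(text):
    """Return unmatched dst-nat rules and whether ESP/AH are referenced anywhere."""
    rules = parse_rules(text)
    unmatched = []
    for nat in rules:
        if nat.get("chain") != "dstnat" or nat["action"] != "dst-nat":
            continue
        nat_ports = parse_ports(nat.get("dst-port"))
        covered, any_port = set(), False
        for filt in rules:
            if not admits_new_flow(filt, nat):
                continue
            filt_ports = parse_ports(filt.get("dst-port"))
            if filt_ports is None:
                any_port = True     # a port-less accept rule covers everything
            else:
                covered |= filt_ports
        if any_port:
            missing = []
        elif nat_ports is None:
            missing = ["any"]       # NAT forwards all ports but filter only lists some
        else:
            missing = sorted(nat_ports - covered)
        if missing:
            unmatched.append((nat.get("comment", "<no comment>"), nat.get("protocol", "any"), missing))
    plain_ipsec = any(r.get("protocol") in ("ipsec-esp", "ipsec-ah") for r in rules)
    return {"unmatched": unmatched, "handles_plain_ipsec": plain_ipsec}


if __name__ == "__main__":
    result = audit(CONFIG)
    for comment, proto, ports in result["unmatched"]:
        print(f"dst-nat '{comment}' ({proto}) has no forward accept rule for ports {ports}")
    if not result["handles_plain_ipsec"]:
        print("no rule references ipsec-esp/ipsec-ah (only matters if NAT-T is not negotiated)")
```

Run against a real export (`/ip firewall export` pasted into a file and read into `audit`), the script only reasons about the rules it can see; rules placed in custom chains jumped to from `forward` are not followed, so a "missing" finding on such a setup should be checked by hand before anything is changed.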