From our IPsec/GRE tests, we observed that the ACX1100 has some IPsec-related limitations—one likely cause being the missing
services ipsec-vpn rule RULE_NAME match-direction output
statement. If we disable IPsec and use only GRE, routing between the MikroTik (PC1, PC2) and the ACX1100 logical routers (LR1, LR2, LR3) proceeds without any issues.
That said, the ACX1100’s IPsec/ESP capabilities are still perfectly usable for tasks like encrypted management access to remote ACX1100 devices, and they’ll suit many other lightweight VPN scenarios.
It’s possible we’ve overlooked a configuration nuance that would make this particular IPsec/GRE setup fully functional. However, keep in mind that the ACX platform is primarily optimized for routing, not as a dedicated security gateway.
If you need a more robust IPsec feature set, pairing the ACX1100 with a Juniper SRX is a solid choice. 🙂