L2TP connection via IPsec tunnel

Hi,

I want L2TP clients to be able to talk to devices across the IPsec tunnel, as in the picture below, e.g. users connected via L2TP should be able to reach Site A devices.
Site A and Site B each have a MikroTik router.
The thing is that packets travelling through the IPsec tunnel are encrypted, and I haven’t figured out how to make this scenario work properly.
I tried adding routes and forward firewall rules, but every time the packets from the L2TP clients end up going out via the WAN instead of through the IPsec tunnel. I’m wondering how I should set this up properly so that Site A is reachable from the L2TP clients.
In any case, I don’t need the internet to be reachable via the Site A router.
123.PNG

You forgot to post the configuration exports of the routers at both sites. See my automatic signature below regarding “non-destructive anonymisation”.

Thanks for reply @sindy.
Below is my config:

Site A:

# dec/18/2020 18:41:20 by RouterOS 6.47.4
# software id = RLRF-39GH
#
# model = 2011UiAS-2HnD
# serial number = 731406A7042E
# Site A export as first posted. Blank values (address=, secret=, name=,
# list=, mac-address=) are the poster's anonymisation; "address=8" and
# "address=9" in the IPsec peer entries look like residue of that editing
# rather than real settings.
/interface bridge
add admin-mac= auto-mac=no comment=defconf fast-forward=no \
    name=bridge
# Second bridge carries VLAN 5 between ether1 and ether10 (see /interface vlan).
add fast-forward=no name=bridge-voip protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] loop-protect=on name=ether2-master speed=\
    100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# The AP is a member of the LAN bridge (see /interface bridge port below).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=lithuania disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid= station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan5-ext vlan-id=5
add interface=ether10 name=vlan5-int vlan-id=5
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
# WPA2-PSK only; the pre-shared keys were stripped from the export.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip ipsec peer
add address=8 exchange-mode=ike2 name=
/ip ipsec profile
# Phase 1: the default and Site_to_site profiles use modp2048 / aes-256 /
# sha256. "cloud" uses modp1024 / aes-128 and inherits the default
# hash-algorithm; it is the weakest profile in this export, so align it with
# Site_to_site if the remote end supports that.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
add dh-group=modp1024 enc-algorithm=aes-128 name=cloud
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    Site_to_site
/ip ipsec peer
# IKEv2 peers: Site B (Site_to_site profile) and a "cloud" peer.
add address= exchange-mode=ike2 name= profile=\
    Site_to_site
add address=9 exchange-mode=ike2 name= profile=cloud
/ip ipsec proposal
# Phase 2: "cloud" sets neither auth-algorithms nor pfs-group, so the RouterOS
# defaults apply to it; Site_to_site pins sha256 / aes-256-cbc / PFS modp2048.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=cloud
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
    Site_to_site pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.1.15-192.168.1.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=defconf
/ppp profile
# Fixed point-to-point addresses for the OpenVPN server configured below.
add local-address=10.30.0.1 name=ovpn remote-address=10.30.0.2
/snmp community
# The default community is accepted from any source address. Narrow
# addresses= to the management subnet rather than relying on the input chain
# below to keep it off the WAN.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-voip interface=vlan5-ext
add bridge=bridge-voip interface=vlan5-int
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=mactel
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=vlan5-ext list=discover
add interface=vlan5-int list=discover
add interface=bridge-voip list=discover
# MAC-telnet and MAC-Winbox are limited to the LAN bridge via these lists.
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/interface ovpn-server server
# OpenVPN on TCP/52210 with aes128 / sha1; the input chain accepts this port
# from any source (it is the only service deliberately exposed on the WAN).
set auth=sha1 certificate=CA cipher=aes128 default-profile=ovpn enabled=yes \
    port=52210
/ip address
add address=192.168.1.254/24 interface=ether2-master network=192.168.1.0
add address= interface=ether1 network=
/ip dhcp-server lease
add address=192.168.1.117 always-broadcast=yes mac-address=
add address=192.168.1.189 mac-address=
/ip dhcp-server network
add address=192.168.1.0/24 comment=lan dns-server=\
     gateway=192.168.1.254 netmask=24
/ip dns
# Recursive resolver answers remote requests (Site B's LAN address is one of
# the upstreams). There is no explicit UDP/53 input rule; only the "drop all
# from WAN" rule below keeps it from serving the Internet.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,192.168.120.1
/ip dns static
add address=192.168.1.254 name=router
/ip firewall address-list
# Three lists (contents stripped); one of them restricts Winbox (8291) below.
add address=disabled=yes list=
add address= list=
add address= list=
/ip firewall filter
# input: ICMP, OpenVPN (52210), IKE (UDP 500/4500) and Winbox-from-list are
# accepted, then everything arriving on ether1 is dropped. The
# established,related accept sits after several forward rules here (it is
# moved to the top in the later export).
# forward: per-subnet accepts for the three tunnel peers come first, then
# fasttrack / established,related / drop invalid / drop WAN-not-dstnat.
# There is no final drop, so any transit not matched above (LAN to Internet,
# LAN to the tunnels) is allowed.
# The "protocol=ipsec-esp" accept in chain=forward matches ESP transiting the
# router, not the tunnels terminating here; it looks like a leftover.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=52210 protocol=tcp
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.119.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.120.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.119.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    
add action=accept chain=forward protocol=ipsec-esp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
# srcnat: the action=accept rules exempt LAN->tunnel traffic from the
# out-interface=ether1 masquerade; they must stay above it, as they do here.
# Two of them (dst-address=192.168.1.0/24) are disabled and match nothing
# the masquerade could catch anyway.
# dstnat: TCP 8080->80, 37777, 37781, 443/5001 and 6690 are published to LAN
# hosts; the 443,5001 rule has no in-interface restriction, unlike the others.
# The last masquerade (src=dst=192.168.1.0/24) is hairpin NAT for those
# published services when reached from inside the LAN.
add action=accept chain=srcnat dst-address=192.168.119.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.120.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat comment=8080 dst-port=8080 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=dst-nat chain=dstnat comment=" " dst-port=37777 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=37777
add action=dst-nat chain=dstnat dst-port=37781 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.33 to-ports=37781
add action=dst-nat chain=dstnat dst-address= dst-port=443,5001 \
    protocol=tcp to-addresses=192.168.1.10 to-ports=5001
add action=dst-nat chain=dstnat dst-address= dst-port=6690 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=6690
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
/ip ipsec identity
# One PSK identity per peer (secrets stripped).
add peer= secret=
add peer= secret=
add peer= secret=
/ip ipsec policy
# One tunnel policy per remote LAN, all with src-address=192.168.1.0/24 only.
# Packets from any other source do not match a policy and are routed in the
# clear via ether1, which is presumably what the poster observed for the L2TP
# clients' traffic in the other direction.
add dst-address=192.168.2.0/24 peer= sa-dst-address= \
    sa-src-address=0.0.0.0 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.119.0/24 peer= proposal=cloud sa-dst-address=\
     sa-src-address= src-address=192.168.1.0/24 \
    tunnel=yes
add dst-address=192.168.120.0/24 peer= proposal=Site_to_site \
    sa-dst-address= sa-src-address= src-address=\
    192.168.1.0/24 tunnel=yes
/ip route
# Interface route sends 192.168.120.0/24 towards ether1 so the policy above
# can capture it on the way out; pref-src keeps router-originated traffic
# inside the policy's src-address.
add distance=1 gateway=
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=bridge \
    pref-src=
add distance=1 dst-address=192.168.120.0/24 gateway=ether1 pref-src=\
    192.168.1.254
/ip service
# telnet/ftp/www/ssh/api/api-ssl are disabled; winbox and www-ssl are not
# listed here and keep whatever state they have on the device.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes lets SSH sessions negotiate no encryption and
# forwarding-enabled=remote allows remote port forwarding through the router.
# Both are moot while the ssh service is disabled above, but revert them
# before re-enabling it.
set allow-none-crypto=yes forwarding-enabled=remote
/lcd pin
# NOTE(review): the LCD PIN was left in the public export; change it.
set pin-number=4455
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
    ,ether7,ether8,ether9,ether10"
/ppp secret
add disabled=yes name=rem1 password= profile=ovpn
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
# Reboot script with start-date in Oct 2020 and no interval shown. Its policy
# list (password, sensitive, ...) is far broader than what :log and
# /system reboot need; reboot,read,test would do.
add name="upgrade OS" on-event=":log info (\"Rebooted Mikrotik. Installing upd\
    ates...\")\r\
    \n:delay 2s;\r\
    \n/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/17/2020 start-time=02:06:08
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
# "*F00002" is an unresolved internal id, probably an interface that no
# longer exists.
set filter-interface=*F00002

For some reason I can’t put two code blocks into one post; the second one is displayed without code formatting. Below is Site B.

# dec/18/2020 18:31:56 by RouterOS 6.47.8
# software id = 
#
#
#
# Site B export as first posted (anonymised; blank values were stripped).
/interface l2tp-server
add name=l2tp-in1 user=""
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Site_to_site phase 1 / phase 2 mirror the Site A side: modp2048 / aes-256 /
# sha256, PFS modp2048, 1h SA lifetime.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    Site_to_site
/ip ipsec peer
add address= exchange-mode=ike2 name= profile=\
    Site_to_site
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
    Site_to_site pfs-group=modp2048
/ip pool
# "dhcp" serves the LAN; "vpn" (192.168.200.x) is handed to L2TP clients via
# the profile below and is the subnet missing from the IPsec policy at the end.
add name=dhcp ranges=192.168.120.50-192.168.120.100
add name=vpn ranges=192.168.200.50-192.168.200.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 lease-time=8h name=DHCP
/ppp profile
add dns-server=192.168.120.1,8.8.8.8 local-address=192.168.120.254 name=\
    L2TP_VPN rate-limit=5000000 remote-address=vpn
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP over IPsec with a pre-shared key (ipsec-secret stripped). mschap1 is
# still offered alongside mschap2; restricting authentication to mschap2
# removes the weaker method without affecting modern clients.
set authentication=mschap1,mschap2 default-profile=L2TP_VPN enabled=yes \
    ipsec-secret= use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
# The LAN member's interface is blank (presumably stripped); the input
# chain's last rule drops everything not arriving via this list, so its
# membership decides what can manage the router.
add list=LAN
/ip address
# A static address on ether1 (stripped) and the DHCP client below coexist on
# the WAN interface; only the network value survived the anonymisation.
add address= interface=ether1 network=185.193.27.0
add address=192.168.120.254/24 interface=ether2 network=192.168.120.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.120.0/24 dns-server=192.168.120.1,192.168.120.254 \
    gateway=192.168.120.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,192.168.120.1
/ip firewall address-list
add address= list=
add address= list=
/ip firewall filter
# input: established,related,untracked first, then Winbox from an address
# list, ESP and UDP 500/1701/4500 from any source, drop invalid, ICMP, and a
# final drop of everything not from the LAN list. UDP/1701 is accepted in the
# clear here; with use-ipsec=yes the L2TP server should only see it inside
# IPsec, so adding ipsec-policy=in,ipsec to a separate 1701 rule keeps
# plaintext L2TP attempts out.
# forward: the LAN<->Site A subnet accepts (two disabled ones for the
# 192.168.200.0/24 pool) sit before established,related; the two
# ipsec-policy accepts at the end are shadowed by those subnet rules; and
# there is no final drop, so unmatched transit is allowed.
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.120.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.200.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.200.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
/ip firewall nat
# srcnat: the LAN->Site A accept exempts that traffic from the ether1
# masquerade. The L2TP pool (192.168.200.0/24) has no such exception, so its
# traffic towards 192.168.1.0/24 is masqueraded out of ether1 instead of
# entering the tunnel.
# dstnat: TCP/2245 -> 192.168.120.10:3389 (RDP) is published only from the
# stripped src-address, which is the right way to expose RDP if it must be.
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.120.0/24
add action=accept chain=srcnat dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="" \
    dst-port=2245 protocol=tcp src-address= to-addresses=\
    192.168.120.10 to-ports=3389
/ip ipsec identity
add peer= secret=
/ip ipsec policy
# Only 192.168.120.0/24 -> 192.168.1.0/24 is protected; 192.168.200.0/24 is
# not covered, which is the root cause discussed in the thread.
add dst-address=192.168.1.0/24 peer= proposal=Site_to_site \
    sa-dst-address= sa-src-address=0.0.0.0 src-address=\
    192.168.120.0/24 tunnel=yes
/ip route
# Interface route towards ether1 for Site A's LAN; the policy above captures
# matching traffic before it leaves.
add distance=1 gateway=
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=\
    192.168.120.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
/radius
# PPP (L2TP) users are authenticated against a RADIUS server on the LAN
# (shared secret stripped); src-address pins the NAS address the server sees.
add address=192.168.120.1 secret= \
    service=ppp src-address=192.168.120.254 timeout=1s
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/tool bandwidth-server
set enabled=no

There are formatting issues when using some skins (at least the default one), adding some empty lines before the second code block fixes that.

Regarding your issue: you use a pool 192.168.200.50-192.168.200.150 for the L2TP clients, but you only have an IPsec policy dst-address=192.168.1.0/24 src-address=192.168.120.0/24 (at Site B).

To allow the L2TP clients to reach 192.168.1.0/24 as well, you have to add another IPsec policy at each router - a copy of the already existing one but with 192.168.200.0/24 instead of 192.168.120.0/24 at the appropriate place (src-address at Site B and dst-address at Site A).

The action=accept rules in chain=srcnat of /ip firewall nat have to be added too; on the other hand, you can remove those rules in which the local subnet is matched as dst-address (the masquerade rule only matches out-interface=ether1, which traffic towards the local subnet never uses). So at Site B, the following chain=srcnat action=accept rules are sufficient:
src-address=192.168.120.0/24 dst-address=192.168.1.0/24
src-address=192.168.200.0/24 dst-address=192.168.1.0/24

Also, have a better look at how the stateful firewall works:
First, there is no action=drop rule in the forward chain, so transit traffic is not restricted in any way (the presence of NAT is not a 100 % protection against attacks from outside if the attacker knows the LAN addresses).
Second, you’ve placed permissive rules before the “accept established, related” ones, which is a waste of CPU.
Next, you have one action=accept rule matching on src-address and dst-address of the LAN subnets, and then other action=accept rules matching on ipsec-policy which are shadowed by the previous one. This is not a waste of CPU but may be a source of surprises.

Thanks for your reply.

So basically, if I changed the L2TP clients’ pool from “vpn” to “dhcp”, I should be able to reach Site A, right?
I think that could be the solution to go.

I also tried your suggestion. I created an exact copy of the existing IPsec policy with the same name but different addresses, but I still was not able to ping Site A from an L2TP client. That’s probably because I didn’t reboot the routers.

EDIT:
I changed the pool to “dhcp”. Now I am able to ping Site A but can’t reach Site B at all.

This would work, but you would have to take other measures to make L2TP clients talk to devices in Site B’s LAN subnet (or, more precisely, the devices in Site B’s LAN subnet to deliver packets to the L2TP clients). So I would not go this way.


No, reboot is not necessary. Check that the newly added policies are active at both routers, and if yes, check the firewall rules at Site A - I haven’t looked at them at all. And as I wrote, it is not enough to add the policies, you also have to exclude the connections from 192.168.200.0/24 to 192.168.1.0/24 from getting src-nated at Site B.

OK, so I added a so-called NAT loopback rule in the firewall with src-address 192.168.120.0/24 and dst-address 192.168.120.0/24, and now it seems I am able to reach Site B and Site A from the L2TP client.
Nice. Thank you for your suggestions.

Why a “NAT loopback” rule with same src-address and dst-address should help makes little sense to me. Either it is a typo or something else has actually helped. Can you post the current exports of both machines?

Basically I went with changing the L2TP clients’ pool to “dhcp” for my scenario. It actually makes sense to me: the L2TP clients were not able to reach Site B, and the NAT rule loops their traffic back into the same network. After you said that, I disabled that rule and tried again to ping or RDP to the server, with no luck. Re-enabling the rule lets me reach Site B from the L2TP client again. I can also see the rule’s counter increasing each time I make a request to 192.168.120.0/24 from the L2TP client.

Site A:

# dec/18/2020 23:10:45 by RouterOS 6.47.4
# software id = RLRF-39GH
#
# model = 2011UiAS-2HnD
# serial number = 731406A7042E
# Site A export after the thread's changes. Compared with the first export:
# the "accept established,related" input rule now leads the filter, the two
# disabled srcnat accepts are gone and the /ppp profile section is absent.
# The IPsec policies and routes are unchanged, so 192.168.200.0/24 is still
# not covered on this side. Blank values are the poster's anonymisation;
# "mac-address" and "list" without "=" below are artefacts of the same edit.
/interface bridge
add admin-mac= auto-mac=no comment=defconf fast-forward=no \
    name=bridge
add fast-forward=no name=bridge-voip protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] loop-protect=on name=ether2-master speed=\
    100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=lithuania disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid= station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan5-ext vlan-id=5
add interface=ether10 name=vlan5-int vlan-id=5
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip ipsec peer
add address= exchange-mode=ike2 name=
/ip ipsec profile
# Phase 1: "cloud" (modp1024 / aes-128, default hash) remains the weakest
# profile; default and Site_to_site use modp2048 / aes-256 / sha256.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
add dh-group=modp1024 enc-algorithm=aes-128 name=cloud
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    Site_to_site
/ip ipsec peer
add address= exchange-mode=ike2 name= profile=\
    Site_to_site
add address= exchange-mode=ike2 name= profile=cloud
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=cloud
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
    Site_to_site pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.1.15-192.168.1.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=defconf

/snmp community
# Still accepted from any source address; narrow this to the management subnet.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-voip interface=vlan5-ext
add bridge=bridge-voip interface=vlan5-int
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=mactel
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=vlan5-ext list=discover
add interface=vlan5-int list=discover
add interface=bridge-voip list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/interface ovpn-server server
# OpenVPN on TCP/52210 (aes128 / sha1), the one service accepted from any
# source in the input chain. The "ovpn" PPP profile it references is no longer
# part of this export.
set auth=sha1 certificate=CA cipher=aes128 default-profile=ovpn enabled=yes \
    port=52210
/ip address
add address=192.168.1.254/24 interface=ether2-master network=192.168.1.0
add address= interface=ether1 network=
/ip dhcp-server lease
add address=192.168.1.117 always-broadcast=yes mac-address
add address=192.168.1.189 mac-address=
/ip dhcp-server network
# LAN clients get Site B's LAN address as their first DNS server (via the tunnel).
add address=192.168.1.0/24 comment=lan dns-server=\
    192.168.120.1, gateway=192.168.1.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,192.168.120.1
/ip dns static
add address=192.168.1.254 name=router
/ip firewall address-list
add address= disabled=yes list=
add address= list=
add address= list
/ip firewall filter
# input: established,related is now evaluated first (the CPU point raised in
# the thread), then ICMP, OpenVPN, Winbox-from-list, IKE (UDP 500/4500), and
# a drop of everything arriving on ether1.
# forward: unchanged from the first export - per-subnet accepts for the three
# tunnel peers, a stray "protocol=ipsec-esp" accept, then fasttrack /
# established,related / drop invalid / drop WAN-not-dstnat, and no final drop.
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=52210 protocol=tcp
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.119.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.120.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.119.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
  
add action=accept chain=forward protocol=ipsec-esp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
# srcnat: LAN->tunnel accepts stay above the ether1 masquerade; the disabled
# dst-address=192.168.1.0/24 entries from the first export were removed.
# dstnat: the same five published ports as before; the 443,5001 rule still
# has no in-interface restriction. The final masquerade is hairpin NAT.
add action=accept chain=srcnat dst-address=192.168.119.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat comment=8080 dst-port=8080 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=dst-nat chain=dstnat comment="" dst-port=37777 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=37777
add action=dst-nat chain=dstnat dst-port=37781 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.33 to-ports=37781
add action=dst-nat chain=dstnat dst-address= dst-port=443,5001 \
    protocol=tcp to-addresses=192.168.1.10 to-ports=5001
add action=dst-nat chain=dstnat dst-address= dst-port=6690 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=6690
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
/ip ipsec identity
add peer= secret=
add peer= secret=
add peer= secret=
/ip ipsec policy
# Unchanged: one policy per remote LAN, src-address=192.168.1.0/24 only.
# With Site B's L2TP clients now drawing addresses from 192.168.120.0/24
# (their later export), the existing 192.168.120.0/24 policy covers them
# without a change here.
add dst-address=192.168.2.0/24 peer= sa-dst-address= \
    sa-src-address=0.0.0.0 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.119.0/24 peer= proposal=cloud sa-dst-address=\
     sa-src-address= src-address=192.168.1.0/24 \
    tunnel=yes
add dst-address=192.168.120.0/24 peer= proposal=Site_to_site \
    sa-dst-address= sa-src-address= src-address=\
    192.168.1.0/24 tunnel=yes
/ip route
# Interface route towards ether1 for Site B's LAN; the policy above captures
# the matching traffic on the way out.
add distance=1 gateway=
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=bridge \
    pref-src=
add distance=1 dst-address=192.168.120.0/24 gateway=ether1 pref-src=\
    192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes and forwarding-enabled=remote are still set; revert
# them before the (currently disabled) ssh service is ever re-enabled.
set allow-none-crypto=yes forwarding-enabled=remote
/lcd pin
# NOTE(review): the LCD PIN is again visible in the public export.
set pin-number=4455
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
    ,ether7,ether8,ether9,ether10"
/ppp secret
add disabled=yes name=rem1 password= profile=ovpn
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
# Reboot script with a policy list far broader than :log / /system reboot need.
add name="upgrade OS" on-event=":log info (\"Rebooted Mikrotik. Installing upd\
    ates...\")\r\
    \n:delay 2s;\r\
    \n/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/17/2020 start-time=02:06:08
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
# "*F00002" is an unresolved internal id, probably a removed interface.
set filter-interface=*F00002

Site B:

# dec/18/2020 23:10:02 by RouterOS 6.47.8
# software id = 
#
#
#
# Site B export after the thread's changes. Compared with the first export:
# L2TP clients now take addresses from the LAN pool (remote-address=dhcp),
# the two disabled forward rules for 192.168.200.0/24 are gone, and a hairpin
# masquerade (src=dst=192.168.120.0/24) was appended to srcnat. The IPsec
# policy is unchanged. "address=interface=" and "address=list=" below are
# anonymisation artefacts.
/interface l2tp-server
add name=l2tp-in1 user=""
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    Site_to_site
/ip ipsec peer
add address= exchange-mode=ike2 name= profile=\
    Site_to_site
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
    Site_to_site pfs-group=modp2048
/ip pool
# "dhcp" is now shared between the DHCP server and the L2TP profile; "vpn"
# is no longer referenced anywhere in this export.
add name=dhcp ranges=192.168.120.50-192.168.120.100
add name=vpn ranges=192.168.200.50-192.168.200.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 lease-time=8h name=DHCP
/ppp profile
# remote-address=dhcp puts L2TP clients inside 192.168.120.0/24, so the
# existing IPsec policy and srcnat accept below now match their traffic too.
add dns-server=192.168.120.1,8.8.8.8 local-address=192.168.120.254 name=\
    L2TP_VPN rate-limit=5000000 remote-address=dhcp
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP over IPsec with a pre-shared key (stripped); mschap1 is still offered,
# restricting authentication to mschap2 removes the weaker method.
set authentication=mschap1,mschap2 default-profile=L2TP_VPN enabled=yes \
    ipsec-secret= use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
# LAN member's interface is blank (presumably stripped); the input chain's
# final drop keys on this list.
add list=LAN
/ip address
add address=interface=ether1 network=
add address=192.168.120.254/24 interface=ether2 network=192.168.120.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.120.0/24 dns-server=192.168.120.1,192.168.120.254 \
    gateway=192.168.120.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,192.168.120.1
/ip firewall address-list
add address=list=
add address= list=
/ip firewall filter
# input: unchanged - established,related,untracked, Winbox from a list, ESP
# and UDP 500/1701/4500 from any source, drop invalid, ICMP, drop all not
# from LAN. UDP/1701 is still accepted in the clear; a separate rule matching
# ipsec-policy=in,ipsec for 1701 would keep plaintext L2TP out.
# forward: the subnet accepts still precede established,related and still
# shadow the ipsec-policy accepts at the end; there is still no final drop.
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.120.0/24
add action=accept chain=forward dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
/ip firewall nat
# srcnat: LAN->Site A accept above the ether1 masquerade, as before.
# The appended masquerade (src=dst=192.168.120.0/24) is the "NAT loopback"
# from the thread: the L2TP clients now carry LAN-range addresses while not
# being on ether2, so presumably LAN hosts would otherwise try to reach them
# directly on the segment; rewriting the source to the router's LAN address
# (192.168.120.254) makes replies come back through the router. Side effect:
# LAN hosts log every VPN client as 192.168.120.254, so per-client source
# attribution is lost; arp=proxy-arp on ether2 is the usual alternative that
# keeps the real client address visible.
# dstnat: TCP/2245 -> 192.168.120.10:3389 (RDP), limited to the stripped
# src-address.
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.120.0/24
add action=accept chain=srcnat dst-address=192.168.120.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="" \
    dst-port=2245 protocol=tcp src-address= to-addresses=\
    192.168.120.10 to-ports=3389
add action=masquerade chain=srcnat dst-address=192.168.120.0/24 src-address=\
    192.168.120.0/24
/ip ipsec identity
add peer= secret=
/ip ipsec policy
# Unchanged; with the L2TP clients inside 192.168.120.0/24 this single policy
# now covers them as well.
add dst-address=192.168.1.0/24 peer= proposal=Site_to_site \
    sa-dst-address= sa-src-address=0.0.0.0 src-address=\
    192.168.120.0/24 tunnel=yes
/ip route
add distance=1 gateway=
add distance=1 dst-address=192.168.1.0/24 gateway=ether1 pref-src=\
    192.168.120.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret

/radius
# PPP users are authenticated against a RADIUS server on the LAN (secret
# stripped); src-address pins the NAS address the server sees.
add address=192.168.120.1 secret= \
    service=ppp src-address=192.168.120.254 timeout=1s
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/tool bandwidth-server
set enabled=no

Now I understand, I was suggesting NAT rules needed to make it work with the additional policies, whereas you have added a NAT rule to make it work with L2TP clients getting their addresses from the LAN subnet on Site B.

As @Chupaka says in his automatic signature - your life, your routing :slightly_smiling_face: