Routing IPsec HUB with two S2S remote offices

Hi, I have 2 MikroTik routers connecting to a cloud HUB that provides VM for us. Both MikroTiks use IPsec S2S to the HUB. All stations on both sites can reach the VM in the HUB.

SiteA 192.168.2.0/24 s2s --> HUB 192.168.1.1/24 <-- s2s 192.168.3.0/24 SiteB

How can I add routes to the MikroTiks so the sites can access each other through the HUB?

Adding

MikroTik 1 SiteA: /ip route add dst-address=192.168.3.0/24 gateway=192.168.1.1

MikroTik 2 SiteB: /ip route add dst-address=192.168.2.0/24 gateway=192.168.1.1

did not work very well. Like there are no IPsec remote sites in the routing table?

Why don’t you just create an additional IPSec S2S directly between the sites?

You don’t add a route, you add a new policy. Now e.g. SiteA has a policy for 192.168.2.0/24 ↔ 192.168.1.0/24, so you will need to add a new one for 192.168.2.0/24 ↔ 192.168.3.0/24 (similarly for SiteB, and the HUB also needs to add a matching policy for each peer). It will make packets for 192.168.3.0/24 go to the HUB, and it will then take care of routing them to SiteB.
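The policy matching described in the answer above, modelled in Python as an added example (not part of the thread and not RouterOS code). The device names, the tuple layout and the host addresses are constructed for illustration; it traces a SiteA to SiteB packet hop by hop and reports which device lacks the policy.

```python
from ipaddress import ip_address, ip_network

def dev(lan, policies):
    # Each policy is (local selector, remote selector, peer name).
    return {"lan": ip_network(lan),
            "pol": [(ip_network(l), ip_network(r), p) for l, r, p in policies]}

def topology(site_policies=False, hub_policies=False):
    """Constructed model of the thread's three devices and their IPsec policies."""
    A, H, B = "192.168.2.0/24", "192.168.1.0/24", "192.168.3.0/24"
    a = [(A, H, "hub")]                        # existing SiteA <-> HUB policy
    h = [(H, A, "siteA"), (H, B, "siteB")]     # existing HUB policies
    b = [(B, H, "hub")]                        # existing SiteB <-> HUB policy
    if site_policies:                          # the new policy on each site
        a.append((A, B, "hub"))
        b.append((B, A, "hub"))
    if hub_policies:                           # matching HUB policy for each peer
        h += [(B, A, "siteA"), (A, B, "siteB")]
    return {"siteA": dev(A, a), "hub": dev(H, h), "siteB": dev(B, b)}

def trace(devices, start, src, dst):
    """Return (delivered, path, reason) for a packet src -> dst entering at start."""
    s, d = ip_address(src), ip_address(dst)
    here, path = start, [start]
    for _ in range(len(devices)):              # hop limit guards against policy loops
        if d in devices[here]["lan"]:
            return True, path, "delivered"
        # Outbound: a policy must select (src, dst); a static route never does.
        nxt = next((p for l, r, p in devices[here]["pol"] if s in l and d in r), None)
        if nxt is None:
            return False, path, f"{here}: no policy selects {src} -> {dst}"
        # Inbound: the receiver needs the mirrored policy bound to this sender.
        if not any(d in l and s in r and p == here for l, r, p in devices[nxt]["pol"]):
            return False, path, f"{nxt}: no matching policy for peer {here}"
        here = nxt
        path.append(here)
    return False, path, "hop limit reached"

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, trace(topology(*flags), "siteA", "192.168.2.10", "192.168.3.10"))
```
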

No access to HUB admins, so I will just create direct As2sB.