Site to site VPN + client to site VPN

Hi, I've created a site-to-site VPN using this guide: https://systemzone.net/mikrotik-site-to-site-vpn-configuration-with-ipsec/
I use two routers (MikroTik hAP ac3). This is the configuration I've created for router R1, which acts as the server:

# apr/05/2022 17:46:16 by RouterOS 6.47.10
# software id = YX7L-JKQ7
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F4207A8
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx arp=local-proxy-arp auto-mac=no comment=defconf name=bridge
add disabled=yes name=guestwifi
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=bulgaria disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Leica wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=bulgaria distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-3397C8 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key="))))))))))" wpa2-pre-shared-key=")))))))))"
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guestwifi supplicant-identity="" wpa2-pre-shared-key=******
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.1.1 local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=guestwifi comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret="(((((((((" use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=A.A.B.C/22 interface=ether1 network=A.A.0.0
add address=192.168.30.1/24 interface=wlan2 network=192.168.30.0
add address=192.168.1.1/24 disabled=yes interface=ether2 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1,212.50.10.50,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=212.247.50.10,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="WinBox Wan Administration" dst-port=8291 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="VPN Windows Client" dst-port=500,1701,4500 protocol=udp
/ip firewall nat
# guestwifi not ready
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=guestwifi
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add distance=1 gateway=A.A.B.D
/ppp secret
add local-address=172.22.22.1 name=)))) password=)))))) remote-address=172.22.22.2 routes="192.168.0.0/24 172.22.22.2 1" service=l2tp
add name=vpn password="))))))))))))"
/system clock
set time-zone-name=Europe/Sofia
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Right now I can't get into the R2 router, but it is the client. So R1's role is the server of the site-to-site VPN, and it is also acting as the VPN server in the client-to-site config for remote clients connecting from their homes.

Good afternoon Sirs,

Everything's looking good from this end as far as I can see, but you might want to remove the duplicate 192.168.1.1 address on ether2.
So, to confirm, this is an L2TP with IPsec tunnel?
If so, I can see that you have set up the routes through the secret to the 192.168.0.0/24 subnet; I presume that's the local subnet on the other side of this tunnel that you are trying to reach?
So the route will tell our traffic to use the VPN and the default firewall will allow it back in, but the question is: is the traffic coming back?

For the traffic to come back we need one of two things. We either need a static route back to the 192.168.1.0/24 or 192.168.30.0/24 addresses with the VPN tunnel interface as the gateway (only do this on point-to-point links); that way, if the connection is initiated from either side, it should be routed through correctly.
I.e. the local subnet from router A can ping the local subnet on router B, and the local subnet from router B can ping the local subnet on router A.

The other option is to not worry about the route on the other side of this VPN and instead put a src-nat on the VPN interface. If you masquerade the traffic going out that interface (make sure you make a static VPN binding for this) you would get the following behaviour:
the local subnet from router A can ping the local subnet on router B, and the local subnet from router B is unable to ping the local subnet on router A.
Remember, this way we will be able to get communication back from router B, but the traffic has to be initiated from the A side first 🙂
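The two return-path options described in the reply above, written out as RouterOS commands. This is an added example, not something posted in this thread; it takes R1's LANs (192.168.1.0/24, 192.168.30.0/24), the tunnel addresses 172.22.22.1/172.22.22.2 and the remote subnet 192.168.0.0/24 from the posted config, and assumes a secret name of site2, a static server-side binding named l2tp-site2, and a client interface on R2 named l2tp-out1. Placeholders in angle brackets must be filled in.

```routeros
# ---------------------------------------------------------------
# Option 1: routes on both ends (point-to-point tunnel only)
# ---------------------------------------------------------------
# R1 (server): a static binding so the tunnel interface keeps a fixed name.
# The "routes=" on the posted secret already installs 192.168.0.0/24 via
# 172.22.22.2 on R1 whenever R2 is connected, so nothing else is needed here.
/interface l2tp-server
add name=l2tp-site2 user=site2

# R2 (client): bring the tunnel up and send R1's two LANs back through it.
# connect-to / password / ipsec-secret are placeholders, not values from the thread.
/interface l2tp-client
add name=l2tp-out1 connect-to=<R1-public-address-or-ddns-name> user=site2 password=<secret-password> use-ipsec=yes ipsec-secret=<ipsec-secret> add-default-route=no disabled=no
/ip route
add dst-address=192.168.1.0/24 gateway=l2tp-out1 distance=1 comment="R1 bridge LAN via VPN"
add dst-address=192.168.30.0/24 gateway=l2tp-out1 distance=1 comment="R1 guest wlan2 via VPN"
# Result: hosts on either side can initiate connections to the other side.

# ---------------------------------------------------------------
# Option 2: no route on R2; masquerade R1-initiated traffic into the tunnel
# ---------------------------------------------------------------
# R1 only. The static binding above is required because srcnat needs a
# fixed out-interface; a dynamic "<l2tp-site2>" interface cannot be matched.
/interface l2tp-server
add name=l2tp-site2 user=site2
/ip firewall nat
add chain=srcnat out-interface=l2tp-site2 action=masquerade comment="site2site: hide R1 LANs behind 172.22.22.1"
# Result: R1's LANs can reach 192.168.0.0/24 and replies return because the
# translated connection is tracked; R2's LAN cannot initiate towards R1's LANs.
```

With option 2 the R2 side only ever sees 172.22.22.1 as the source, so R2 needs no knowledge of 192.168.1.0/24 or 192.168.30.0/24; the trade-off is the one-way reachability the reply describes. With option 1, keep the existing forward-chain rules on both routers in mind: the posted R1 config accepts established/related traffic, and the same must hold on R2 for the return packets to be forwarded.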

@svt11, what is the issue you need help with? The fact that you cannot access management of R2 from R1 or something else?

My colleague actually reset the R2 router and inserted a new config. He put SSTP for the client-to-site config, which works. For the tunnel I'll check it out again.