eragons
just joined
Topic Author
Posts: 3
Joined: Wed Sep 06, 2017 4:17 pm

L2TP server, I can't see devices in network

Wed Sep 06, 2017 4:33 pm

Hi, I have configured an L2TP server with IPsec on my RB951G-2HnD; I followed some tutorials on YouTube and here.

My network is 192.168.0.0/24.
In PPP/Profiles the local address is set to 172.16.100.1 and the remote address is set to 172.16.100.2-172.16.100.100.

I can connect to the VPN from Windows 7, and the connection works. This computer is in network 10.20.10.0/24. But I can't see devices in my network 192.168..... If I change the local address and remote address in PPP/Profiles to 192.168.0.1 and the pool to 192.168.0.210-192.168.0.220, everything is OK and I can ping devices. But that's not what I want.

On my LAN interface proxy-arp is enabled. What else should I change to get it to work with addresses from another range?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: L2TP server, I can't see devices in network

Wed Sep 06, 2017 4:41 pm

Computers in the same range expect others to reply to their arp queries, i.e. expect the rest to be L2 connected and thus receiving/replying broadcasts straight on their own.

Proxy-arp helps when you use the same range for the VPN, as remote computers aren't directly connected to the network; it makes the router "proxy", or act on their behalf, when asking/answering ARP requests.

Using a different range for the VPN puts you in a completely different scenario, where routing needs to be properly set for inter-communication between 192.168.x.x and 10.x.x.x subnets to happen.

You have two possible solutions for routing in this case:
  1. Set VPN clients to send all traffic to the remote network, sometimes labeled as "use default gateway on remote network" (Windows) or "send all traffic through the VPN" (Mac). This has a drawback though: all traffic from the remote computer, including traffic addressed to the internet, will go back and forth through the VPN.
  2. Manually add a route to the LAN subnet using VPN as gateway on the remote computer, telling it: "to reach 192.168.x.x you have to use VPN tunnel remote IP as gateway".
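Added example (not part of pukkita's post): a small longest-prefix-match lookup that reproduces the client's routing decision in the three situations above, with the constructed assumption that the Windows client's physical default gateway is 10.20.10.1 and the tunnel peer is the profile's local-address 172.16.100.1.

```python
import ipaddress

# Constructed sample from the thread: the Windows client sits on 10.20.10.0/24,
# gets an address from the 172.16.100.x pool on the L2TP tunnel, and wants to
# reach 192.168.0.0/24 behind the router.
PHYS_GW = "10.20.10.1"      # assumed physical default gateway of the client
VPN_GW = "172.16.100.1"     # PPP profile local-address from the thread


def lookup(routes, dst):
    """Longest-prefix match, as a host's routing table does it: the most
    specific prefix wins, and among equal prefixes the lowest metric wins.
    Each route is (prefix, gateway, metric)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw)
    return best[1] if best else None


def base_routes():
    # What the client has with a VPN address from a different range and no
    # extra route: 192.168.0.x matches only the physical default route, so
    # the packets never enter the tunnel and proxy-arp cannot help.
    return [("0.0.0.0/0", PHYS_GW, 25),
            ("10.20.10.0/24", "direct", 0),
            ("172.16.100.0/24", "direct", 0)]


def with_static_route():
    # Option 2: one explicit route for the LAN via the tunnel peer.
    return base_routes() + [("192.168.0.0/24", VPN_GW, 0)]


def with_remote_default_gw():
    # Option 1: "use default gateway on remote network" installs a default
    # route with a lower metric through the tunnel, so everything goes via VPN.
    return base_routes() + [("0.0.0.0/0", VPN_GW, 1)]
```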
 
eragons
just joined
Topic Author
Posts: 3
Joined: Wed Sep 06, 2017 4:17 pm

Re: L2TP server, I can't see devices in network

Wed Sep 06, 2017 5:36 pm

Thank you, your first advice works perfectly after adding masquerade for the 172.16.100.0 network for internet support.

And what if the remote client is another MikroTik? Is it possible to make it work so that devices from 192.168.0.0/24 can see devices behind another MikroTik (connected via VPN to the master MikroTik) whose network is 10.20.10.0/24, and vice versa?

Then I need to add the route from your second advice to the MikroTik (VPN client) and another route to the master MikroTik, right? Or something else?
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: L2TP server, I can't see devices in network

Wed Sep 06, 2017 11:51 pm

Using L2TP to connect two MikroTik devices and the networks behind them is totally possible. You can do it all with static routes, a dynamic protocol like BGP or static neighbors in OSPF or a mix of that and PPP routes.

For a small or simple pair of two MikroTik devices I would suggest either all static routes or static routes and PPP routes. The way PPP routes work is that when a client connects the server adds the routes defined into their routing table. This is because the client typically injects a default route back to the server. This is likely undesirable in a site to site VPN setup so the client typically turns off the add default route option and relies on a static route specific to the networks behind the MikroTik acting as the server.

Say we have 2 devices, m1 and m2. The networks behind each MikroTik router are 192.168.1.0/24 for m1 and 192.168.2.0/24 for m2. We'll use 172.16.254.0/24 for our VPN clients, carving out a /31 to use with each pair to keep things super clean. The m1 device will be the server at 172.16.254.0 and the m2 device will be the client at 172.16.254.1 under the 172.16.254.0/31 allocation, for our IPAM fanatics. Lastly, the public IP for m1 will be 1.1.1.2/30 and m2 will be 2.2.2.2/30.

For m1, configure it to be an L2TP server and setup the PPP profile and user accounts.
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=s2svpn1 default-profile=default-encryption
/ppp secret add disabled=no name=m2 password=s2svpn1 local-address=172.16.254.0 remote-address=172.16.254.1 profile=default-encryption service=l2tp routes="192.168.2.0/24 172.16.254.1"
For m2, configure it to be an L2TP client and setup a static route for 192.168.1.0/24 to 172.16.254.0/24.
/interface l2tp-client add disabled=no name=l2tp-to-m1 connect-to=1.1.1.2 user=m2 password=s2svpn1 use-ipsec=yes ipsec-secret=s2svpn1 profile=default-encryption add-default-route=no
/ip route add disabled=no dst-address=192.168.1.0/24 gateway=172.16.254.0 check-gateway=ping
 
eragons
just joined
Topic Author
Posts: 3
Joined: Wed Sep 06, 2017 4:17 pm

Re: L2TP server, I can't see devices in network

Thu Sep 07, 2017 2:48 pm

It's working, nice.
Now I want to ask: this works only when there is one client (a MikroTik). What is the best way to do it if there were, for example, 5 MikroTiks and 10 people joining the L2TP server from Windows clients to access a server in the 192.168.0.0/24 network? Should I create L2TP profiles with secrets for every MikroTik and every user, or should they share only one profile?
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: L2TP server, I can't see devices in network  [SOLVED]

Thu Sep 07, 2017 4:41 pm

If you're talking about my example above, you can either define each connection or you can assign addresses from a pool. For the remote client access (Windows VPN clients) I'd place the pool on a PPP profile and remove the routes command.

For my site to site VPNs I'd probably continue to configure them explicitly; if the number of sites were very high I'd consider leveraging a pool to simplify configuration, but I would need to lay something underneath the L2TP like a tunnel to handle routes, as I could no longer guarantee the remote address of the client. That said, my preferred site to site VPN approach has always been GRE with IPsec in transport mode. This is because it supports all 3 types of IPv4 traffic: unicast, broadcast and multicast. L2TP only supports unicast. That said, L2TP is very useful because it can be used for clients with dynamic addressing. In those situations I often look to use L2TP with IPsec and then lay an unencrypted GRE tunnel underneath; sure, it's a tunnel in a tunnel, but it gives me the highly flexible GRE tunnel to work with.
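Added example (not idlemind's code or MikroTik's): scaling the explicit m1/m2 pattern above to several sites, as the "5 MikroTiks plus Windows clients" question asks. It carves one /31 per site from 172.16.254.0/24, renders the hub-side /ppp secret with its PPP route and the site-side static route, and adds two checks a practitioner wants before deploying: that no two site LANs overlap, and that the road-warrior pool (assumed to be eragons' 172.16.100.0/24) stays clear of the site links. The password value is a placeholder.

```python
import ipaddress

# Constructed scaling of the m1/m2 example: the hub (m1) carves one /31 per
# site from 172.16.254.0/24 for site-to-site L2TP peers, and hands Windows
# road-warriors addresses from a separate PPP pool.
SITE_SUPERNET = ipaddress.ip_network("172.16.254.0/24")
CLIENT_POOL = ipaddress.ip_network("172.16.100.0/24")  # assumed road-warrior pool
PASSWORD = "<per-site-secret>"  # placeholder; use a distinct password per site


def carve_site_links(sites):
    """Give each site its own /31: the hub takes the first address, the site the second."""
    links = {}
    for site, link in zip(sites, SITE_SUPERNET.subnets(new_prefix=31)):
        links[site] = (str(link[0]), str(link[1]))
    return links


def hub_secret(site, links, site_lan):
    """Hub-side /ppp secret; the PPP route to the site LAN is installed
    in the hub's routing table when that site connects."""
    hub, peer = links[site]
    return (f"/ppp secret add name={site} password={PASSWORD} "
            f"local-address={hub} remote-address={peer} "
            f"profile=default-encryption service=l2tp "
            f'routes="{site_lan} {peer}"')


def site_route(site, links, hub_lan):
    """Site-side static route to the hub LAN via the hub's tunnel address,
    used with add-default-route=no so internet traffic stays local."""
    hub, _ = links[site]
    return f"/ip route add dst-address={hub_lan} gateway={hub} check-gateway=ping"


def overlapping_lans(lans):
    """Return pairs of site names whose LAN prefixes overlap or nest;
    routing between sites cannot work for such pairs."""
    nets = {name: ipaddress.ip_network(p) for name, p in lans.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def pool_clear_of_site_links():
    """The road-warrior pool must not collide with the /31 site links."""
    return not SITE_SUPERNET.overlaps(CLIENT_POOL)
```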
