Although it might be that this setup will be too advanced for my "basic-beginner" knowledge, I can try.
Easy tasks don't move us forward
1. LTE: I use a Mikrotik SXT LTE device with an integrated modem (not sure which one it is from the list above, but I don't see any DHCP client on it).
In your particular case, it is not so important that you have the PPP-based LTE modem, I'll explain why.
The questionnaire was there to find out which of the two uplinks possibly has a changing gateway IP address, because we need three categories of routes on the WAN side - one for the transport packets of each of the two tunnels and one for the actual traffic which uses the tunnels as gateways. And if the gateway IPs were changing at both uplinks, it would require scripting to update the gateway of any route except the default one in the default routing table, which the DHCP client updates automatically. However, only the manually added DHCP client allows you to attach a script triggered at each address renewal (or initial assignment, or rejection), whereas the one added automatically by the LTE subsystem doesn't have such a feature, so the script watching for gateway changes must be triggered by a scheduler.
In your case, given that you use a separate Mikrotik device for the LTE connection and that the ADSL uses PPPoE, both gateways are static - in case of PPPoE it is the interface name, and in case of LTE it would be the IP address of the SXT-LTE in the interconnection subnet if it was used as a mere "LTE to Ethernet converter". So no need for route updating scripts at all.
Even better than that, as you have two separate Mikrotik machines, you don't need to use policy routing to bind each VPN tunnel to another WAN, so you can use L2TP which is among the simplest ones for configuration. Plus, as the data running through the tunnels will be those which would have normally gone directly through the internet, at least for the proof of concept stage you don't even need to bother about IPsec - the only reason to use IPsec would be the relative weakness of the encryption of the L2TP authentication as compared to IPsec encryption.
So follow the example on the wiki and create one L2TP user on the remote Mikrotik for each of the two local ones, just don't add any routes into the /ppp profile at any end. Choose the remote-address and local-address in the /ppp profile at the "remote Mikrotik" not to collide with any of the subnets at any of your two sites (four /32 addresses in total). But before enabling the /interface l2tp-client on the client machines,
- add a route with dst-address=ip.of.remote.mikrotik at each machine, with gateway set to the interface name of the pppoe client on the 2011 and of the LTE interface on the SXT-LTE. This will ensure that once you replace the default route by one pointing to the L2TP tunnel, the transport packets of the tunnel will continue using the "almost physical" WAN interface (PPPoE or LTE). Once done, you can set add-default-route in /interface pppoe-client and /interface lte apn settings to no, and manually add a default route at the SXT-LTE via the L2TP tunnel (/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1), and a default route at the 2011 via the SXT-LTE (/ip route add dst-address=0.0.0.0/0 gateway=ip.of.sxt-lte.on.interconnecting.subnet).
- add the following firewall rule at the 2011:
/ip firewall nat add chain=srcnat action=src-nat to-addresses=the.l2tp.ip.of.2011 out-interface=the-ethernet-looking-towards-sxt-lte
Now enable the L2TP clients; the above should be sufficient for everything to work.
I recommend that you draw it before you start implementing it, and that you check your existing firewall rules for possible collisions.
Once this minimalistic setup satisfies your expectations regarding the concept, you can think about implementing the failovers to make it tolerant against link outages. It will require adding just a few more routes.
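The steps above, gathered into one RouterOS configuration for all three routers, as an added example that is not from the post, the wiki, or Mikrotik's documentation. Everything concrete in it is an assumption chosen for illustration: the hub's public address 203.0.113.10 (a documentation-range placeholder), the four tunnel /32s taken from 10.255.255.0/29, the interconnect subnet 192.168.100.0/24 with the SXT-LTE at .1, the interface names lte1, pppoe-out1, ether5-to-sxt and ether1-wan, and the passwords. The src-nat rule on the hub's WAN is also an assumption the post does not spell out; it is what lets replies to the tunnel addresses reach the internet and come back.

```routeros
# === Remote ("hub") Mikrotik: L2TP server, one user per local router ===
# Tunnel /32s are constructed placeholders; pick ones that collide with
# nothing at either site (four addresses in total, as the post says).
# One profile per user so each user gets its own local/remote pair;
# no routes are added in the profiles, as the post requires.
/ppp profile
add name=l2tp-from-sxt  local-address=10.255.255.1 remote-address=10.255.255.2
add name=l2tp-from-2011 local-address=10.255.255.5 remote-address=10.255.255.6
/ppp secret
add name=sxt-lte password=CHANGE_ME service=l2tp profile=l2tp-from-sxt
add name=rb2011  password=CHANGE_ME service=l2tp profile=l2tp-from-2011
# Plain L2TP for the proof of concept, as suggested in the post; the IPsec
# switch (use-ipsec=yes ipsec-secret=...) can be turned on here later.
/interface l2tp-server server
set enabled=yes use-ipsec=no
# Assumed, not in the post: hub WAN interface ether1-wan; tunnel clients are
# masqueraded so their traffic can leave towards the internet from the hub.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.255.255.0/29 out-interface=ether1-wan

# === SXT-LTE (client A, LTE uplink) ===
# Stop the LTE subsystem from installing its own default route.
/interface lte apn
set [find] add-default-route=no
# Transport route: the tunnel's own packets keep using the LTE interface,
# so they survive the default route being moved into the tunnel.
/ip route
add dst-address=203.0.113.10/32 gateway=lte1
/interface l2tp-client
add name=l2tp-out1 connect-to=203.0.113.10 user=sxt-lte password=CHANGE_ME disabled=no
# Default route via the L2TP tunnel, exactly as in the post.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1

# === RB2011 (client B, ADSL/PPPoE uplink) ===
/interface pppoe-client
set pppoe-out1 add-default-route=no
# Transport route for the second tunnel via the PPPoE interface name.
/ip route
add dst-address=203.0.113.10/32 gateway=pppoe-out1
/interface l2tp-client
add name=l2tp-out1 connect-to=203.0.113.10 user=rb2011 password=CHANGE_ME disabled=no
# Default route goes to the SXT-LTE over the interconnect subnet (assumed .1),
# not into the 2011's own tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1
# Traffic handed to the SXT-LTE carries the 2011's L2TP address as source, so
# the hub sends replies back through the 2011's tunnel (PPPoE side).
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=10.255.255.6 out-interface=ether5-to-sxt
```

Apply the hub part first, then the two transport routes and add-default-route=no on the clients, and only then enable the l2tp-client entries and swap the default routes, in that order; checking /ip route print and /interface l2tp-client monitor l2tp-out1 once on each client tells you whether the transport route is actually being used before any production traffic depends on the tunnels.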