grozni
just joined
Topic Author
Posts: 7
Joined: Mon Mar 23, 2009 12:05 pm

L2tp/ipsec server/client and side2side

Fri Jun 25, 2021 2:48 pm

I have two MikroTiks behind NAT, both CHRs on the latest 6.48.3 firmware, and two different subnets on both ends. I created a site-to-site VPN between them following the official guide:

https://wiki.mikrotik.com/wiki/Manual:I ... sec_tunnel

Mikrotik A - 10.91.22.56/24

Mikrotik B - 10.101.0.251/24


Traffic goes fine, both routers can see each other and the different hosts in the remote subnets. Basic routing/NAT applied:
 
 0    chain=srcnat action=accept src-address=10.91.22.0/24 
      dst-address=10.101.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade log=no log-prefix="" 
Same but different dst-address on Mikrotik B.

After this I fired up the L2TP server on Mikrotik A and applied the subnet 10.99.99.2-254 for L2TP clients.
I tried a client connection from Ubuntu using NM and the L2TP profile there. I added the necessary login data and it worked like a charm with the default options, which route the whole traffic through the VPN.
I don't want all traffic to go through the VPN, so I check "Use this connection only for resources on its network". This is the desired client scenario, but in this case I can't reach any of the subnets.
If I manually add routes with the MikroTik as GW on the client side, all works again as expected and I can reach both subnets. I need help on the following:

1. In case the client is set to not send all traffic through the tunnel, how can I add routes once the connection is established, other than manually?
Can this part somehow be delivered once the client connection is established, or on the MikroTik side using mangle rules for traffic coming from the VPN pool 10.99.99.0.0?

2. I chose the L2TP server since it's compatible with all major clients (Windows, Linux, OSX, Android); maybe I should just choose some other option for clients in my case.
What is important is that the clients can reach both subnets once connected, using L2TP or any other protocol, while avoiding routing the whole traffic and adding static routes on the client.
I want the MikroTik to also route VPN clients towards both subnets. Some examples for my case would be much appreciated.

3. What do I need to add so that hosts behind each subnet can communicate with each other? For now communication works from both MikroTiks: they can reach both subnets and the hosts behind them, but hosts other than the MikroTiks can't communicate with each other. I tried adding a static route with the MikroTik as GW, but no luck.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2tp/ipsec server/client and side2side

Sun Jun 27, 2021 7:46 pm

1., 2.: the only VPN protocol for which RouterOS currently supports pushing routes to the client is bare IKEv2. The native VPN client of Windows supports the same mechanism (Option 249 via DHCPINFORM) also in L2TP, but RouterOS doesn't. But pushing routes to iOS and strongSwan is restricted to a single subnet (and it uses a different mechanism than for Windows: traffic selector narrowing), and it seems that the newer Android versions, which natively support IKEv2, have the same limitation.

3. is just another consequence of 1. and 2.

So all in all there is no universal solution, and as far as I understand, none at all for Android.
 
grozni
just joined
Topic Author
Posts: 7
Joined: Mon Mar 23, 2009 12:05 pm

Re: L2tp/ipsec server/client and side2side

Mon Jun 28, 2021 12:28 pm

Thanks for clarifying. I can switch to IKEv2. What do you mean by pure in this case?
Also, in the case of IKEv2, what can I do about routing and using the MikroTik as GW?
Can you point to some examples?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2tp/ipsec server/client and side2side

Tue Jun 29, 2021 10:27 pm

By "bare" I mean it is not "some other tunneling protocol over IPsec" but just "the payload over IPsec".

On Windows, the traffic selector negotiated is 0.0.0.0/0 <=> individual.ip.assigned.to.windows, but Windows only actually uses the IPsec connection for traffic towards destination prefixes received via DHCP Option 249.

On iOS, strongSwan etc., the initiator asks for 0.0.0.0/0 <=> individual.ip.assigned.to.initiator, but the responder (RouterOS) narrows that down to one of the split-include subnets. Whereas another MikroTik keeps asking for 0.0.0.0/0 <=> individual.ip.assigned.to.initiator until it gets a rejection, so as many policies get created as there are subnets in the split-include list, iOS, strongSwan etc. give up after the first response, so only a policy for the first subnet in the split-include list is established.
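As an added illustration of the split-include mechanism described in the replies above (example configuration, not posted by either participant), this is a minimal IKEv2 responder on Mikrotik A that assigns road-warrior clients an address from the thread's 10.99.99.x range and offers both site subnets as split-include networks. The object names (ike2-*, rw-pool), the cipher choices and the pre-shared key are assumptions; the caveat from the reply above applies, so an iOS or strongSwan client will only establish a policy for the first entry in the list.

```routeros
# Assumed names throughout; the secret is a placeholder to be replaced.
/ip pool
add name=rw-pool ranges=10.99.99.2-10.99.99.254

/ip ipsec mode-config
# split-include is what RouterOS offers the client as traffic selectors.
# Per the thread: Windows takes all entries (via DHCP Option 249),
# iOS/strongSwan keep only the FIRST entry, so order the list deliberately.
add name=ike2-cfg address-pool=rw-pool address-prefix-length=32 \
    split-include=10.91.22.0/24,10.101.0.0/24 system-dns=no

/ip ipsec policy group
add name=ike2-group

/ip ipsec profile
add name=ike2-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

/ip ipsec proposal
add name=ike2-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none

/ip ipsec peer
# passive=yes: this side is the responder and never initiates.
add name=ike2-peer exchange-mode=ike2 passive=yes profile=ike2-profile

/ip ipsec identity
# generate-policy=port-strict creates a per-client policy from the template
# below, narrowed to what the client and split-include agree on.
add peer=ike2-peer auth-method=pre-shared-key secret="CHANGE-ME-PLACEHOLDER" \
    generate-policy=port-strict mode-config=ike2-cfg policy-template-group=ike2-group

/ip ipsec policy
add group=ike2-group template=yes src-address=0.0.0.0/0 dst-address=10.99.99.0/24 \
    proposal=ike2-proposal

/ip firewall nat
# Same pattern as the thread's site-to-site accept rule: keep client traffic
# towards the LAN out of the catch-all masquerade, placed above it.
add chain=srcnat action=accept src-address=10.99.99.0/24 dst-address=10.91.22.0/24 \
    place-before=0
```

Reaching site B through A is a separate matter: the existing site-to-site policy selects only 10.91.22.0/24 <=> 10.101.0.0/24, so packets sourced from 10.99.99.0/24 will not match it unless both sites' policies are extended to cover the client pool as well.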
