Okay, I'm back to this problem and can't seem to make anything work, except for setting static routes to the destination.
An overview of what I'm trying to accomplish:
Basically it's a Mikrotik with dual gateways, using ECMP and allowing L2TP/PPTP connections from outside. The tunnel drops and reconnects every time ECMP gives the tunnel endpoint a different route. The replies from Mikrotik to the L2TP client come from the alternate gateway address, therefore breaking the security and tearing down the tunnel. I believe this happens for L2TP/IPsec solely because UDP/1701 is not connection-tracked for very long, therefore the connection table times out and takes the next gateway choice. PPTP might not have this problem because it's TCP/GRE and in the table longer.
It would be best to tell clients to use 10.30.1.1 as their tunnel endpoint so that they get the redundancy of both connections coming in. I want the response packets to come from 10.30.1.1 but go out either gateway. Simple NAT usually takes care of this, however since MT is generating the tunnel and you can't NAT output I can't accomplish this. Who knows if that option would even work.
How can I tell Mikrotik to bind its PPP/L2TP/PPTP server to a specific IP so that I can force it to use a single IP? I can't be entering static routes for a single gateway for each remote destination, especially if they are dynamic addresses.
The SOLUTION is to force RouterOS to use the same source IP throughout the tunnel lifetime... not sure how easy that is to implement though.
Thx all
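One way to pin the router's own replies to the gateway a tunnel arrived on, added here as an illustration and not taken from the original post: mark each inbound connection on ingress, then give the router-generated packets of that connection a routing mark. RouterOS v6 syntax; the interface names ether1/ether2, the WAN1 gateway 10.30.1.254 and the WAN2 gateway placeholder are assumptions, while 10.30.1.1 is the endpoint address from the post.

```routeros
# Added example, not from the original post. Assumes RouterOS v6 CLI,
# WAN1 on ether1 (gateway 10.30.1.254, assumed) and WAN2 on ether2
# (gateway <WAN2-GATEWAY>, placeholder). Clients are told to use 10.30.1.1.

/ip firewall mangle
# Remember which WAN a new inbound L2TP/IPsec or PPTP session arrived on.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes \
    comment="inbound via WAN1"
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes \
    comment="inbound via WAN2"
# Packets the router generates itself (output chain) for a marked
# connection get a routing mark, so ECMP is bypassed for that flow.
add chain=output connection-mark=wan1_conn action=mark-routing \
    new-routing-mark=via_wan1 passthrough=no
add chain=output connection-mark=wan2_conn action=mark-routing \
    new-routing-mark=via_wan2 passthrough=no

/ip route
# Per-mark default routes; the existing unmarked ECMP default stays in place.
add dst-address=0.0.0.0/0 gateway=10.30.1.254 routing-mark=via_wan1
add dst-address=0.0.0.0/0 gateway=<WAN2-GATEWAY> routing-mark=via_wan2

/ip firewall connection tracking
# The marks live only as long as the conntrack entry; lengthen the UDP
# timeouts so an idle UDP/1701 or UDP/4500 flow keeps its mark
# (defaults are 10s and 3m).
set udp-timeout=30s udp-stream-timeout=10m
```

The marks are attached to the conntrack entry, so a session that was already up before the rules were added is not steered until it re-establishes. On RouterOS v7 the route parameter is routing-table instead of routing-mark and each table must first be created under /routing table.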