How to access different subnets over the VPN?

Hello!
There is an organisation with four branches (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24). Site-to-site IPsec is configured between the branches; every branch can reach every other one and that part works properly.
When I connect to the VPN as a remote client I can only see the central branch, 192.168.1.0/24; the other subnets are unreachable. If I tick "Use default gateway on remote network" in the VPN connection's properties it works, but I do not want all of the client's traffic to be routed through the remote branch :)
What is the missing piece that would make everything work without that checkbox?

Example config (central branch, RouterOS export; the WAN addresses and IPsec secrets have been replaced with placeholders):

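# RouterOS export of the central branch router (192.168.1.0/24), annotated.
# Placeholder values: 8.8.8.x stands for the WAN address/gateway and
# 3.3.3.3 / 4.4.4.4 / 5.5.5.5 for the remote branch WAN addresses;
# IPsec secrets are redacted as "----".
/interface bridge
# proxy-arp on the bridge is what lets PPP (VPN) clients, which receive a
# 192.168.1.x address from the pool below, be reached by hosts on the LAN.
add arp=proxy-arp name=bridge_lan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=LAN
set ether3 comment=LAN
set ether4 comment=LAN
set ether5 comment=LAN
/interface wireless security-profiles
# NOTE(review): TKIP is still allowed in both cipher lists and the PSK shown
# here is 12345678. If that is not merely a placeholder, use
# unicast-ciphers=aes-ccm group-ciphers=aes-ccm, wpa2-psk only, and a long
# random key - and never paste a real PSK into a public forum.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=expert \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
12345678 wpa2-pre-shared-key=12345678
/interface wireless
# ssid= is empty in the export (presumably removed before posting).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no l2mtu=1600 mode=ap-bridge security-profile=expert ssid=
/ip ipsec proposal
# The default proposal (the one the road-warrior L2TP/IPsec peer ends up
# using) still offers 3DES; drop it once no client depends on it.
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc,aes-256-ctr
# One AES-256 proposal per remote branch, named after the branch WAN address.
add enc-algorithms=aes-256-cbc lifetime=8h name=3.3.3.3
add enc-algorithms=aes-256-cbc lifetime=8h name=4.4.4.4
add enc-algorithms=aes-256-cbc lifetime=8h name=5.5.5.5
/ip pool
# This pool is shared by the LAN DHCP server and the PPP profile, so VPN
# clients are addressed out of the LAN subnet itself.
add name=192.168.1.0/24 ranges=192.168.1.64-192.168.1.168
/ip dhcp-server
add address-pool=192.168.1.0/24 disabled=no interface=bridge_lan lease-time=\
3d name=192.168.1.0/24
/ppp profile
# remote-address refers to the pool above: every VPN client gets a
# 192.168.1.x address and therefore already matches the src-address of the
# IPsec policies and of the srcnat exceptions further down. On the router
# side nothing more is needed to reach the other branches; what is missing
# is routes on the CLIENT for 192.168.2-4.0/24 (a Windows client without
# "use default gateway on remote network" presumably only routes
# 192.168.1.0/24 through the tunnel).
set *0 local-address=192.168.1.1 remote-address=192.168.1.0/24
/interface bridge port
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=wlan1
/interface pptp-server server
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is considered broken. An L2TP/IPsec
# road-warrior peer is configured below, so this server could be disabled
# once the clients have been moved over.
set default-profile=default enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge_lan network=192.168.1.0
add address=8.8.8.8/30 interface=ether1 network=8.8.8.6
/ip dhcp-client
# A DHCP client on the same WAN interface as the static address above; its
# default route (distance 0) takes precedence over the static default route
# at the end of this export (distance 1).
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.89.128.5,81.1.192.5 gateway=\
192.168.1.1 netmask=24
/ip firewall filter
# RouterOS filter rules default to action=accept; it is spelled out here so
# the intent is visible. Per branch: IKE/ESP from the peer's WAN address on
# input/output, and the branch subnet in both directions on forward.
add action=accept chain=input comment=to_192.168.2.0/24 src-address=3.3.3.3
# (the original export had dst-address=.3.3.3.3 - the leading dot is not a
# valid address and the line would be rejected on import)
add action=accept chain=output comment=to_192.168.2.0/24 dst-address=3.3.3.3
add action=accept chain=forward comment=to_192.168.2.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment=to_192.168.2.0/24 dst-address=192.168.2.0/24
add action=accept chain=input comment=to_192.168.3.0/24 src-address=4.4.4.4
add action=accept chain=output comment=to_192.168.3.0/24 dst-address=4.4.4.4
add action=accept chain=forward comment=to_192.168.3.0/24 src-address=192.168.3.0/24
add action=accept chain=forward comment=to_192.168.3.0/24 dst-address=192.168.3.0/24
add action=accept chain=input comment=to_192.168.4.0/24 src-address=5.5.5.5
add action=accept chain=output comment=to_192.168.4.0/24 dst-address=5.5.5.5
add action=accept chain=forward comment=to_192.168.4.0/24 src-address=192.168.4.0/24
add action=accept chain=forward comment=to_192.168.4.0/24 dst-address=192.168.4.0/24
# L2TP (1701), IKE (500) and NAT-T (4500) plus ESP, from anywhere.
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# NOTE(review): the input chain ends with accept rules and has no drop, so
# with the built-in default-accept every service on the router (winbox, ssh,
# www, api, ...) is reachable from the WAN. Unless this export was trimmed
# before posting, add an established/related accept at the top of the
# chain and finish it with
#   add action=drop chain=input in-interface=ether1
# after also accepting tcp/1723 and protocol=gre if PPTP is kept.
/ip firewall mangle
# Clamp the TCP MSS so tunnelled traffic does not hit fragmentation.
add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=syn \
tcp-mss=1381-65535
/ip firewall nat
# LAN-to-branch traffic must NOT be masqueraded, otherwise it would no
# longer match the IPsec policies (src-address=192.168.1.0/24). These
# accept rules therefore have to stay above the masquerade rule.
add action=accept chain=srcnat comment=to_192.168.2.0/24 dst-address=192.168.2.0/24 \
src-address=192.168.1.0/24
add action=accept chain=srcnat comment=to_192.168.3.0/24 dst-address=192.168.3.0/24 \
src-address=192.168.1.0/24
add action=accept chain=srcnat comment=to_192.168.4.0/24 dst-address=192.168.4.0/24 \
src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
# Road-warrior L2TP/IPsec peer: no address (matches any), responder only,
# policy generated from the client's source port. Still offers 3DES for IKE.
add enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp \
generate-policy=port-override passive=yes secret=--------
# Site-to-site peers, one per branch WAN address.
# NOTE(review): IKE integrity is MD5 on all three; move to SHA-1 at least,
# preferably SHA-256 (the setting must match on the remote routers).
add address=3.3.3.3/32 enc-algorithm=aes-128 hash-algorithm=md5 \
nat-traversal=no secret=----------
add address=4.4.4.4/32 enc-algorithm=aes-128 hash-algorithm=md5 \
nat-traversal=no secret=----------
add address=5.5.5.5/32 enc-algorithm=aes-128 hash-algorithm=md5 \
nat-traversal=no secret=----------
/ip ipsec policy
# Tunnel-mode policies: the whole LAN (VPN clients included, since they are
# addressed from it) <-> each branch subnet.
add dst-address=192.168.2.0/24 proposal=3.3.3.3 sa-dst-address=\
3.3.3.3 sa-src-address=8.8.8.8 src-address=192.168.1.0/24 \
tunnel=yes
add dst-address=192.168.3.0/24 proposal=4.4.4.4 sa-dst-address=\
4.4.4.4 sa-src-address=8.8.8.8 src-address=192.168.1.0/24 \
tunnel=yes
add dst-address=192.168.4.0/24 proposal=5.5.5.5 sa-dst-address=\
5.5.5.5 sa-src-address=8.8.8.8 src-address=192.168.1.0/24 \
tunnel=yes
/ip route
# Static default route; see the dhcp-client note above about precedence.
add distance=1 gateway=8.8.8.7
/ppp secret
# NOTE(review): the only VPN account is "admin" and its password field is
# empty in the export. If that is not just redaction, set a strong, unique
# password here and do not reuse the router's own admin credentials.
add name=admin password=
/system clock
set time-zone-name=Asia
/system leds
set 0 interface=wlan1
/system routerboard settings
set protected-routerboot=disabled
/tool romon port
add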
If I understand correctly, you have brought the VPN up but have not set up routing on the client side? Try adding a route for 192.168.0.0/21 via gateway 192.168.1.1 on the client (that /21 covers 192.168.0.0–192.168.7.255, i.e. all four branch subnets).
That changes nothing... As an alternative, would it be worth using a separate subnet dedicated to VPN clients? - alysha_Becker36 commented on July 2nd 19 at 17:39
"you should put a tick in properties of the VPN gateway to use a remote branch, it works" - all that checkbox does is add a default route through the VPN; it makes no difference whether routes are assigned dynamically or statically, so if it works with the checkbox it will work with a static route. Add the necessary route to the routing table on the VPN client. It seems we are talking about Windows; in a command prompt running with administrator privileges enter:
route add 192.168.0.0 mask 255.255.248.0 192.168.1.1
To make the route survive a reboot add the -p switch: route -p add 192.168.0.0 mask 255.255.248.0 192.168.1.1. This gives you a split tunnel: only 192.168.0.0/21 is sent through the VPN and all other traffic keeps using the client's local gateway, which is what you asked for. One caveat: the VPN pool is carved out of 192.168.1.0/24, so if a client's own home or office LAN also uses 192.168.1.0/24 the gateway 192.168.1.1 is ambiguous; in that case add the route with an explicit interface (route add ... IF <index of the VPN adapter>) or move the VPN pool to a subnet of its own, as suggested above.

If it still does not work, temporarily tick "Use default gateway on remote network", select the VPN connection, look in the routing table to see which gateway the new dynamic default route uses, and put that gateway into the static route. You might be using a separate subnet for VPN addressing, although judging by your configuration (the PPP profile hands out addresses from the 192.168.1.0/24 pool) the gateway is 192.168.1.1 - helga80 commented on July 2nd 19 at 17:42
: Probably yes, this is the only workable solution... I think the topic can be closed! - alysha_Becker36 commented on July 2nd 19 at 17:45
As I understand it, branch X sees the office, branch Y also sees the office, traffic between the two branches goes via the office, and you want them to talk to each other directly?
There is a proprietary Cisco technology for exactly that, DMVPN, though I don't know whether MikroTik offers anything comparable.
Not quite ) when I am connected to the VPN as a client I only see the subnet I connected to, and I need to see all of the subnets. - alysha_Becker36 commented on July 2nd 19 at 17:41
The workaround I see is this:
serverfault.com/questions/574121/is-it-possible-fo...

Otherwise you will have to add routes to all the subnets manually on your computer.
