Hello, long-time watcher, first-time post: FortiGate to MikroTik

Hello

So atm I have an IPsec tunnel between my home and my friend’s home, MikroTik here, FortiGate there.

atm my config looks like this:

Flags: T - TEMPLATE; A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
#     PEER        TUNNEL  SRC-ADDRESS       DST-ADDRESS  PROTOCOL  ACTION   LEVEL    PH2-COUNT
0 T *                     ::/0              ::/0         all                                  
1  A  to-rotorua  yes     192.168.19.0/24   10.0.0.0/24  all       encrypt  require          1
2  A  to-rotorua  yes     192.168.200.0/24  10.0.0.0/24  all       encrypt  require          1
3  A  to-rotorua  yes     192.168.20.0/27   10.0.0.0/24  all       encrypt  require          1
4  A  to-rotorua  yes     10.8.0.0/24       10.0.0.0/24  all       encrypt  require          1

I have VLANs at home for some little NUCs:
Wi-Fi VLAN
servers VLAN
MGMT VLAN

Then my MikroTik config below.

At my friend’s house, I have an IBM server and VMs just on the 10.0.0.0/24 subnet, no VLANs.

The FortiGate config below.

Now, this works: I can ping end-to-end from the hosts and whatnot, but the routers can’t ping each other unless I pick a source address to ping from.

But I would like to make this better: I would like to be able to have all subnets at both sites.
I don’t think this is possible with the IPsec tunnel, as it says “to get here, come through us”.

But I have been learning about GRE tunnels, and Junos has the option to do layer 2 tunnels, so my question is: is this a better way to do it, having my IPsec tunnel and then the GRE tunnel going on top of it?

I am open to any ideas; I’m just using this as a way to learn how it all works.

The end goal is to have my MikroTik router be the source of everything and have the devices in Rotorua talk to the MikroTik for DHCP leases and everything, forwarding all their traffic that way.

I just want to learn and know the best way to set this up.

Thanks for any help,
Alex
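An added example (not part of Alex’s post or either router’s config) that reproduces the policy-selector behaviour described above: a packet only enters a policy-based IPsec tunnel when its source and destination both fall inside one of the configured selector pairs, which is why the router itself can only ping the far side when it sources from a covered subnet, and why every extra subnet on either side needs another selector pair. The WAN address 203.0.113.1 and the extra remote subnet 10.0.1.0/24 are constructed placeholders.

```python
import ipaddress
from itertools import product

# Selector pairs copied from the `/ip ipsec policy print` output in the post.
# A RouterOS policy covers src->dst on the way out and dst->src on the way in,
# so one entry per subnet pair is enough.
POLICIES = [
    ("192.168.19.0/24", "10.0.0.0/24"),
    ("192.168.200.0/24", "10.0.0.0/24"),
    ("192.168.20.0/27", "10.0.0.0/24"),
    ("10.8.0.0/24", "10.0.0.0/24"),
]


def matching_policy(src, dst, policies=POLICIES):
    """Return the selector pair covering src->dst (either direction), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a, b in policies:
        net_a, net_b = ipaddress.ip_network(a), ipaddress.ip_network(b)
        if (s in net_a and d in net_b) or (s in net_b and d in net_a):
            return (a, b)
    return None


def missing_selectors(local_nets, remote_nets, policies=POLICIES):
    """Subnet pairs with no policy: traffic between them follows normal
    routing instead of the tunnel, so each pair needs its own selector."""
    have = {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in policies}
    missing = []
    for l, r in product(local_nets, remote_nets):
        pair = (ipaddress.ip_network(l), ipaddress.ip_network(r))
        if pair not in have and pair[::-1] not in have:
            missing.append((l, r))
    return missing


if __name__ == "__main__":
    # A host-to-host ping is covered by the first policy...
    print(matching_policy("192.168.19.10", "10.0.0.5"))
    # ...but the router pinging from its WAN address (constructed) is not.
    print(matching_policy("203.0.113.1", "10.0.0.1"))
    # One hypothetical extra remote subnet needs four more selector pairs.
    local = [a for a, _ in POLICIES]
    print(missing_selectors(local, ["10.0.0.0/24", "10.0.1.0/24"]))
```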

I rarely use a MikroTik, but in general, if you span a broadcast domain across a VPN it’s a bad idea and does not work well.