Mikrotik
nuuser, 2016-09-20 21:58:49

Internet reservation on two Mikrotik, IPSEC tunnel. How?

Hello.
There are two offices with Mikrotik Rb951 in each. The first router has an external address of 1.1.1.1, an internal one of 10.10.10.1. The second one has 2.2.2.2 and 10.20.20.1 respectively.
Both routers have an IPSEC tunnel configured up to 3.3.3.3.
In order for users in offices to work with resources at the other end of the tunnel (30.30.30.0), both routers have corresponding rules that do not allow traffic to be “disguised”:

/ip firewall nat add chain=srcnat action=accept src-address=10.10.10.1/24 dst-address=30.30.30.0/24 log=no log-prefix=""
and
/ip firewall nat add chain=srcnat action=accept src-address=10.20.20.1/24 dst-address=30.30.30.0/24 log=no log-prefix=""
respectively.
Both routers are interconnected, traffic between subnets goes normally. There are no problems with this.
It is necessary to make it possible for both offices to keep working if the Internet is lost in either of them.
Suppose the Internet in the first office is gone. So that users in this office do not notice the lack of Internet, it is enough to add a route for all traffic (0.0.0.0) on the first router, specifying the second Mikrotik as the gateway. This works fine.
With the route indicated above, all traffic goes towards the provider. I can't figure out what to do with the traffic that should go into the tunnel. Tell me how to do it right?
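
An added example, not part of the original post: a small Python model of the second router's srcnat chain and IPsec policy lookup, showing why traffic forwarded from the first office leaves toward the provider instead of entering the tunnel. The masquerade rule, the IPsec policy selectors and the host addresses (10.x.x.5, 30.30.30.7) are assumptions; the model relies on RouterOS matching IPsec policies after srcnat.

```python
import ipaddress as ip

def net(cidr):
    # strict=False tolerates host bits, e.g. 10.20.20.1/24 as written in the post
    return ip.ip_network(cidr, strict=False)

def srcnat(rules, src, dst, wan_ip):
    """Return the source address after srcnat; the first matching rule wins."""
    for action, s, d in rules:
        if ip.ip_address(src) in net(s) and ip.ip_address(dst) in net(d):
            return wan_ip if action == "masquerade" else src
    return src

def egress(rules, policies, src, dst, wan_ip):
    """IPsec policy is matched after srcnat, on the possibly rewritten source."""
    src_after = srcnat(rules, src, dst, wan_ip)
    for s, d in policies:
        if ip.ip_address(src_after) in net(s) and ip.ip_address(dst) in net(d):
            return "tunnel"
    return "provider"  # no policy matched: packet leaves unencrypted via the WAN

# Second router (WAN 2.2.2.2). The accept rule is from the post;
# the masquerade rule and the policy selectors are assumed.
R2_RULES = [
    ("accept", "10.20.20.1/24", "30.30.30.0/24"),
    ("masquerade", "0.0.0.0/0", "0.0.0.0/0"),       # assumed
]
R2_POLICIES = [("10.20.20.0/24", "30.30.30.0/24")]  # assumed

# Hypothetical additions for the first office's subnet, to compare outcomes.
EXTRA_RULE = ("accept", "10.10.10.0/24", "30.30.30.0/24")
EXTRA_POLICY = ("10.10.10.0/24", "30.30.30.0/24")

if __name__ == "__main__":
    dst, wan = "30.30.30.7", "2.2.2.2"  # constructed sample destination
    cases = {
        "office 2 host": (R2_RULES, R2_POLICIES, "10.20.20.5"),
        "office 1 host via router 2": (R2_RULES, R2_POLICIES, "10.10.10.5"),
        "office 1 host, NAT bypass only": ([EXTRA_RULE] + R2_RULES, R2_POLICIES, "10.10.10.5"),
        "office 1 host, bypass + policy": ([EXTRA_RULE] + R2_RULES, R2_POLICIES + [EXTRA_POLICY], "10.10.10.5"),
    }
    for name, (rules, pols, src) in cases.items():
        print(f"{name}: {egress(rules, pols, src, dst, wan)}")
```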
