Are you currently in HeadOffice or you are doing it externally ? It has a lot of stuff related to the route entries since when you are using Internet WAN links its your choice to make a default route on the edge device which would ultimately make it globally available for tracing and other purposes or there could be a point to point route .
HeadOffice - 22.214.171.124/30
Branch - 126.96.36.199/30
If the entries on HO is
ip route 188.8.131.52 255.255.255.252 184.108.40.206
You wont be able to access this device from outside not just because its a security issue , its actually connectivity thing .
If the entry says
ip route 0.0.0.0 0.0.0.0 220.127.116.11
Then you are gona get access to this device from outside world .
So there are a lot of things to consider when you are tracing stuff . If you provide me with a larger picture I might be able to help you .
Also is the RA VPN on demand by user along with XAUTH or the RTR is responsible for dialing ?
I hope you are doing it legally .
It has become appallingly obvious that our technology has exceeded our humanity.