Are you currently in HeadOffice or are you doing it externally? It has a lot of stuff related to the route entries, since when you are using Internet WAN links it's your choice to make a default route on the edge device, which would ultimately make it globally available for tracing and other purposes, or there could be a point-to-point route.
HeadOffice - 220.127.116.11/30
Branch - 18.104.22.168/30
If the entry on HO is
ip route 22.214.171.124 255.255.255.252 126.96.36.199
You won't be able to access this device from outside, not just because it's a security issue; it's actually a connectivity thing.
If the entry says
ip route 0.0.0.0 0.0.0.0 188.8.131.52
Then you are going to get access to this device from the outside world.
So there are a lot of things to consider when you are tracing stuff. If you provide me with a larger picture I might be able to help you.
Also, is the RA VPN on demand by the user along with XAUTH, or is the RTR responsible for dialing?
I hope you are doing it legally.
It has become appallingly obvious that our technology has exceeded our humanity.
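
The routing point made in the post above, as an added example that is not part of the original post: a longest-prefix-match lookup showing whether the HO router has a return path to a given source under each of the two `ip route` entries. All addresses are constructed from RFC 5737 documentation ranges, and the function and constant names are hypothetical.

```python
import ipaddress

def parse_routes(config):
    """Parse Cisco-style 'ip route <network> <mask> <next-hop>' lines."""
    routes = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["ip", "route"]:
            continue
        # Convert the dotted mask to a prefix length by counting its 1 bits.
        prefixlen = bin(int(ipaddress.IPv4Address(parts[3]))).count("1")
        routes.append((ipaddress.ip_network(f"{parts[2]}/{prefixlen}"), parts[4]))
    return routes

def return_path(routes, connected, source):
    """Next hop the router would use to reply to `source`; None = no route."""
    ip = ipaddress.ip_address(source)
    table = routes + [(ipaddress.ip_network(n), "connected") for n in connected]
    matches = [r for r in table if ip in r[0]]
    if not matches:
        return None  # reply is dropped: unreachable from this source
    # Longest prefix wins, as on a real router.
    return max(matches, key=lambda r: r[0].prefixlen)[1]

# Constructed sample values (assumptions, not the addresses from the thread).
HO_CONNECTED = ["203.0.113.0/30"]   # HO WAN link; the ISP side is .2
SPECIFIC_ONLY = "ip route 198.51.100.4 255.255.255.252 203.0.113.2"
DEFAULT_ROUTE = "ip route 0.0.0.0 0.0.0.0 203.0.113.2"
BRANCH_PEER = "198.51.100.5"        # inside the branch /30
OUTSIDE_HOST = "192.0.2.50"         # arbitrary Internet source

def compare():
    """Return-path result per config for the branch peer and an outside host."""
    result = {}
    for name, cfg in (("specific", SPECIFIC_ONLY), ("default", DEFAULT_ROUTE)):
        routes = parse_routes(cfg)
        result[name] = {
            "branch": return_path(routes, HO_CONNECTED, BRANCH_PEER),
            "outside": return_path(routes, HO_CONNECTED, OUTSIDE_HOST),
        }
    return result

if __name__ == "__main__":
    for name, paths in compare().items():
        print(name, paths)
```

With only the /30 static route the outside host gets no return path, which is the connectivity effect the post describes; with the default route every source has one, so reachability then depends on ACLs or firewall policy rather than routing.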