mdd
newbie
Topic Author
Posts: 49
Joined: Mon Oct 02, 2017 4:25 pm
Location: Klaipeda, Lithuania

IPSEC multiple policy with p2p

Thu Jan 23, 2025 11:24 am

Hi, just wondering, as I see it works, but I need to be clear on this:
I have a P2P IPsec connection and added 3 policies from one subnet to different subnets (in pic), and PH2 is all established over the same P2P IPsec tunnel and it works.
I did not find any information on whether I can use it like that. I tried to find it in the official manual (maybe I did not see it :( ), but there is no explanation of whether I can use it like that. Every example is one subnet to one subnet and that's it. Can someone explain a little about it?

A
/ip ipsec policy
add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any tunnel=yes action=encrypt proposal=ike1-site2 peer=ike1-site2

B
/ip ipsec policy
add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any tunnel=yes action=encrypt proposal=ike1-site1 peer=ike1-site1
 
sindy
Forum Guru
Posts: 11274
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC multiple policy with p2p

Thu Jan 23, 2025 1:31 pm

You would find more details in the IPsec RFCs, but this is by design. IPsec is different from all other VPN protocols in the sense that it was originally intended to work on top of regular routing and take any traffic it likes. The tool to choose said traffic is a "traffic selector" whose match fields are similar to those of other types of packet match lists - IP protocol (ICMP, TCP, UDP, ...), source and destination addresses and, where applicable, ports; what is unique is that these match lists are negotiated between the peers, and they must match for the Security Associations used to deliver the traffic chosen by the match lists to even establish. The traffic selectors are also used as filters of incoming traffic - packets that match a traffic selector but did not come in via the SA associated with that traffic selector are silently dropped.

So you can view it as routing and traffic filtering integrated in a single configuration. For simple topologies, it is an elegant solution; but already for moderately complicated ones, it is an unmanageable nightmare, and it is better to use IPsec to encrypt the transport packets of a more traditional tunnel and use normal routing to send the desired traffic to that tunnel.
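To make the selector behaviour described above concrete, here is an added Python model (not from the thread or from RouterOS) of the site A policy table with three policies toward the same peer, each with its own phase 2 SA. The two extra remote subnets and the SA names are constructed; the model shows the outbound SPD lookup and the inbound rule that a packet matching a selector is accepted only on that selector's SA.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One traffic selector: src/dst subnets, the peer, and the PH2 SA it negotiated."""
    src: str
    dst: str
    peer: str
    sa: str  # constructed SA identifier; each policy gets its own phase 2 SA


# Constructed policy table for site A: the first entry is from the post,
# the other two are hypothetical extra subnets behind the same peer.
POLICIES = [
    Policy("10.1.202.0/24", "10.1.101.0/24", "ike1-site2", "sa-101"),
    Policy("10.1.202.0/24", "10.1.102.0/24", "ike1-site2", "sa-102"),
    Policy("10.1.202.0/24", "10.1.103.0/24", "ike1-site2", "sa-103"),
]


def _match(policy: Policy, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(policy.src)
            and ip_address(dst) in ip_network(policy.dst))


def outbound_sa(src: str, dst: str):
    """SPD lookup for a locally routed packet: first matching selector wins.
    Returns (peer, sa) that will encrypt it, or None if it leaves in the clear."""
    for p in POLICIES:
        if _match(p, src, dst):
            return p.peer, p.sa
    return None


def inbound_accept(arrived_via_sa, src: str, dst: str) -> bool:
    """Inbound filter: a packet matching a selector is accepted only if it was
    decapsulated from that selector's SA. arrived_via_sa is None for clear-text."""
    for p in POLICIES:
        # Selectors are written from our side, so swap src/dst for inbound.
        if _match(p, dst, src):
            return arrived_via_sa == p.sa
    # No selector covers it: clear-text passes to routing, but an SA must not
    # deliver traffic outside its negotiated selector.
    return arrived_via_sa is None
```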
 
mdd
newbie
Topic Author
Posts: 49
Joined: Mon Oct 02, 2017 4:25 pm
Location: Klaipeda, Lithuania

Re: IPSEC multiple policy with p2p

Thu Jan 23, 2025 2:58 pm

Hi Sindy,

From my tests, that is what I was thinking about these policies - they are like "traffic selectors or markers".
Also, if I use a /32 mask on both ends, it will be a pretty tight P2P between hosts, as I guess (no outside access to other IP addresses).
As for the last part of the question, as far as I understand we can use it like this, but when complexity comes into play we need to do something SVI-like with IPsec and route traffic to/out of those interfaces?
 
sindy
Forum Guru
Posts: 11274
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC multiple policy with p2p

Thu Jan 23, 2025 6:43 pm

when complexity comes into play we need to do something SVI-like with IPsec and route traffic to/out of those interfaces?
No idea what you mean by SVI, but for years Mikrotik has refused to implement a virtual tunnel interface for IPsec and sticks with this standard traffic selector approach. When connecting two Mikrotiks, an IPsec-encrypted IPIP tunnel is a tiny bit more complicated to configure than a VTI, but the size of the transport packets is the same; however, the encapsulation format is not compatible between the two, so you cannot connect a Mikrotik device e.g. to the Azure cloud this way and you have to use complicated constructs where the traffic selector for Azure is 0.0.0.0/0 <-> 0.0.0.0/0 and there is a ton of exception traffic selectors before it. Which disqualifies Mikrotik for some applications.
 
Larsa
Forum Guru
Posts: 1646
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: IPSEC multiple policy with p2p

Thu Jan 23, 2025 8:01 pm

@mdd: Do you mean SVI (Switched Virtual Interface) as a VLAN interface?

Regarding IPsec’s built-in "traffic selectors", I agree with Sindy; it can easily become an overcomplicated mess and is better handled using routing or other filtering mechanisms.
 
mdd
newbie
Topic Author
Posts: 49
Joined: Mon Oct 02, 2017 4:25 pm
Location: Klaipeda, Lithuania

Re: IPSEC multiple policy with p2p

Fri Jan 24, 2025 1:29 pm

@larsa Yes, sorry, VTI; I mixed it up with switching. Likewise, Cisco has it and traffic can be routed through it.
Also, I am just wondering what the better solution would be if we still need to have IPsec () and have the option to route any network we need? As L2TP + IPsec is old. IPIP?