I have ZyXEL ZyWALL 2 Plus from one side and MikroTik 751G-2HnD from another side. In the ZyXEL there is an option "nailed up connection". How I can create nailed up connection from MikroTik's side?

On RouterOS the IKE daemon tries to maintain valid SAs for the link. If for any reason all SAs become invalid then the appearance of traffic for the link would again cause the IKE daemon to initiate generation of a valid SA.

In practice you may find that the above arrangement meets your needs. If not, you could always use Netwatch to ensure that there is some traffic trying to use the link therefore causing IKE to generate a valid SA.

On RouterOS the IKE daemon tries to maintain valid SAs for the link. If for any reason all SAs become invalid then the appearance of traffic for the link would again cause the IKE daemon to initiate generation of a valid SA.

In practice you may find that the above arrangement meets your needs. If not, you could always use Netwatch to ensure that there is some traffic trying to use the link therefore causing IKE to generate a valid SA.

Can you give an example of a script?

If I understood correctly this feature, it tries to make and keep SAs even if there is not traffic.
Such feature will be implemented in ROS v7.
Currently you can force to generate SAs with a script (as mentioned in post above)
/ping x.x.x.x src-address=y.y.y.y
Where x.x.x.x and y.y.y.y matching addresses of ipsec policy.