himvas
newbie
Topic Author
Posts: 28
Joined: Fri Apr 15, 2016 9:26 am

IPSEC+tunnel packet flow

Wed Jan 15, 2020 11:05 pm

Hello.

I have such configuration:

Two MikroTik routers (call them "Router1" and "Router2"), each with a white external IP. There is an IPsec policy in transport port between them and also an IPIP tunnel, so I have an interface for dynamic routing etc.
Of course, the tunnel interface on both routers has an IP from a private LAN address range. Also I added such a rule to the RAW table:
chain=prerouting action=drop in-interface-list=ipip1 log=yes src-address-list=!VPN_NETS
to prevent unencrypted traffic.
The VPN_NETS address list contains all networks behind the other router and does not include the white IPs of both routers.
All is working!

But there are constantly such log messages (I put here the log from Router1):
"firewall,info prerouting: in:ipip_Port out:(unknown 0), proto 4, [Router1 ext. IP]->[Router2 ext. IP], len 20"

The message appears every 10 seconds, so it could be IPIP keepalive packets.

I can't understand why these messages appear (according to the Packet Flow Diagram, outgoing packets can't be in the "IN" direction and in the PREROUTING chain)!
 
611
newbie
Posts: 47
Joined: Wed Oct 17, 2018 10:12 am

Re: IPSEC+tunnel packet flow

Wed Jan 15, 2020 11:54 pm

As far as I've understood you, I've got the same config (for the same purposes).

If your interface list ipip1 contains your ipip tunnels, then by adding such a drop rule in the prerouting chain you're just filtering traffic _inside_ your tunnels, and you have no way to know if the tunnel itself was encrypted in transit or not.

To prevent the tunnel from going unencrypted you have to add (with corresponding interface conditions if you wish to narrow it down):
add chain=input action=drop protocol=ipencap ipsec-policy=in,none log=yes log-prefix=unsec-ip2 comment="IPIP sans IPsec" 
add chain=output action=drop protocol=ipencap ipsec-policy=out,none log=yes log-prefix=unsec-ip2 comment="IPIP sans IPsec"
It doesn't have to be in the Raw table, as the volume of matching traffic is normally very low - the rules prevent tunnels from coming up (and effectively shut them down if they're up) if something happened to IPsec while the hosts are otherwise connected.

Regarding the log message, "in:" denotes the ingress interface, not the direction. But the direction is still _in_, as all incoming IP packets that were not bridged or MPLS-switched hit the prerouting chain.
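As an added illustration (not from 611's post or the thread), here is one side of such a setup as a RouterOS export: the IPIP tunnel, a transport-mode IPsec policy for protocol 4 only, the input/output guard rules from above, and the original RAW rule for comparison. All addresses, names and the PSK are assumed placeholders.

```routeros
# Router1 side only (constructed example); Router2 mirrors it with addresses swapped.
# Placeholder addresses from the documentation ranges:
#   Router1 external: 192.0.2.1      Router2 external: 198.51.100.1
#   Tunnel addresses: 10.255.0.1/30 (Router1), 10.255.0.2/30 (Router2)

# IPIP tunnel between the two external addresses; keepalive every 10 s, down after 10 misses
/interface ipip
add name=ipip1 local-address=192.0.2.1 remote-address=198.51.100.1 keepalive=10s,10
/ip address
add address=10.255.0.1/30 interface=ipip1

# Interface list referenced by the RAW rule below
/interface list
add name=ipip_tunnels
/interface list member
add list=ipip_tunnels interface=ipip1

# IPsec in transport mode (tunnel=no) covering only IPIP (protocol 4) between the peers.
# level=require: with no SA the matching packet is dropped instead of leaving in clear.
/ip ipsec peer
add name=router2 address=198.51.100.1/32 exchange-mode=ike2
/ip ipsec identity
add peer=router2 auth-method=pre-shared-key secret=CHANGE-ME-PSK
/ip ipsec policy
add peer=router2 tunnel=no src-address=192.0.2.1/32 dst-address=198.51.100.1/32 \
    protocol=ipencap action=encrypt level=require proposal=default

# Guard rules from 611's post: they match the OUTER IPIP packet at the router itself
# (input/output chains), so an IPIP packet that was not decrypted by IPsec on the way in,
# or would not be encrypted on the way out, is dropped and logged.
/ip firewall filter
add chain=input action=drop protocol=ipencap ipsec-policy=in,none \
    log=yes log-prefix=unsec-ipip comment="IPIP without IPsec (inbound)"
add chain=output action=drop protocol=ipencap ipsec-policy=out,none \
    log=yes log-prefix=unsec-ipip comment="IPIP without IPsec (outbound)"

# The original RAW rule matches the packet INSIDE the tunnel (in-interface-list is the
# decapsulated packet's ingress), so it cannot tell whether the outer packet was encrypted.
/ip firewall raw
add chain=prerouting action=drop in-interface-list=ipip_tunnels \
    src-address-list=!VPN_NETS log=yes log-prefix=inner-src
```

Entries logged with the unsec-ipip prefix are the ones worth alerting on, since each is an IPIP packet that would otherwise have crossed the Internet unencrypted.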
 
himvas
newbie
Topic Author
Posts: 28
Joined: Fri Apr 15, 2016 9:26 am

Re: IPSEC+tunnel packet flow

Thu Jan 16, 2020 12:15 am

Thanks.
611 wrote:
Regarding the log message, "in:" denotes the ingress interface, not the direction. But the direction is still _in_, as all incoming IP packets that were not bridged or MPLS-switched hit the prerouting chain.
But how can a router's LOCALLY originated packet hit the prerouting chain? It should hit the RAW OUTPUT chain. As I said, the log message is about a packet with THIS router's IP as the source address
and the other router's IP as the destination, so the packet is outgoing!
 
611
newbie
Posts: 47
Joined: Wed Oct 17, 2018 10:12 am

Re: IPSEC+tunnel packet flow

Thu Jan 16, 2020 1:11 am

The packet may return; it's called a "loop" :)
Normally you shouldn't see either packets with external addresses (one external is OK if you're routing some external traffic through another node, but not both src and dst) or the ipencap (4) protocol _inside_ your internal tunnel, yet you have both (if the ipip_Port interface is a tunnel).
Maybe you somehow managed to route ipip packets from host1 back to it (through the ipip tunnel itself) on host2?
