kermu
just joined
Topic Author
Posts: 11
Joined: Fri Nov 26, 2010 11:59 pm

Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 1:59 pm

Is it possible to make a Layer 2 VPN with IPsec, to carry an 802.1q trunk over the Internet in site-to-site mode?
I know it is possible to use L2TP mode for this purpose, but I need a detailed example of a working solution.
I want to use IPsec due to the possibility of the hardware acceleration feature on some devices.
 
sindy
Forum Guru
Posts: 11192
Joined: Mon Dec 04, 2017 9:19 pm

Re: Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 2:34 pm

You can use L2TP with BCP, or you can use EoIP. In both cases a MikroTik device must be used at both ends of the tunnel. With BCP, vlan-filtering on the bridges interconnected using the tunnel must be set to no; with EoIP, this is not necessary.

Assuming you've got a working L2 tunnel, what would the rest of the bridge configuration at both ends look like?
 
kermu
just joined
Topic Author
Posts: 11
Joined: Fri Nov 26, 2010 11:59 pm

Re: Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 4:55 pm

> Assuming you've got a working L2 tunnel, what would the rest of the bridge configuration at both ends look like?

I need an L2 tunnel to carry PPPoE traffic from one tunnel endpoint to another, where the BRAS is located.
 
kermu
just joined
Topic Author
Posts: 11
Joined: Fri Nov 26, 2010 11:59 pm

Re: Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 5:09 pm

> You can use L2TP with BCP

Is there hardware acceleration for bridging an L2TP client interface with an Ethernet interface in ROS, or will all traffic go through the CPU in this configuration?
How much performance can I expect with an RB750Gr3 to RB750Gr3 end-to-end L2TP IPsec VPN?
 
sindy
Forum Guru
Posts: 11192
Joined: Mon Dec 04, 2017 9:19 pm

Re: Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 5:18 pm

> I need an L2 tunnel to carry PPPoE traffic from one tunnel endpoint to another, where the BRAS is located.

If so, it's not clear to me why you need to transport VLAN-tagged frames through the tunnel. Plus it will be a bandwidth waste since to have a decent frame size (aka MTU at the PPPoE client), you'll have to carry each larger frame as two packets. It might be better to use a PPPoE server locally and use the IPsec tunnel to deliver the IP traffic of the clients as well as the RADIUS authentication traffic.

But anyway, post the current exports of the two machines with working IPsec setup, I'll show you how to add EoIP to them.

And nothing except IPsec encryption will be hardware-accelerated. So if you reach 300 Mbit/s between two RB750Gr3 I guess it will be a great success.
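
The frame-size point in the reply above, worked through as an added example that is not part of the original thread: it estimates the on-wire size of one PPPoE frame carried in EoIP under ESP and finds the largest PPPoE client MTU that still fits in a single WAN packet. The byte counts are assumptions: IPv4 without options, ESP in transport mode with AES-CBC and HMAC-SHA1-96, no NAT-T, and a WAN MTU of 1500.

```python
# Added example. All header sizes are assumptions stated in the lead-in,
# not values taken from the thread or from any posted configuration.
ETH_HDR = 14      # inner Ethernet header carried inside EoIP (no FCS)
VLAN_TAG = 4      # 802.1Q tag on the inner frame
PPPOE_PPP = 8     # PPPoE header (6) + PPP protocol field (2)
GRE_HDR = 8       # GRE header used by EoIP
OUTER_IP = 20     # outer IPv4 header, no options
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 16       # AES-CBC initialisation vector
ESP_BLOCK = 16    # AES block size, sets the padding granularity
ESP_TRAILER = 2   # pad-length + next-header bytes
ESP_ICV = 12      # HMAC-SHA1-96 integrity check value


def esp_packet_size(client_mtu, tagged=True):
    """Size of the outer IP packet for one full-size PPPoE client packet."""
    frame = client_mtu + PPPOE_PPP + ETH_HDR + (VLAN_TAG if tagged else 0)
    # Transport mode: ESP encrypts the GRE header plus the inner frame.
    plaintext = GRE_HDR + frame + ESP_TRAILER
    padded = -(-plaintext // ESP_BLOCK) * ESP_BLOCK  # round up to a block
    return OUTER_IP + ESP_HDR + ESP_IV + padded + ESP_ICV


def fits(client_mtu, wan_mtu=1500, tagged=True):
    """True if the encrypted packet goes out as a single WAN packet."""
    return esp_packet_size(client_mtu, tagged) <= wan_mtu


def max_client_mtu(wan_mtu=1500, tagged=True):
    """Largest PPPoE client MTU that avoids splitting into two packets."""
    mtu = wan_mtu
    while mtu > 0 and not fits(mtu, wan_mtu, tagged):
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for mtu in (1492, 1480, max_client_mtu()):
        size = esp_packet_size(mtu)
        verdict = "one packet" if fits(mtu) else "two packets"
        print(f"client MTU {mtu}: {size} bytes on the WAN -> {verdict}")
    print("max client MTU, untagged:", max_client_mtu(tagged=False))
```
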
 
kermu
just joined
Topic Author
Posts: 11
Joined: Fri Nov 26, 2010 11:59 pm

Re: Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 6:05 pm

> If so, it's not clear to me why you need to transport VLAN-tagged frames through the tunnel.

Due to performance issues, it is better to carry PPPoE traffic to a centrally located BRAS with hardware acceleration for PPPoE sessions, as opposed to many local software BRASes.
Another problem is duplicating other elements of the network infrastructure, e.g. QoS engine, syslog, NAT engine, at many remote locations.
In my network, each large building is connected to a separate VLAN.
 
sindy
Forum Guru
Posts: 11192
Joined: Mon Dec 04, 2017 9:19 pm

Re: Layer 2 VPN with IPSEC for carry 802.1q over Internet

Sun Aug 22, 2021 6:22 pm

> In my network, each large building is connected to a separate VLAN.

OK, so there will be a single VLAN on each spoke device and multiple VLANs on the hub one, and the BRAS expects all of them to come as a trunk via a single physical interface, correct? In such a case, depending on the power of the spoke devices and of the hub one, it may make more sense to do the tagging/untagging at the spoke devices or to do it at the hub one.

Waiting for the configurations then. Either post them inline, each between [code] and [/code] tags, or attach them as .rsc files.
