I've got working connections from multiple remotes to my primary router via IPSEC. Each remote peer is defined in "/ip ipsec" with their signatures, mode config, etc. The exchange modes are all "IKE2" - I don't know if that means my tunnels are IKEv2 or not. But I do seem to have good layer 3 connections.

Now I need the ability for full layer 2 tunneling. There's a lot of options and I don't know which to go with. At the moment the IPSEC nodes are all Mikrotik so I'm not interoperating with anything else - today. Possibly with a Windows or Android client - no other networking gear will be involved.

Looking at some of the tunnel interface options I see configuration choices for IPSEC. Does this mean such tunnels establish their own IPSEC connections independent of the configuration of "/ip ipsec"? What method should I start with given my current configuration?

If you need L2 Tunneling and all devices are Mikrotik user EoIP.

Thank you - I'll look at EoIP again. What is the difference between using the existing IPSEC connections and configuring the EoIP interfaces with internal IP's compared with explicitly setting IPSEC secrets and external IP's in the EoIP interfaces?

If you need L2 Tunneling and all devices are Mikrotik user EoIP.

But for IPSEC on particular devices is possible to use hardware acceleration as opposed to EoIP.