I have two router boards that I am trying to setup IPIP tunnels with IPsec running across with OSFP. I get the tunnels up and able to pass traffic. I am able to reach both sides of the tunnel and behind the routers too. The problem is that the SA are only installed and the remote peers connection show up in IPSEC when you ping between the end of the tunnel. If I ping from private to private it doesn't create or encrypt the tunnel. Any Ideas? Config is below.

Site A

/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d \
name=default pfs-group=modp1024
/ip ipsec peer
add address=10.255.255.6/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\
3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=l00ker send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.255.255.6/32 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=10.255.255.6 sa-src-address=10.255.255.5 src-address=\
10.255.255.5/32 src-port=any tunnel=no
/interface ipip
add disabled=no local-address=2.2.2.2 mtu=1480 name=TO_I240 remote-address=1.1.1.2

/ip route> print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 2.2.2.1 1
1 ADC 10.255.255.4/30 10.255.255.5 TO_I240 0
2 ADC 2.2.2.0/30 2.2.2.2 Eth2- WAN 0
3 ADo 172.15.0.0/24 10.255.255.6 110
4 ADC 172.18.0.0/24 172.18.0.1 LAN 0


Site B

/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d \
name=default pfs-group=modp1024
/ip ipsec peer
add address=10.255.255.5/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\
3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=l00ker send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.255.255.5/32 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=10.255.255.5 sa-src-address=10.255.255.6 src-address=\
10.255.255.6/32 src-port=any tunnel=no
/interface ipip
add disabled=no local-address=1.1.1.2 mtu=1480 name=TO_DEALERS remote-address=2.2.2.2

/ip route> print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 1.1.1.1 1
1 ADC 10.255.255.4/30 10.255.255.6 TO_DEALERS 0
2 ADC 1.1.1.0/32 1.1.1.2 Eth2 - WAN 0
3 ADC 172.15.0.0/24 172.15.0.1 Eth1 - LAN 0
4 ADo 172.18.0.0/24 10.255.255.5 110

So to summarize again. I am able to pass traffic fine I just don't think packets from 172.15.0.0 to 172.18.0.0 are being encrypted as I don't show a SA at all until I ping between the 10.255.255.x interfaces then the SA is installed.

Did you found answer for your question? I think you are encrypting only communication between two routers. I was attempted to do the same, but then realized that IPIP tunnel can pass much more than those few IP-s I used to set up routing between the tunnel. So your /24 subnets are bypassing encryption since there is no encryption policy set for them.

The solution is to encrypt whole tunnel first.
So your policy should looks like:

/ip ipsec policy
add action=encrypt disabled=no dst-address=1.1.1.2/32 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=ip-encap \
sa-dst-address=1.1.1.2 sa-src-address=2.2.2.2 src-address=\
2.2.2.2/32 src-port=any tunnel=no
...

protocol=ip-encap will encrypt the whole tunnel, while leave other traffic unencrypted. So you will be able to communicate with both routers as you did it before this setup.

Greg Sowell http://gregsowell.com/?p=1290 has a good tutorial for this.

I'm surprised nobody answered you until now. I hope my findings will help you to found the right way.