hi
I try to make a tunnel between mikrotik-mikrotik
Gre over Ipsec
according to this pic
is it correct?

Ip public(2.185.1.1 - 2.185.2.2)
Lan (192.168.1.0 --192.168.226.0)
Gre (172.16.16.1 - 172.16.16.2)

after gre config Ip Peer is gre-ip or public-ip , In Policy Public or gre

Why are you specifically using GRE

why don't you just use L2TP with IPSEC over that.

Hi
Why L2TP ?
L2TP or Gre or IPIP?
I try to connect 8 org in different cities by Public IP on internet?

The only thing that looks off to me is the local/remote traffic selectors for IPSec. Those should match GRE src=localWan dst=remoteWan

IPSec won't see the packets inside the GRE tunnel - only the GRE itself.

The nice thing about GRE over IPSec is that you can route any IP across the tunnel you like without having to change the IPSec traffic selectors. You can even run OSPF over the tunnels and all sites will automatically know how to reach all other sites. Easily supports hub-and-spoke topology - less configuration whenever a new site comes online.
etc.

IPIP tunnel is better or Gre tunnel over ipsec (for security)

all 8 point have mik.rb

internet : 2mb speed with ip public

2mb is enough?

now ping with 230ms..? why (by ipip/ipsec) very slow

Which model routerboard do you have? IPSEC can eat a lot of CPU.

RB 750gl ic cities + RB2011UAS in main office

I could see a 2011 not being powerful enough if you have much traffic going between 8 sites at the same time, especially if all 8 sites are tunneling through the main site for Internet access.
Check your CPU utilization in system resources.

HI
I try to complete my design
but in my cities in left mik. routerboarad cannot ping cisco
i describe in below pic

HI
I try to complete my design
but in my cities in left mik. routerboarad cannot ping cisco

I bet the Cisco has a default GW other than 192.168.226.11, and no static route for 195.132.57.0/24

Any host using 192.168.226.9 as the default GW will also be unable to reach PC1 if this is true.

Fix in cisco:
config t
ip route 195.132.57.2 255.255.255.0 192.168.226.11
ip route 172.151.1.0 255.255.255.252 192.168.226.11
end
(or use the correct netmask for the IPIP tunnel if it's not a /30)

Any hosts on the other side of the Cisco will need correct routes as well.