The Book

Check the differences between IPsec tunnel and IPsec transport.

http://wiki.mikrotik.com/wiki/IPSec_VPN_/_Mikrotik_and_Linksys_BEFVP41

Internet router RB450 is faking Internet connection and does the basic routing between public networks 1.1.1.0, 2.2.2.0 and 3.3.3.0. NAT is configured on all routers and they also provide DHCP for respective networks.

/ip address
add address=1.1.1.254/24 disabled=no interface=ether1 network=1.1.1.0
add address=2.2.2.254/24 disabled=no interface=ether2 network=2.2.2.0
add address=3.3.3.254/24 disabled=no interface=ether3 network=3.3.3.0

1.IP addressess

/ip address
add address=10.10.1.254/24 disabled=no interface=ether1 network=10.10.1.0
add address=1.1.1.1/24 disabled=no interface=ether4 network=1.1.1.0

2.Default route

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.254 scope=30 \
    target-scope=10

3.NAT - Note that NAT bypass for IPsec tunnels rule is on the top of the list !!! It is set for all 10.10.x.x networks but you can specify subnets individually.

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.10.0.0/16 src-address=\
   10.10.1.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether4

4.IPsec

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=\
   default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
   dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
   generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn=\
   "" nat-traversal=yes port=500 proposal-check=obey secret=!secret! \
   send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.2.0/24 dst-port=any \
   ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
   sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.10.1.0/24 \
   src-port=any tunnel=yes