I have set up VPNs from my Cisco router to the RouterOS box. Because I want to access each of the 3 separate IP networks on the ROS box I had to set up 3 sets of address matching ACLs (policies in ROS world). It wasn't working well, as the first VPN to establish would work OK but then the next one would establish but not pass traffic - I could see packets arriving at the ROS box but no replies went down the return SA for that connection. In fact the return packets seemed to be going down the ORIGINAL SA... This also led to "decrypted packet failed sa identity check" on the Cisco. Eventually found a solution - set 'level' to unique on the policy / action tab rather than the default 'require'. This seems to force each policy to associate with the correct SA....
Hope this helps someone!
David
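
The change described in the post, written as RouterOS commands. This is an added example, not part of the original post: every address is a constructed placeholder, and the policy syntax assumes an older RouterOS release where sa-src-address and sa-dst-address are set on the policy itself.

```routeros
# Constructed example: all addresses are placeholders.
#   RouterOS public IP 198.51.100.1, Cisco public IP 192.0.2.1
#   Cisco LAN 10.9.0.0/24
#   RouterOS LANs 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24
# Assumption: older RouterOS syntax; newer releases select the remote
# end with peer= and show sa-src-address/sa-dst-address as read-only.

# Before: three policies to the same peer, each with the default
# level=require. This is the setup in which the post saw replies
# leave through the first SA instead of the one for their own policy.
/ip ipsec policy
add src-address=10.1.0.0/24 dst-address=10.9.0.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=192.0.2.1 \
    tunnel=yes action=encrypt level=require
add src-address=10.2.0.0/24 dst-address=10.9.0.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=192.0.2.1 \
    tunnel=yes action=encrypt level=require
add src-address=10.3.0.0/24 dst-address=10.9.0.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=192.0.2.1 \
    tunnel=yes action=encrypt level=require

# After: switch every policy towards that peer to level=unique so
# each policy acquires an SA that is used only with that policy.
/ip ipsec policy set [find sa-dst-address=192.0.2.1] level=unique

# Clear SAs negotiated under the old setting so they are rebuilt.
/ip ipsec installed-sa flush

# Check: each policy should report level=unique, and once traffic
# has flowed for all three networks there should be a separate
# inbound/outbound SA pair per policy rather than one shared pair.
/ip ipsec policy print detail
/ip ipsec installed-sa print
```

After the flush, send traffic from each of the three networks and confirm on the Cisco side that the "sa identity check" message no longer appears.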