Connection between two IPsec tunnels

Hello, I have sites A, B, C (3 x MikroTik CHR). IPsec is working on A-B and B-C. What is the best config to get a working connection from site A to site C? Should I use a static route or NAT? What NAT rules do I need to add?
Thank you

When you want to resolve this without going into insanity, convert your config from a static IPsec tunnel into a GRE or IPIP tunnel with IPsec.
Then you can use static routing or an autorouting protocol to get the routing correct.

To resolve this while going insane (just copy the existing policies and change accordingly):

On device A: Add policy (src) A - (dst) C - (peer) B
On device B: Add policy (src) A - (dst) C - (peer) C
On device B: Add policy (src) C - (dst) A - (peer) A
On device C: Add policy (src) C - (dst) A - (peer) B

Make sure the firewall filter rules are updated to reflect the additional subnets. No NAT required (IPsec should be excluded from NAT in defconf).

… and then he’ll need to add a peer D 🙂
Slowly this will become an intangible mess.
Also, it assumes all traffic from A to C has to pass via B. Maybe it is possible to make a direct tunnel from A to C?

Thank you, I will check that.

Well, in practice we have 6 sites with IPsec tunnels all-to-all. It is a lot of config already; the idea was to have IPsec from all to one central site.

The crucial difference between a “plain IPsec tunnel” as you have now, and a GRE or IPIP tunnel with IPsec transport, is that the plain IPsec tunnel at all systems needs to know all other IP subnets.
A GRE or IPIP tunnel can just route any traffic, also traffic from A that you send to B but that B would have to forward to C, without having to configure the IP subnets in the IPsec policies.
Of course that burden then moves to the routing table. But you can have that managed automatically by installing BGP or OSPF.
In RouterOS this is all very simple, because the user interface takes care of all underlying configuration e.g. when you configure a GRE tunnel and enter an IPsec key.
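As an added example (not from any post in this thread), here is a RouterOS hub-and-spoke layout of the kind the last reply describes: GRE tunnels with IPsec on A-B and B-C, and static routes at B that forward A's traffic on to C, so no IPsec policy ever has to list a LAN subnet. All addresses, interface names and secrets are assumed placeholders.

```routeros
# Assumed addressing (placeholders, not from the thread):
#   site A LAN 192.168.1.0/24, public 203.0.113.1
#   site B LAN 192.168.2.0/24, public 203.0.113.2  (hub)
#   site C LAN 192.168.3.0/24, public 203.0.113.3
#   tunnel /30s: A-B 10.255.0.0/30, B-C 10.255.0.4/30
# ipsec-secret makes RouterOS create the transport-mode IPsec peer and
# policy for the GRE endpoints itself; use a long random secret, one per tunnel.

# --- Site A (spoke): one tunnel to the hub, all remote LANs routed into it ---
/interface gre add name=gre-to-b local-address=203.0.113.1 remote-address=203.0.113.2 ipsec-secret=REPLACE_WITH_SECRET_AB mtu=1400
/ip address add address=10.255.0.1/30 interface=gre-to-b
/ip route add dst-address=192.168.2.0/24 gateway=10.255.0.2
/ip route add dst-address=192.168.3.0/24 gateway=10.255.0.2
/ip firewall address-list add list=ipsec-peers address=203.0.113.2

# --- Site B (hub): one tunnel per spoke, a route per spoke LAN ---
/interface gre add name=gre-to-a local-address=203.0.113.2 remote-address=203.0.113.1 ipsec-secret=REPLACE_WITH_SECRET_AB mtu=1400
/interface gre add name=gre-to-c local-address=203.0.113.2 remote-address=203.0.113.3 ipsec-secret=REPLACE_WITH_SECRET_BC mtu=1400
/ip address add address=10.255.0.2/30 interface=gre-to-a
/ip address add address=10.255.0.5/30 interface=gre-to-c
/ip route add dst-address=192.168.1.0/24 gateway=10.255.0.1
/ip route add dst-address=192.168.3.0/24 gateway=10.255.0.6
/ip firewall address-list add list=ipsec-peers address=203.0.113.1
/ip firewall address-list add list=ipsec-peers address=203.0.113.3
# B forwards A<->C between its two GRE interfaces; allow that explicitly
/ip firewall filter add chain=forward action=accept in-interface=gre-to-a out-interface=gre-to-c
/ip firewall filter add chain=forward action=accept in-interface=gre-to-c out-interface=gre-to-a

# --- Site C (spoke): mirror of A ---
/interface gre add name=gre-to-b local-address=203.0.113.3 remote-address=203.0.113.2 ipsec-secret=REPLACE_WITH_SECRET_BC mtu=1400
/ip address add address=10.255.0.6/30 interface=gre-to-b
/ip route add dst-address=192.168.1.0/24 gateway=10.255.0.5
/ip route add dst-address=192.168.2.0/24 gateway=10.255.0.5
/ip firewall address-list add list=ipsec-peers address=203.0.113.2

# --- On every site: IKE/ESP only from known peers, GRE only after decryption ---
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 src-address-list=ipsec-peers comment="IKE / NAT-T"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp src-address-list=ipsec-peers
/ip firewall filter add chain=input action=accept protocol=gre ipsec-policy=in,ipsec comment="GRE that arrived inside IPsec"
/ip firewall filter add chain=input action=drop protocol=gre comment="plain, unencrypted GRE"
# Clamp TCP MSS so tunnelled flows fit the smaller GRE+IPsec MTU
/ip firewall mangle add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
```

Remove the old LAN-to-LAN tunnel-mode policies before enabling this, so only the dynamic transport policies for the GRE endpoints remain; existing WAN masquerade rules do not touch this traffic, since it leaves via the GRE interface rather than the WAN interface.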