Hello,
As this is my first post on this forum, please forgive me if I’m making something wrong.
I have two RB2011 routers (6.33 and 6.26 RouterOS installed). I configured GRE over IPSec tunnel between them. And everything is working fine. But… I do not understand, why whole IPSec traffic between these two boxes is handled by such rule:
add chain=input comment="accept established" connection-state=established
Is there any hidden workaround in Mikrotik’s code that silently accept incoming packets when ipsec is configured? 
Regards,
Konrad