Hello.
There are two Mikrotik, several tunnels are raised between them, GRE, IPIP. The tunnels are working, everything is fine. A rule has been created for a table separate from the mains, where default routing is to the peer at the end of the tunnel.
The task is to direct all traffic from ipsec to the vrf table instead of the main table. But traffic from IPsec simply does not get into the second routing table. Packets go to the main table
R1
/ip route rule
add dst-address=0.0.0.0/0 interface=IPIP routing-mark=second src-address=10.3.200.0/24
/ip route vrf
add interfaces=IPIP routing-mark=second
/ip route
add distance=1 gateway=172.16.2.2 routing-mark=second vrf-interface=IPIP
/ip addr
…
5 172.16.2.1/30 172.16.2.0 IPIP
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=0.0.0.0/0 new-connection-mark=cust_a_conn passthrough=no src-address=10.3.200.0/24
add action=mark-routing chain=prerouting connection-mark=cust_a_conn dst-address=0.0.0.0/0 in-interface=ether1 new-routing-mark=cust_a src-address=10.3.200.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=IPIP routing-mark=cust_a routing-table=second src-address=10.3.200.0/24
R2
/ip addr
…
7 172.16.2.2/30 172.16.2.0 IPIP
/ip route
…
3 A S 10.3.200.0/24 172.16.2.1 1