IPSEC hub and spoke problem, tunnel established but no traffic

Hello,
I am trying to configure an IPSEC IKEv2 tunnel in a hub and spoke topology. All sites except the VPN concentrator (which is ROS CHR in the cloud) don't have a public IP.
Site1: 192.168.12.0/24
Site2: 192.168.22.0/24
Site3: 192.168.32.0/24 (planned)

Sites 2 and 3 should have a connection to Site1. The tunnel is establishing, but there is no communication between the sites.
Detailed configuration below:

VPN Concentrator:

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal1 pfs-group=modp2048
/ip ipsec peer add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 passive=yes secret=<password>
/ip ipsec policy 
add dst-address=192.168.22.0/24 proposal=proposal1 src-address=192.168.12.0/24 template=yes
add dst-address=192.168.12.0/24 proposal=proposal1 src-address=192.168.22.0/24 template=yes

Site1

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal1 pfs-group=modp2048
/ip ipsec peer add address=<public IP of VPN concentrator> dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 secret=<password>
/ip ipsec policy add dst-address=192.168.22.0/24 level=unique proposal=proposal1 sa-dst-address=<public IP of VPN concentrator> sa-src-address=0.0.0.0 src-address=192.168.12.0/24 tunnel=yes

Site2

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal1 pfs-group=modp2048
/ip ipsec peer add address=<public IP of VPN concentrator> dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 secret=<password>
/ip ipsec policy add dst-address=192.168.12.0/24 proposal=proposal1 sa-dst-address=<public IP of VPN concentrator> sa-src-address=0.0.0.0 src-address=192.168.22.0/24 tunnel=yes

… as I mentioned above, the tunnel is established (PH2 state established) and Installed SAs are present, but if I try to ping from Site1 to Site2 (or the other way) there is only a timeout.
Could you please help me?
Attachments: ipsecSA.gif, ipsecPolicy.gif

As you mention that the remote sites don’t have public addresses, have you noticed in the documentation the need to create an exception from src-nat/masquerade rule for traffic towards the VPN subnets and to prevent traffic tunnelled through the VPN from being fasttracked?

I'm not using fasttrack, and on the remote sites I tried

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.12.0/24 src-address=192.168.22.0/24
(... and masquerade here)

and

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.12.0/24 src-address=192.168.22.0/24

Without success.

In that case, post the output of

export hide-sensitive

after systematically replacing all occurrences of each public IP address with a distinctive pattern like my.public.ip.1, my.public.ip.2 etc., for both the central site and one of the remote sites.

Thank you for your time and patience. The problem was missing routes!
Site1:

/ip route add distance=1 dst-address=192.168.22.0/24 gateway=bridge-local

Site2:

 /ip route add distance=1 dst-address=192.168.12.0/24 gateway=bridge-local

Have a nice day :wink:
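For anyone hitting the same symptom (IKE up, SAs installed, pings time out), here is a small checker I put together for this thread; it is an added example, not something from the original posts or from MikroTik. It parses `export`-style output and flags the two things discussed above: a tunnel policy whose dst-address has no route of its own (the OP's actual fix) and a srcnat masquerade/src-nat rule that is not preceded by an accept for the tunnel subnets. The export fragment, interface names and gateway address are constructed for the demo.

```python
import ipaddress
import re

# Constructed RouterOS export fragment (not taken from the thread's routers):
# Site1's tunnel policy, a bare masquerade rule, and a route table that lacks
# the 192.168.22.0/24 route the original poster ended up adding.
SITE1_EXPORT = """
/ip ipsec policy
add dst-address=192.168.22.0/24 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1
"""

def parse_export(text):
    """Group each 'add ...' line under its '/path' section as a key/value dict."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return sections

def check_ipsec_policies(export_text):
    """Return findings for tunnel policies lacking a specific route or a NAT bypass."""
    cfg = parse_export(export_text)
    routes = [ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0")) for r in cfg.get("/ip route", [])]
    nat = [r for r in cfg.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    findings = []
    for pol in cfg.get("/ip ipsec policy", []):
        if pol.get("tunnel") != "yes":
            continue
        dst = ipaddress.ip_network(pol["dst-address"])
        # The default route alone does not count; a route for the remote subnet itself was the fix here.
        if not any(r.prefixlen > 0 and dst.subnet_of(r) for r in routes):
            findings.append(f"no specific route for policy dst {dst}")
        # srcnat runs before the IPsec policy lookup; an accept must precede masquerade/src-nat.
        bypass = False
        for rule in nat:
            if (rule.get("action") == "accept" and rule.get("dst-address")
                    and dst.subnet_of(ipaddress.ip_network(rule["dst-address"]))):
                bypass = True
                break
            if rule.get("action") in ("masquerade", "src-nat"):
                break
        if not bypass:
            findings.append(f"srcnat not bypassed for {pol.get('src-address')} -> {dst}")
    return findings
```

Run it on the export of each spoke after replacing public addresses as suggested above; an empty result means both conditions are satisfied for every tunnel policy.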