IPSec IKE VPN: response packets are managed automatically?

I was thinking on a rather simple question:

After buliding up an IKE VPN (from Android to Mikrotik v6.49.7), it seems my Android phone can browse the internet just like if it was joined to this Mikrotik locally.
IPSec’s policy defines a range for dst-address and it’s mode config sets an address pool. This way, android gets an address from the pool, and everything is working correctly.

What I don’t understand is how response packets find back to my android: I didn’t have to add any mangles or firewall or nat rules to make this work.

Are IPSec peers’ addresses considered the same as other “physically” connected clients’ when Mikrotik searches for the response’s dst? Is it that simple?

Thank you!

NAT is a L3 (IP) function and when firewall does it, it doesn’t matter how a particular local IP is connected to router regarding L2. So if a packet arrives via IPSec to router and that packet has to leave router via interface that has SRC-NAT active, then connection tracking machinery makes note of the fact and when (return) packet arrives at that same interface, SRC-NAT un-does the NAT. The resulting packet is then pushed into routing machinery which determines that packet should leave through IPSec tunnel. This part is the same as if packet arrived to router via a LAN interface …