When IPsec is used in tunnel mode, a NAT rule is needed to avoid the source address change (by the default masquerade NAT rule, if I have understood correctly).
I noticed it is no longer needed when IPsec is used as transport for other tunnel protocols (I have GRE over IPsec working without any NAT rule).
Is this correct?
You are correct. When using IPSec transport mode, there is no address translation happening.
The reason for the NAT rule with IPSec Tunnel mode has to do with how RouterOS routes packets through its internal system. If you look at one of their packet flow diagrams in the wiki, you’ll see why.
If you use GRE, then a packet going on the VPN isn’t technically leaving via the WAN interface, it’s leaving via the tunnel interface. The tunnel interface has its own rules for forwarding, NAT, etc. When not using a tunnel under the IPSec, the traffic leaves via the WAN interface, so it must not be NAT translated in order for the IPSec policy to see the packet as a VPN packet, encrypt it, and send the encrypted packet to the peer.
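As an added example (not from the thread or from MikroTik's documentation), here are the RouterOS NAT rules the answer above describes, for the tunnel-mode case only: a masquerade-only srcnat chain that rewrites the source address before the IPsec policy selector is checked, beside the corrected chain with an accept rule placed above it. Interface names and all addresses are constructed assumptions, and the peer, identity and proposal parts of the IPsec setup are omitted.

```routeros
# Constructed sample addressing: local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24,
# local WAN address 203.0.113.1 on ether1, IPsec peer at 198.51.100.1.

# --- Broken: masquerade alone ---
# srcnat runs before the IPsec policy lookup, so LAN -> remote LAN packets leave ether1
# with source 203.0.113.1, never match the 192.168.10.0/24 -> 192.168.20.0/24 selector,
# and are forwarded unencrypted.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# --- Corrected: exempt the VPN traffic from srcnat ---
# NAT rules are evaluated top down, so the accept rule must sit above the masquerade rule
# (check with /ip firewall nat print; move it with place-before= if it ended up below).
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=accept \
    comment="bypass NAT for IPsec tunnel-mode traffic"
add chain=srcnat out-interface=ether1 action=masquerade

# The tunnel-mode policy whose selector must see the untranslated addresses.
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 action=encrypt
```

With GRE over IPsec in transport mode, as the answer notes, the LAN traffic exits via the gre interface rather than ether1, so the masquerade rule never touches it and no accept rule is needed.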
Using GRE, you are sending packets over the VPN, so your network doesn’t need any kind of translation. For IPsec it’s important to see the true IPs so it can encrypt them and establish the tunnel between peers. IP addresses destined for the IPsec tunnel are matched with an ACL, for example.