We're using src-nat but I don't think it matters, since you have to define "accept srcnat src.address dst.address" as the first entry for the tunnel to disable any further NAT translations.
I wasn't talking about excluding the tunneled subnets from srcnat but about how outbound traffic is handled by the router - and this does matter.
Anyway - I won't make it back to my desk before Monday, so I built a working config from scratch here with two routers I have lying around.
And I can confirm that it's 100% working.
This is router A:
/ip address
add address=172.17.17.1/24 interface=ether9 network=172.17.17.0
add address=172.17.17.2/24 interface=ether9 network=172.17.17.0
add address=172.17.18.1/24 interface=bridge2 network=172.17.18.0
/ip ipsec peer
add address=172.17.17.4/32 local-address=172.17.17.2 my-id=address:172.17.17.2 \
secret=test
/ip ipsec policy
add dst-address=172.17.19.0/24 sa-dst-address=172.17.17.4 sa-src-address=\
172.17.17.2 src-address=172.17.18.0/24 tunnel=yes
This is router B:
/ip address
add address=172.17.17.3/24 interface=ether9 network=172.17.17.0
add address=172.17.17.4/24 interface=ether9 network=172.17.17.0
add address=172.17.19.1/24 interface=bridge2 network=172.17.19.0
/ip ipsec peer
add address=172.17.17.2/32 local-address=172.17.17.4 my-id=address:172.17.17.4 \
secret=test
/ip ipsec policy
add dst-address=172.17.18.0/24 sa-dst-address=172.17.17.2 sa-src-address=\
172.17.17.4 src-address=0.0.0.0/0 tunnel=yes
As you can see, on router B, it's perfectly established:
[admin@routerB] > /ip ipsec remote-peers pr
Flags: R - responder, N - natt-peer
# ID STATE
0 established
[admin@routerB] > /ip ipsec installed-sa pr
Flags: A - AH, E - ESP
0 E spi=0x12CA5BF src-address=172.17.17.2 dst-address=172.17.17.4 state=mature
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key="6e05dcf8e9dcaa9233b76962b5427ad1e109d1b7"
enc-key="8380b7f94995137fcf9d6ea021776e68888fd95e6832f2fa"
add-lifetime=24m/30m replay=128
1 E spi=0x5ACCAAD src-address=172.17.17.4 dst-address=172.17.17.2 state=mature
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key="8856ab852815c05857b119dd3b2e70c705aae721"
enc-key="2fe96ffadcb2413f4c216f71a49110d10e22e2a457278258"
add-lifetime=24m/30m replay=128
So, this is a working IPsec tunnel between two routers with two addresses each on the IPsec-facing interface, peering each other through the higher IPs.
Hope that helps.
-Chris
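Added example (not Chris's configuration and not a RouterOS tool): a small Python check that parses the two `/ip ipsec policy` export lines from the post as pasted (including the backslash line continuation) and reports whether the two sides mirror each other. The SA endpoints must be swapped between the routers, each side's destination selector must be covered by the peer's source selector, and the `tunnel` flag must agree. A selector that is wider on one side than on the other (here router B's `src-address=0.0.0.0/0` against router A's `dst-address=172.17.19.0/24`) is reported as a warning rather than an error, because whether that is intended depends on the deployment.

```python
"""Mirror-consistency check for a pair of RouterOS IPsec policies (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed input: the /ip ipsec policy lines from the post, one per router,
# kept in RouterOS export form with the trailing-backslash line continuation.
ROUTER_A_POLICY = """add dst-address=172.17.19.0/24 sa-dst-address=172.17.17.4 sa-src-address=\\
172.17.17.2 src-address=172.17.18.0/24 tunnel=yes"""

ROUTER_B_POLICY = """add dst-address=172.17.18.0/24 sa-dst-address=172.17.17.2 sa-src-address=\\
172.17.17.4 src-address=0.0.0.0/0 tunnel=yes"""


def parse_policy(export_line: str) -> Dict[str, str]:
    """Join RouterOS continuation lines and return the key=value pairs of one entry."""
    joined = export_line.replace("\\\n", "")
    return dict(re.findall(r"(\S+?)=(\S+)", joined))


def check_pair(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare policy `a` (one router) against policy `b` (its peer).

    Returns (severity, message) findings; an empty list means the policies are
    exact mirrors of each other.
    """
    findings: List[Tuple[str, str]] = []

    # 1. The SA endpoints have to be swapped between the two routers.
    if a["sa-src-address"] != b["sa-dst-address"] or a["sa-dst-address"] != b["sa-src-address"]:
        findings.append(("error", "sa-src-address/sa-dst-address are not mirrored between peers"))

    # 2. Traffic selectors: what A sends to must be covered by what B accepts from, and vice versa.
    a_src = ipaddress.ip_network(a["src-address"])
    a_dst = ipaddress.ip_network(a["dst-address"])
    b_src = ipaddress.ip_network(b["src-address"])
    b_dst = ipaddress.ip_network(b["dst-address"])

    if not a_dst.subnet_of(b_src):
        findings.append(("error", f"A dst {a_dst} is not covered by B src {b_src}"))
    elif a_dst != b_src:
        findings.append(("warning", f"B src {b_src} is wider than A dst {a_dst}"))

    if not a_src.subnet_of(b_dst):
        findings.append(("error", f"A src {a_src} is not covered by B dst {b_dst}"))
    elif a_src != b_dst:
        findings.append(("warning", f"B dst {b_dst} is wider than A src {a_src}"))

    # 3. Both ends must agree on tunnel mode.
    if a.get("tunnel") != b.get("tunnel"):
        findings.append(("error", "tunnel= setting differs between peers"))

    return findings


if __name__ == "__main__":
    policy_a = parse_policy(ROUTER_A_POLICY)
    policy_b = parse_policy(ROUTER_B_POLICY)
    for severity, message in check_pair(policy_a, policy_b) or [("ok", "policies mirror each other")]:
        print(f"{severity}: {message}")
```

Run against the two lines from the post it prints a single warning about the `0.0.0.0/0` selector on router B; swapping an `sa-*-address` or changing `tunnel=` on one side turns that into an error.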