I have picked a number off the 5 of a block and it works fine.

Instead of a direct IPsec tunnel, use GRE over IPsec or L2TP over IPsec to establish a tunnel, and
route your LAN traffic via that tunnel. That will end all your problems with NAT avoidance etc.

You need to set the "prefered source" on the route - it will set the outbound router ip address.

Dumb questions -just to be sure:
Did you specify that desired address as local-address in the peer definition?
Is that address actually really assigned to the router?

I have a couple of IPsec tunnels running here with multiple WAN addresses and they're running just fine as expected...

-Chris

Not back in the office, but I have an idea to check in the mean time:

Do you have any masquerade rules configured in /ip firewall nat?
I could bet you have.
Masquerade always uses the lowest address on the interface, no matter what is defined beforehand.
Convert this rule to src-nat (and to-address to your desired address on that interface you wish to use for regular traffic) and then it should work.

-Chris

We're using src-nat but I don't think it matters since you have to define "accept srcnat src.address dst.adress" as the first entry for the tunnel to disable any further NAT-translations.

/ip address
add address=172.17.17.1/24 interface=ether9 network=172.17.17.0
add address=172.17.17.2/24 interface=ether9 network=172.17.17.0
add address=172.17.18.1/24 interface=bridge2 network=172.17.18.0

/ip ipsec peer
add address=172.17.17.4/32 local-address=172.17.17.2 my-id=address:172.17.17.2 \
    secret=test
/ip ipsec policy
add dst-address=172.17.19.0/24 sa-dst-address=172.17.17.4 sa-src-address=\
    172.17.17.2 src-address=172.17.18.0/24 tunnel=yes

/ip address
add address=172.17.17.3/24 interface=ether9 network=172.17.17.0
add address=172.17.17.4/24 interface=ether9 network=172.17.17.0
add address=172.17.19.1/24 interface=bridge2 network=172.17.19.0

/ip ipsec peer
add address=172.17.17.2/32 local-address=172.17.17.4 my-id=address:172.17.17.4 \
    secret=test
/ip ipsec policy
add dst-address=172.17.18.0/24 sa-dst-address=172.17.17.2 sa-src-address=\
    172.17.17.4 src-address=0.0.0.0/0 tunnel=yes

[admin@routerB] > /ip ipsec remote-peers pr 
Flags: R - responder, N - natt-peer 
 #    ID                   STATE             
 0                         established       
[admin@routerB] > /ip ipsec installed-sa pr
Flags: A - AH, E - ESP 
 0 E spi=0x12CA5BF src-address=172.17.17.2 dst-address=172.17.17.4 state=mature 
     auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="6e05dcf8e9dcaa9233b76962b5427ad1e109d1b7" 
     enc-key="8380b7f94995137fcf9d6ea021776e68888fd95e6832f2fa" 
     add-lifetime=24m/30m replay=128 

 1 E spi=0x5ACCAAD src-address=172.17.17.4 dst-address=172.17.17.2 state=mature 
     auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="8856ab852815c05857b119dd3b2e70c705aae721" 
     enc-key="2fe96ffadcb2413f4c216f71a49110d10e22e2a457278258" 
     add-lifetime=24m/30m replay=128 

Now you mention it... that makes sense. Thanks.
And I second the proposal for GRE/IPsec
-Chris

Packet flow diagram will illustrate why you need route for destination even if gateway of that route will not be used:

• Define each ip address in the WAN subnet as /32 that automatically gets it's own routing path and pref source.
• Set a static route i.e "ip route dst-address=x.x.x.x/32 gateway=y.y.y.y pref-src=x.x.x.x"

Sorry for the delay- I was a bit more than just busy.
So I tested everything again and it is definitely working and I am passing traffic through the tunnel.

What I noticed is that the tunnel breaks if one or both of the routers do not have a default route. That was new to me too.

-Chris

I concur, but even if you put GRE/L2PT on top of the tunnel you'll probably get the same issue with the outbound address as before...

Don't do it that way!
Delete the IPsec Peer and Policy you have now, create a GRE interface, specify source and destination address (the public IPs of the routers) and set an IPsec secret.
Then put a /30 network on the GRE interfaces (e.g. 10.0.0.1/30 and 10.0.0.2/30) and route the networks on each side via that gateway.

dead peer detection should be enabled by default (interval 120 tries 5)