If you use different addresses for incoming and outgoing connections and the policy reflects that, it would work. Either give those addresses to the servers directly, or you can use NAT on the router.
I want the servers to also go via the VPN, but only for server-initiated connections. So when a user accesses a server, the server responds without the VPN, but when the server downloads e.g. updates, that should go via the VPN (without PBR and two IPs on the servers themselves).
But yeah, it should be doable with NAT, since I can do such NAT only for outgoing connections. That said, I'm afraid policy matching is performed before NAT, so I doubt that it would work when NAT and IPsec are done by the same MikroTik. And when we're talking about two MikroTiks, then I could just as well use standard PBR and redirect outgoing traffic to a second MikroTik gateway that would only do IPsec. But I hoped for a one-box solution. I already use two MikroTiks on the path (because I'm doing QoS on the edge router and PBR on the core, and since both use mangle, it's a pain in the ass to do both PBR and QoS on one box). I really don't want to introduce a third one.