In automatic MAC mode, the bridge normally inherits the MAC address from the port made a member of it, until that port eventually goes away from the bridge. After a reboot, the ports may be added in a different order, hence the MAC address of the bridge may change. During runtime, the address should not change unless the "donor" member port is removed from the bridge.
So by copying the dynamically assigned MAC address to the "admin mac" field, you prevent further changes (or you may assign some completely different MAC address).
Do not assign the address of anything external that is connected to the bridge. The MAC address of any of the 'Tik's own interfaces that is a member port of the bridge is a safe choice.
But I don't think the MAC change is the reason for the packet loss. IPsec doesn't touch L2 at all (except indirectly, if you used EoIP over IPsec, which is not the case).
Hence please describe your problem in deeper detail:
- As at least one of the two 'Tiks must have a public IP, what happens if you ping that public IP from the other 'Tik? Do you also see some losses or not? (Responding to ICMP ping must be permitted in the input chain of the firewall on the responding 'Tik.)
- when you ping inside the IPsec tunnel, do the losses appear only when you start pinging and later on there are none, or is there a certain share of lost pings all the time? From your wording ("when it begins to have traffic, I have lost packets.") this is not 100 % clear.