here is the configuration
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=profilename
/ip ipsec peer
add address=ostrava_public name="ostrava" profile=profilename
add address=brno_public name="brno" profile=profilename
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=proposalname
/ip pool
add name="dhcp lan" ranges=192.168.40.150-192.168.40.254
add name=OVPNpool ranges=10.1.2.100-10.1.2.110
/ip dhcp-server
add address-pool="dhcp lan" disabled=no interface=bridge1 name=lan
/ppp profile
add local-address=OVPNpool name=OVPNprofil remote-address=OVPNpool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=eth2-lan
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OVPNprofil \
enabled=yes require-client-certificate=yes
/ip address
add address=192.168.40.1/24 interface=bridge1 network=192.168.40.0
add address=10.6.163.10/24 interface=eth1-wan network=10.6.163.0
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.10.10,8.8.8.8 domain=\
localdomain gateway=192.168.40.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.40.1 name=router type=A
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
192.168.40.0/24
add action=accept chain=forward dst-address=192.168.40.0/24 src-address=\
192.168.10.0/24
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.40.0/24
add action=accept chain=forward dst-address=192.168.40.0/24 src-address=\
192.168.20.0/24
add action=accept chain=input comment=OVPN dst-port=1194 in-interface=\
eth1-wan protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=eth1-wan
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=eth1-wan
/ip firewall nat
add action=accept chain=srcnat comment="tunel liberec-brno" dst-address=\
192.168.10.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="tunel liberec-ostrava" dst-address=\
192.168.20.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=eth1-wan
/ip ipsec identity
add peer="brno"
add peer="ostrava"
/ip ipsec policy
add dst-address=192.168.10.0/24 peer="brno" proposal=proposalname \
sa-dst-address=brno_public sa-src-address=10.6.163.10 src-address=\
192.168.40.0/24 tunnel=yes
add dst-address=192.168.20.0/24 peer="ostrava" proposal=proposalname \
sa-dst-address=ostrava_public sa-src-address=10.6.163.10 src-address=\
192.168.40.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.6.163.1