I was thinking on a rather simple question:
After buliding up an IKE VPN (from Android to Mikrotik v6.49.7), it seems my Android phone can browse the internet just like if it was joined to this Mikrotik locally.
IPSec's policy defines a range for dst-address and it's mode config sets an address pool. This way, android gets an address from the pool, and everything is working correctly.
What I don't understand is how response packets find back to my android: I didn't have to add any mangles or firewall or nat rules to make this work.
Are IPSec peers' addresses considered the same as other "physically" connected clients' when Mikrotik searches for the response's dst? Is it that simple?
Thank you!