It's basically like this:
Two routers:
R1 (HQ) <---------GRE----------> R2 (Remote branch)
R1 WAN IP: 81.29.10.2
R1 GRE IP: 172.17.1.1/30
R2 WAN IP: 77.232.60.34
R2 GRE IP: 172.17.1.2/30
LAN at remote branch: 10.222.0.0/16
Many different hosts located in different networks are routed through the HQ router and use the GRE tunnel to access the remote network 10.222.0.0/16 at the remote branch.
Currently the GRE tunnel is not encrypted, which is bad.
I am trying to secure the GRE and the GRE only (not just any traffic between R1 and R2).
Right now this config works:
HQ:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 lifetime=1h
/ip ipsec peer
add address=77.232.60.34/32 comment=HQ enc-algorithm=aes-128 local-address=81.29.10.2 nat-traversal=no secret=megasecret
/ip ipsec policy
add comment=Branch dst-address=77.232.60.34/32 sa-dst-address=77.232.60.34 sa-src-address=81.29.10.2 src-address=81.29.10.2/32
Branch:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 lifetime=1h
/ip ipsec peer
add address=81.29.10.2/32 comment=HQ enc-algorithm=aes-128 local-address=77.232.60.34 nat-traversal=no secret=megasecret
/ip ipsec policy
add comment=HQ dst-address=81.29.10.2/32 sa-dst-address=81.29.10.2 sa-src-address=77.232.60.34 src-address=77.232.60.34/32
But it secures ALL traffic between R1 and R2, not just the GRE tunnel.
RouterOS will not let you use transport mode if the sa-src/src and/or sa-dst/dst addresses do not match in the policy, so in order to use transport mode you have to use the same addresses for the src and sa-src settings and for the dst and sa-dst settings.