@HeadCraft be more specific, what you described works:
[admin@rack1_b3] /interface ipip> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000
1 D ;;; ipip-tunnel4
src-address=1.1.1.1/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt
level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0
[admin@rack1_b3] /interface ipip> print
Flags: X - disabled, R - running, D - dynamic
# NAME MTU ACTUAL-MTU LOCAL-ADDRESS REMOTE-ADDRESS KEEPALIVE DSCP
0 ipip-tu... auto 1480 1.1.1.1 1.1.1.2 10s,10 inherit
[admin@rack1_b3] /interface ipip> set 0 local-address=2.2.2.2
[admin@rack1_b3] /interface ipip> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000
1 D ;;; ipip-tunnel4
src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt
level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0
Sorry, I just found why it is not working correct (may be I doing it incorrect). The reason is that I use mikrotik DDNS as destination address in tunnel. So situation is:
[admin@MikroTik] > /interface ipip
add allow-fast-path=no ipsec-secret=123 !keepalive local-address=1.1.1.1 name=\
ipip-tunnel1 remote-address=google-public-dns-a.google.com
After creating interface with dns there is no ipsec policies at all.
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
Lets reboot the router, and we see the policy:
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 D ;;; ipip-tunnel1
src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any
protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no
proposal=default priority=0 ph2-count=0
Now we will change settings in tunnel interface:
[admin@MikroTik] > /interface ipip set [find name=ipip-tunnel1] local-address=3.3.3.3
But we still see old ip in policies
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 D ;;; ipip-tunnel1
src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any
protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no
proposal=default priority=0 ph2-count=0
And in peers
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; ipip-tunnel1
address=8.8.8.8/32 local-address=1.1.1.1 auth-method=pre-shared-key secret="123"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5
After rebooting the router we will see new ip.