-Why is it not needed to activate IPsec on this second tunnel? (remote IP adresses on the tunnels are public IP adresses)
...
- in Winbox when I look at IP>IPSec, I only see one policy, one identity, one peer... -the ones that were created when I build the first tunnel-. Is this normal?
Your second question is the answer to the first one. For most use cases, it is enough to have a single "control" IPsec session between two devices, hence a single active peer. And the EoIP tunnels use GRE as transport protocol, so the source and destination addresses as well as IP protocol are the same for transport packets of both tunnels; the
tunnel-id that differentiates the two tunnels from one another is transported in the GRE headers. So as far as the traffic selector of the IPsec policy can say, there is no difference between the transport packets of the two tunnels, because it is unable to look into the GRE headers.
-Why should I run this tunnel over Wireguard ?
I'll disagree a bit with @anav here - the complexity of IPsec settings is not the reason here.
No complexity whatsoever is associated with using IPsec to encrypt EoIP as long as you are happy with the automatically generated settings, which use IKE(v1), pre-shared key authentication, and default encryption and message authenticity algorithms - it is enough to fill in a single field with a decently random secret. However, things turn more complex as soon as you want more.
First, probably the most interesting one for most Mikrotik users, Wireguard uses a cipher that is very efficient CPU-wise, so even on weak devices with no hardware encryption engines, you can get decent speeds of the tunnel while there's still CPU power left for the other tasks. For some reason, this encryption algorithm is not available for IPsec, at least in RouterOS 6.x.
Second, a pre-shared key has an intrinsic vulnerability - you have to set it up using an already encrypted channel, otherwise someone may intercept it. So nothing wrong about it if you configure both devices on your table before sending them to the actual place of deployment, but if you configure the devices remotely, there is a theoretical chance someone might decipher the configuration session and extract the key from it. You can use non-symmetric cryptography for IPsec authentication, but it requires use of certificates for IKEv2; for the original IKE (v1), the private/public key pair can be used directly too but this way is not widely supported. In Wireguard, a direct private/public key pair is the default authentication method.
Third, Wireguard can deal with change of the transport IP address at one peer without any renegotiation, which is computationally complex for a good reason. So if one of your devices is on a dynamic address, you have shorter dropouts with Wireguard. IPsec can do this too but unless something has changed recently, not on Mikrotik.
Last, configuration of Wireguard indeed requires less knowledge because almost nothing is variable. So the less options available, the less configuration needed. Of course, this lack of options can be considered both an advantage (simpler configuration) and a drawback (game over as soon as someone breaks the only ciphering algorithm available).