Hello.
1) I created ip-ip tunnel(look picture and settings under) it works good: I could ping wan ip mikrotik from Cisco -R1: Cisco-R1#ping 10.2.2.2 source 10.1.1.2 and ping 192.168.1.2 source 192.168.1.1 works.
2) Then I enable ip-sec, it work good. But I have problem. Now I can not Cisco-R1#ping 10.2.2.2 source 10.1.1.2 but can Cisco-R1#ping 192.168.1.2 source 192.168.1.1
I don know why, please help me! No ACL or firewall enable.

Cisco-R1#ping 10.2.2.2 source 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.2
.....
Success rate is 0 percent (0/5)

Cisco-R1#ping 192.168.1.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/39/96 ms

SETTINGS:
====================================== Cisco-R1 start =======================================================

crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 2
crypto isakmp key TESTKEY address 10.2.2.2

!
crypto ipsec transform-set TRSET-AES-SHA256 esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile PROFILE-AES-SHA256
set transform-set TRSET-AES-SHA256

interface Tunnel1
description to Mikrotik
ip address 192.168.1.1 255.255.255.252
tunnel source 10.1.1.2
tunnel mode ipip
tunnel destination 10.2.2.2
tunnel protection ipsec profile PROFILE-AES-SHA256
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.252

ip route 0.0.0.0 0.0.0.0 10.1.1.1

====================================== Cisco-R1 end =======================================================

====================================== Cisco-R2 start =======================================================
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.252
!
interface Ethernet0/1
ip address 10.2.2.1 255.255.255.252

====================================== Cisco-R2 end =======================================================

======================================MikroTik start =======================================================
# mar/24/2019 06:15:15 by RouterOS 6.44.1
# software id =
#
#
#
/interface ipip
add local-address=10.2.2.2 name=Tunnel1 remote-address=10.1.1.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=10.1.1.2/32 local-address=10.2.2.2 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,camellia-256 \
hash-algorithm=sha256 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm
/ip address
add address=10.2.2.2/30 interface=ether1 network=10.2.2.0
add address=192.168.1.2/30 interface=Tunnel1 network=192.168.1.0
add address=10.10.0.2/30 interface=ether5 network=10.10.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer1 secret=TESTKEY
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/32 src-address=0.0.0.0/32
add dst-address=10.1.1.2/32 src-address=10.2.2.2/32
/ip route
add distance=1 gateway=10.2.2.1 pref-src=10.2.2.2
====================================== MikroTik end =======================================================