Loess.ru

having fun

Mikrotik IPSec + Android PSK XAuth

quick and dirty, based on https://wiki.mikrotik.com/wiki/Manual:IP/IPsec :

/ip ipsec peer
# passive=yes: the router only answers IKE from the phones, it never initiates
add name=mobile passive=yes
/ip ipsec profile
# phase 1 (IKE) ciphers; 3des is deprecated, keep it only while some client still needs it
set [ find default=yes ] enc-algorithm=camellia-192,aes-128,3des
/ip ipsec proposal
# phase 2 (ESP) ciphers, same remark about 3des
set [ find default=yes ] enc-algorithms=camellia-192,aes-128-cbc,3des
/ip pool
# address range handed out to connected clients
add name=ipsec ranges=private.ip.range/mask
/ip ipsec mode-config
# networks reachable through the tunnel (pushed to the client as split-include)
add address-pool=ipsec name=responder split-include=net1/mask1,net2/mask2

/ip ipsec identity
# secret= is the IKE pre-shared key common to all clients, username=/password= are the XAuth
# credentials of one user (one identity entry per user); generate-policy=port-strict creates the
# IPsec policy dynamically from the client's proposal, so no static policy is needed
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=responder password=pwd1 peer=mobile secret=secretkeyword username=uname1

/ip address
add address=net1.ip/mask1 interface=ether1 network=net1
add address=net2.ip/mask2 interface=ether1 network=net2
add address=external.ip/mask interface=ether1 network=external.net
/ip dns
set servers=ns1,ns2,ns100

/ip firewall filter
add action=accept chain=input comment="ESTABLISHED, RELATED" connection-state=established,related
add action=accept chain=input src-address=x.x.x.x/xx
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=ipsec dst-port=4500,500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward
add action=drop chain=input

/ip firewall nat
# traffic from the client pool is source-NATed to the router's own address in each internal
# network, so hosts there need no route back to the pool
add action=src-nat chain=srcnat dst-address=net1/mask1 src-address=private.ip.range/mask to-addresses=net1.ip
add action=src-nat chain=srcnat dst-address=net2/mask2 src-address=private.ip.range/mask to-addresses=net2.ip

/ip route
add distance=1 gateway=gw1
add distance=1 dst-address=netX/maskX gateway=gwX

I'll skip the Android side, since everything there is obvious.
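To confirm that the configuration above actually does what it should, here is a verification sequence to run on the router after a phone has connected. This is an added example, not part of the original post; it uses the names mobile, responder and ipsec and the private.ip.range/mask placeholder from the config above, and nothing else is assumed.

```routeros
# 1. Log IKE negotiation while testing (remove the logging rule afterwards, it is noisy).
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"

# 2. Phase 1 SA: one entry per connected client, showing the XAuth username and
#    the pool address it received.
/ip ipsec active-peers print

# 3. Phase 2 SAs: one inbound and one outbound ESP SA per client.
/ip ipsec installed-sa print

# 4. The policy created by generate-policy=port-strict: src-address is a split-include
#    network, dst-address is the client's pool address. If it is missing, phase 2 failed.
/ip ipsec policy print where dynamic=yes

# 5. Which pool addresses are currently leased to clients.
/ip pool used print where pool=ipsec

# 6. The firewall and NAT rules must actually match: the counters on the udp 500/4500
#    input rule and on the two src-nat rules have to grow while the phone pushes traffic.
/ip firewall filter print stats where comment=ipsec
/ip firewall nat print stats where src-address=private.ip.range/mask
```

If step 2 shows the peer but step 3 shows no SAs, the proposal (phase 2 ciphers) does not match what the phone offers; if step 2 is empty, look at the log from step 1 for the phase 1 or XAuth failure.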
