How can I set up a point-to-point IPv6 GRE tunnel encrypted with ipsec between my Mikrotik CCR2004 router and a Linux host running Strongswan?

We're going to use PSK identities for this, because it's a point-to-point link and there's no reason to complicate it with certificates. This works on Ubuntu 20.04 and RouterOS 6.48.1.

On the Mikrotik side, just do this (the real challenge is in getting Strongswan aligned). If you're using the default IPSec profiles for something else, you can't configure this the way I did unless everyone can use the same security spec.

/ip ipsec proposal change 0 auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=ecp521
/ip ipsec profile change 0 hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 nat-traversal=no
/interface gre6 add name=gre-whatever local-address=2002:1234::1 remote-address=2002:4321::1 ipsec-secret=changeme

Put up your GRE tunnel in Linux:

ip -6 tunnel add gre.wat mode ip6gre remote 2002:1234::1 local 2002:4321::1
ip link set gre.wat up

For strongswan, set up /etc/ipsec.secrets:

2002:1234::1 2002:4321::1 : PSK changeme

For /etc/ipsec.conf:

conn sea1
        fragmentation=yes
        keyexchange=ike
        authby=secret
        ike=aes256-sha2_512-ecp521!
        esp=aes256-sha2_512-ecp521!
        left=2002:4321::1
        leftid=2002:4321::1
        leftsubnet=%dynamic[gre]
        right=2002:1234::1
        rightid=2002:1234::1
        rightsubnet=%dynamic[gre]
        auto=route
        type=transport

Now you can configure IPv4 addresses on either end of your tunnel, and they will be tunneled through with an MTU of 1390 (unless you go enable MTU=9000).


Similar to what was posted above by Falcom Momot, you can find an entire wiki page I've done up on various VPN programs and how to link them here: https://wiki.pttlink.org/wiki/VPN

I have a section under IPSEC that covers strongSwan to MikroTik links.

The following is from this section:

strongSwan config

The following configuration will work on FreeBSD or Linux systems with strongSwan installed.

Note: You can use this config to connect two non-MikroTik systems as well. Just replicate the config below for each system you wish to connect.

ipsec.conf

/etc/ipsec.conf:

conn <name>
        authby=secret
        auto=route
        keyexchange=ike
        left=<your local IP>
        right=<remote IP of Mikrotik system>
        leftikeport=500
        rightikeport=500
        type=transport
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpddelay=5
        dpdtimeout=20
        dpdaction=clear

ipsec.secrets

/etc/ipsec.secrets:

<your local IP> <remote IP of Mikrotik system> : PSK "<Put your preshared key here>"

MikroTik Config

The following config is best done from the terminal on a MikroTik device.

Note: You can use the following config to connect two MikroTik systems. Just replicate the config below on each system you wish to connect.

 # Create the objects in dependency order: the peer references the profile,
 # the identity and policy reference the peer, and the policy references the proposal.
 /ip ipsec profile
 add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
 
 /ip ipsec proposal
 add name="ike2" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none
 
 # address= is the remote peer's address, i.e. the strongSwan host.
 /ip ipsec peer
 add name="<name of strongswan system>" address=<remote IP of strongswan system> profile=ike2 exchange-mode=main send-initial-contact=yes
 
 # peer= takes the peer's name (as given above), not its IP address.
 /ip ipsec identity
 add peer="<name of strongswan system>" auth-method=pre-shared-key secret="<Put your preshared key here>" generate-policy=no
 
 /ip ipsec policy
 add peer="<name of strongswan system>" src-address=0.0.0.0/0 dst-address=<remote IP of strongswan system> proposal=ike2 ipsec-protocols=esp