Admi0n, 2019-12-08 22:51:18

How to connect two Mikrotiks through different providers?

Hello, this is the situation.
There is the first Mikrotik; 16 IP cameras are connected to it, and it has Internet access through provider No. 1.
The task is to transfer all traffic from these cameras to another Mikrotik that is connected to provider No. 2. How do I bring these cameras into the local network of the second Mikrotik? I suppose I need to set up a VPN between these two points? Or what is the best way to implement it? If VPN, then which protocol is better for video surveillance and Mikrotik? And should both routers in this case have dedicated / white IP addresses?

8 answer(s)
status6, 2019-12-09
@status6

It is necessary to encrypt everything; "if" remains somewhere far away. IPSec tunnel or L2TP+IPSec. It all depends on the bandwidth of the provider and the power of the equipment. One Mikrotik differs from another. At least one white IP is needed; then the second Mikrotik will simply be the initiator of the tunnel. I would send the second stream of the cameras (worst quality) into the tunnel. If someone really wants to, he will go through the tunnel and select the desired camera with the best quality.

Vadim Nikolaev, 2019-12-10
@vadimbn

For IPsec, it is highly desirable to choose models that can encrypt in hardware. The minimum price options are hEX (rb750gr3), hAP AC2, rb450gx4. You can build a simple policy-based IPsec tunnel, or you can use ipip or eoip over ipsec; you just need to make sure that the protocols and ports of the ipsec stack are not blocked by the providers. If there is such blocking, then it is better not to use Mikrotiks and to make an OpenVPN tunnel; Mikrotiks have their own, far from the best and most convenient, implementation of OpenVPN. You can, for example, use the pfsense router distribution. When using ipsec, one of the routers must have a white IP address, the second may have a gray one; ipsec can establish a connection through NAT.

ky0, 2019-12-08
@ky0

The type of tunnel is unprincipled. Two white addresses are not required, one is enough.

CityCat4, 2019-12-09
@CityCat4

If encryption and security are not important, then whatever, even pptp. If they are important, IPSec.
Two white IPs will simplify the setup, but it is important to have one; then the connection is always established by the second one (the one with a gray IP). If there are two, then it does not matter who establishes the connection.

Drno, 2019-12-09
@Drno

In your case, to save router resources, use pptp.
Next, either port forwarding, or combine the networks by routing.

RedKlim, 2019-12-10
@RedKlim

It is fashionable to get by with one white address. Raise an L2TP connection to the white IP. Then implement an EoIP tunnel on that connection. It is EoIP that will give you one channel environment, that is, L2 between these Mikrotiks. Then use whatever you want in L2: VLANs, forwarding, etc. The disadvantage of this method is a maximum data transfer rate in the region of 80 Mbps. Why, I think, is understandable: a lot of encapsulations.
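
The layering described in the answer above (L2TP raised to the white IP, then EoIP on top of it), written out as RouterOS v6 commands with IPsec made mandatory on the L2TP link. This is an added example, not part of the thread; the addresses, interface and bridge names, tunnel id and secrets are constructed placeholders.

```routeros
# Added example; every name, address and secret below is a constructed placeholder.
# 203.0.113.10 = white (public) IP of router B; 172.16.0.1/.2 = tunnel addresses.

### Router B (provider No. 2, white IP): L2TP server, IPsec mandatory
/ppp secret add name=site-a password="CHANGE-ME-PPP" service=l2tp \
    local-address=172.16.0.1 remote-address=172.16.0.2
# use-ipsec=required refuses L2TP sessions that are not protected by IPsec
/interface l2tp-server server set enabled=yes authentication=mschap2 \
    use-ipsec=required ipsec-secret="CHANGE-ME-PSK"

# These rules must sit above the final drop rule of the input chain.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only when it arrived inside IPsec"
add chain=input action=drop protocol=udp dst-port=1701 comment="no cleartext L2TP"
# EoIP is GRE-based: accept it only from the PPP tunnel, never from the WAN side
add chain=input action=accept protocol=gre in-interface=all-ppp \
    src-address=172.16.0.2 comment="EoIP from router A"

# L2 link to router A; bridge-lan is the assumed LAN bridge on B
/interface eoip add name=eoip-cams local-address=172.16.0.1 \
    remote-address=172.16.0.2 tunnel-id=16
/interface bridge port add bridge=bridge-lan interface=eoip-cams

### Router A (provider No. 1, cameras, gray IP is fine): tunnel initiator
/interface l2tp-client add name=l2tp-to-b connect-to=203.0.113.10 user=site-a \
    password="CHANGE-ME-PPP" use-ipsec=yes ipsec-secret="CHANGE-ME-PSK" disabled=no
# Move this rule above the input drop rule after adding it
/ip firewall filter add chain=input action=accept protocol=gre \
    in-interface=all-ppp src-address=172.16.0.1 comment="EoIP from router B"
/interface eoip add name=eoip-cams local-address=172.16.0.2 \
    remote-address=172.16.0.1 tunnel-id=16
# bridge-cams is the assumed bridge that holds the camera ports on A
/interface bridge port add bridge=bridge-cams interface=eoip-cams
```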

Vladimir Zp, 2019-12-10
@Zeroxzed

https://serveradmin.ru/nastrojka-vpn-openvpn-l2tp-...
Here is a comparison of popular VPN implementations in Mikrotik. There is also a comparison of the performance of different channels. It is clear that the speed will depend on the hardware, but the difference in the speed of different implementations can be estimated.

CJSC MetroCraft, 2019-12-10
@zao_MetroCraft

If there is a white IP, then you can do without VPN: you can forward 32 ports (16 cameras, video + Web). If encryption is needed, then ipsec in transport mode is excellent; it runs between the MiKROTiks, and there is no encryption inside the networks.
If access to the cameras must be restricted (there are different cases), then only VPN tunnels! Of those well supported by MiKROTik: L2TP/IPSec and EoIP/IPSec.
If it is not possible to do VPN or port forwarding, then we call the providers and ask them to provide a VPLS tunnel through MPLS tags. As a rule, providers are afraid for VPN clients and will provide an MPLS L2/L3 connection for free. But there is also a minus: you will wear yourself out explaining the situation to technical support, and in the end you will get bored.
Therefore, the best option for you is VPN tunnels: practical, safe and reliable.
