Check my guide: http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1
I think you are missing a bridge/interface for the VPN server as well as a NAT rule for the internal networks. I’ve mentioned everything there.