Hmm it looks like if you check use IPSEC in routerOS 6.33.3 on an RB450 and the remote end also allows plain L2TP it’s possible to get into a situation where the IPSEC doesn’t come up and the L2TP ends up connected without encryption.
I would have thought it would be sensible if the IPSEC option is ticked on the outgoing dialer to stop/block non encrypted L2TP for that dialer? (Possibly auto create a f/w rule?)