Fasttracking only handles forwarded traffic (i.e. potentially, the payload of the IPsec tunnel), but not the own traffic of the router, such as the control session of the IPsec tunnel (IKE/IKEv2) and the IPsec transport packets.
What might be related is connection tracking as such, more likely at the CRS end than at the L2TP server end. Or there may be another L2TP/IPsec client of the same L2TP/IPsec server behind the same public address like the CRS itself, which simply cannot work if you don’t take additional measures - see http://forum.mikrotik.com/t/multiple-road-warrior-l2tp-ipsec-clients-behind-nat-solved/118206/1 Such additional measures are very easy for a Mikrotik client, though.