- (optional for clarity) add a bridge interface with no member ports
- attach the public IP of the NAT behind which the server Mikrotik lives to an interface on the Mikrotik as a /32 address (normally to the portless bridge created above, but you can use any interface)
- /ip firewall nat
  print chain=dstnat where !dynamic
  add chain=dstnat place-before=0 action=dst-nat protocol=udp dst-port=500,4500 in-interface=your-wan-interface to-addresses=the.public.ip.mentioned.above
- enjoy
With this “forth and back dst-nat” setup, the local address of the IPsec responder is the same as the source address from which the packets actually arrive at the initiator, so NAT-T concludes that there is no NAT at the server side. Therefore, if there is no NAT at the initiator side either, the peers conclude they can use ESP, which is an issue if you cannot configure forwarding of ESP to the Mikrotik at the NAT at the Mikrotik end.
If you need to be able to connect several L2TP/IPsec clients from behind the same client-side NAT, read this.
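The NAT detection outcome described above can be modelled with the NAT-D hash comparison from RFC 3947. This is an added example, not part of the original post; it assumes SHA-1 as the negotiated hash and unchanged ports, and all addresses and cookies are constructed sample values.

```python
import hashlib
import ipaddress

# Constructed sample values (not from the original post).
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))  # IKE cookies
PUBLIC_IP = "203.0.113.10"    # public address of the NAT in front of the Mikrotik
PRIVATE_IP = "192.168.88.2"   # Mikrotik WAN address behind that NAT
CLIENT_PUBLIC = "198.51.100.7"
CLIENT_PRIVATE = "10.0.0.5"


def nat_d(ip: str, port: int = 500) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 is assumed as the negotiated hash.
    """
    packed = ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(CKY_I + CKY_R + packed).digest()


def nat_detected(local_ip: str, seen_as_ip: str) -> bool:
    """A peer advertises the hash of its own local address; the other end
    hashes the source address the packet really arrived from and compares."""
    return nat_d(local_ip) != nat_d(seen_as_ip)


def encapsulation(init_local: str, init_seen_as: str,
                  resp_local: str, resp_seen_as: str) -> str:
    """Return what the peers settle on after comparing NAT-D payloads."""
    if nat_detected(init_local, init_seen_as) or nat_detected(resp_local, resp_seen_as):
        return "udp-encapsulated-esp"   # continues on UDP 4500
    return "plain-esp"                  # IP protocol 50, needs ESP forwarding at the NAT


if __name__ == "__main__":
    # Plain port forwarding: the responder's local address is the private one.
    print(encapsulation(CLIENT_PUBLIC, CLIENT_PUBLIC, PRIVATE_IP, PUBLIC_IP))
    # With the dst-nat rule: the responder's local address is the public one.
    print(encapsulation(CLIENT_PUBLIC, CLIENT_PUBLIC, PUBLIC_IP, PUBLIC_IP))
    # Same rule, but the client itself sits behind a NAT.
    print(encapsulation(CLIENT_PRIVATE, CLIENT_PUBLIC, PUBLIC_IP, PUBLIC_IP))
```

The second case is the one the caveat is about: both hashes match, so the peers choose plain ESP, which only works if the NAT at the Mikrotik end forwards ESP.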