Take a look at
http://forum.mikrotik.com/t/ipsec-l2tp-vpn-on-mikrotik-behind-nat-but-with-fqdn/65755/1
http://forum.mikrotik.com/t/l2tp-ipsec-is-driving-me-crazy/96404/1
Mikrotik L2TP/IPSEC server behind nat (mikrotik wan interface without public IP address) doesn’t work or, at least, nobody suggest me how to make it work.
There is a mismatch in public/private address when the dynamic ipsec policy is created
It works if a static ipsec policy is created, but this needs the L2TP client address has to be ALWAYS the same.