Whereas IPsec as such doesn’t care where the NAT takes place, the Windows embedded client does - with default settings, it breaks the connection if the NAT detector indicates that the actual address of the responder (the private one of your Mikrotik) doesn’t match the one configured at the Windows side (the public IP of the modem).
There are two ways to handle this - either to change registry settings on every single Windows client you use, or to put up the public IP also on the Mikrotik and “un-dst-nat” the incoming IPsec connections back to that IP address, see http://forum.mikrotik.com/t/l2tp-vpn-can-not-connect-on-windows-10/131292/6
The drawback of the latter option is that it doesn’t work if the Windows initiator is on a public IP address unless the DMZ on the modem can also forward ESP traffic.
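For reference, the second option (the “un-dst-nat” trick) as RouterOS CLI. This is an added example, not the post author’s configuration: the addresses, the interface names `ether1` and `lo`, and RouterOS v7 (which has the built-in `lo` interface; on v6 use a port-less bridge instead) are assumptions. The registry route on the Windows side is the `AssumeUDPEncapsulationContextOnSendRule` value under `HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent`, set to 2.

```routeros
# Added example (not from the post). Assumed addresses:
#   198.51.100.7  public IP of the modem, the address the Windows client dials
#   192.168.1.2   Mikrotik WAN address inside the modem's private subnet
#   ether1        Mikrotik WAN interface facing the modem

# 1. Put the modem's public IP on the router as well. The loopback is used so the
#    address is not announced on any link; the IPsec responder can still bind to it.
/ip address add address=198.51.100.7/32 interface=lo comment="modem public IP for IPsec"

# 2. Translate the modem's port forward back to the public IP before IPsec sees it.
#    Only IKE (500) and NAT-T (4500) are touched; replies are reversed by conntrack.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,4500 \
    dst-address=192.168.1.2 action=dst-nat to-addresses=198.51.100.7 \
    comment="un-dst-nat IKE/NAT-T so the responder address matches what Windows expects"

# 3. Input filter: the same two UDP ports, plus plain ESP for the case the post warns
#    about. When the Windows initiator is on a public IP no NAT is detected on its side,
#    ESP travels as IP protocol 50 instead of UDP 4500, and the modem must forward it too.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE + NAT-T"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="ESP when NAT-T is not negotiated"

# Check: the negotiated peer should now show the public address as the local side.
/ip ipsec active-peers print
```

Place the filter rules above any generic drop in the input chain, and keep the dstnat rule above a catch-all DMZ-style rule so the IKE ports are not handed to something else first.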