Thanks tippenring,
I think I managed to stumble on all the bits. It's good to know I still needed the PowerShell step to get Windows 10 working.
I'm confused by the "ipsec-policy=in,ipsec" setting that I read about for securing an IPsec/L2TP server.
My aim is to have a secure setup, which only allows the needed IPsec ports and ssh.
[admin@MikroTik] > export
# mar/21/2020 16:13:37 by RouterOS 6.46.4
# software id =
#
# model = RB1100Dx4
#
# Review notes below are '#' comment lines only; every configuration line is
# exactly as exported.
/interface ethernet
# ether2 = LAN, ether1 = WAN; every other port is administratively disabled.
set [ find default-name=ether2 ] name=LAN speed=100Mbps
set [ find default-name=ether1 ] name=WAN speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
set [ find default-name=ether11 ] disabled=yes speed=100Mbps
set [ find default-name=ether12 ] disabled=yes speed=100Mbps
set [ find default-name=ether13 ] disabled=yes speed=100Mbps
/ip ipsec mode-config
set [ find default=yes ] src-address-list=local-RW
/ip ipsec profile
# IKE (phase 1): only AES-256/Camellia-256, SHA-256 and DH groups ecp256,
# modp4096, modp2048 are offered - no 3des/md5/sha1/modp1024 in the list.
set [ find default=yes ] dh-group=ecp256,modp4096,modp2048 enc-algorithm=aes-256,camellia-256 hash-algorithm=sha256
/ip ipsec proposal
# ESP (phase 2): 256-bit ciphers with SHA-256 integrity and PFS on ecp256.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256 pfs-group=ecp256
/ip pool
add name=pool1-L2TP_users ranges=192.168.255.2-192.168.255.254
/ppp profile
# VPN clients get 192.168.255.x, are pointed at 1.1.1.1 for DNS, and MPPE
# (use-encryption=required) is mandatory on the PPP layer in addition to IPsec.
set *0 dns-server=1.1.1.1 local-address=192.168.255.1 remote-address=pool1-L2TP_users use-compression=yes use-encryption=required use-mpls=no use-upnp=no
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is sent on no interface - good for exposure.
set discover-interface-list=none
/interface l2tp-server server
# use-ipsec=required: L2TP is never accepted in the clear. ipsec-secret is a
# single pre-shared key used by every L2TP client; it is redacted in this paste.
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=XXXXXXXXXX use-ipsec=required
/ip address
add address=192.168.0.27/24 comment=defconf interface=WAN network=192.168.0.0
add address=10.0.0.10/24 comment="Internal Network Interface" interface=LAN network=10.0.0.0
/ip cloud
set update-time=no
/ip dns
# allow-remote-requests=yes makes the router a resolver for LAN/VPN clients.
# It is not reachable from WAN because no input rule below accepts port 53 and
# the final "drop all from WAN" rule catches it.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=192.168.255.0/24 list=local-RW
/ip firewall filter
# Filter rules are evaluated top to bottom; the first match wins, so the order
# of the input rules relative to the final WAN drop matters.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
# NOTE(review): this ssh rule has no in-interface or src-address restriction, so
# tcp/22 is accepted from WAN as well (it precedes the WAN drop rule below).
# If WAN ssh is intended, consider limiting it with src-address-list=<trusted>.
add action=accept chain=input comment="Allow ssh" dst-port=22 protocol=tcp
# ipsec-policy=in,ipsec: this rule only matches udp/1701 packets that were just
# decapsulated from an inbound IPsec SA. Plain-text L2TP to port 1701 does not
# match here and falls through to the "drop all from WAN" rule.
add action=accept chain=input comment="Allow l2tp" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
# NOTE(review): this rule overlaps the next one - udp/4500 from WAN is already
# accepted there, so this rule only adds udp/4500 from non-WAN interfaces.
# One of the two can likely be removed to keep the rule set minimal.
add action=accept chain=input comment="Allow IPsec NAT" dst-port=4500 log=yes log-prefix=pass-ipsec protocol=udp
# IKE (500) and NAT-T (4500) from WAN; log=yes on accepts can be noisy.
add action=accept chain=input comment="IPSec incoming" dst-port=500,4500 in-interface=WAN log=yes log-prefix=pass-ipsec protocol=udp
# ESP from WAN for clients that are not behind NAT.
add action=accept chain=input comment="IPSec incoming" in-interface=WAN log=yes log-prefix=pass-ipsec protocol=ipsec-esp
# Fasttrack everything except connections marked "ipsec" (see mangle below);
# fasttracked packets bypass the remaining filter/mangle processing.
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=drop-invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN log=yes log-prefix=drop-no-dstnat
# Catch-all for the input chain from WAN. Note there is no equivalent drop for
# input arriving on LAN or on the VPN tunnels, so those sides can reach every
# service on the router.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN log=yes log-prefix=drop-from-wan
/ip firewall mangle
# Both directions of IPsec-protected traffic are marked so the fasttrack rule
# above skips them (fasttrack would otherwise break the IPsec policy lookup).
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip route
add distance=1 gateway=192.168.0.1
/ip service
# telnet, ftp, www, api and api-ssl are off. ssh and winbox are not listed here,
# so they keep their existing state (winbox is not restricted by this export;
# confirm its address= limit separately).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# strong-crypto=yes with a 4096-bit host key. forwarding-enabled=remote permits
# remote port forwarding over ssh sessions; set to no unless that is needed.
set forwarding-enabled=remote host-key-size=4096 strong-crypto=yes
/ppp secret
# NOTE(review): every password below equals its username and is shown in the
# clear by this export. These should be replaced with strong, unique values
# (and rotated now that they have been posted). service=l2tp correctly limits
# each account to L2TP only.
add name=tom password=tom service=l2tp
add name=sam password=sam service=l2tp
add name=joe password=joe service=l2tp
add name=tim password=tim service=l2tp
add name=gil password=gil service=l2tp
/system clock
set time-zone-name=Europe/London
/system logging
# ipsec topic logged - useful for troubleshooting phase 1/2 negotiation.
add topics=ipsec
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level telnet/winbox/ping are disabled on all interfaces.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager