The answer really depends of what your exact requirements are. Are you going to use Mikrotik devices on both sides of your site-to-site tunnel?
IPsec implementation in RouterOS supports RSA authentication (i.e. with certificates), so L2TP over IPsec supports it also. However it may not be compatible with other vendors' implementations. For instance, when you configure L2TP/IPsec with certificates in Microsoft Windows, Windows assumes that IKEv2 should be used, which is not currently supported in RouterOS.