But just for information, I can't configure any policy rules on the modem, so hopefully it's enough if I do this in the MK? Thanks
Some platforms require the policy to match, Cisco does this. I'm not sure about your modem. It's best practice to match security on both sides.
Alternatively, allow all traffic through the tunnel and restrict it inbound to the MikroTik back to the VPN client. The interfaces and IP addresses would be persistent and it would be a reliable point in the network to apply an ACL. The policy is far more ideal from a CPU and bandwidth perspective.
TL;DR: try the policy first. If the IPSec connection has trouble establishing, then revert to allowing the whole connection and restricting by a normal forward ACL with the inbound interface selected to match traffic coming from the server to the client.
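As an added illustration of the two approaches in the reply above (this is example configuration written for this thread, not the poster's own config and not taken from MikroTik documentation), the RouterOS CLI below shows a narrowly scoped IPsec policy first, then the fallback of a catch-all policy plus forward-chain filter rules that only admit the wanted flows after they have been decrypted on the WAN interface. The addresses, interface name and peer name are constructed placeholders, and the `peer=` form of the policy assumes RouterOS 6.43 or later; apply only one of the two options, not both, or the policies will overlap.

```routeros
# Constructed example values (replace with your own):
#   192.168.88.0/24  local LAN behind the MikroTik
#   10.10.0.5/32     the remote VPN client
#   192.168.88.10    an internal server the client is allowed to reach
#   modem-peer       the /ip ipsec peer entry for the modem
#   ether1           the WAN interface facing the modem

# --- Option 1: scope the IPsec policy selectors (preferred; no extra CPU per packet) ---
# Only client <-> LAN traffic is ever offered to the tunnel, so nothing else can cross it.
/ip ipsec policy
add peer=modem-peer tunnel=yes action=encrypt proposal=default \
    src-address=192.168.88.0/24 dst-address=10.10.0.5/32 protocol=all \
    comment="narrow selectors: LAN <-> VPN client only"

# --- Option 2: fallback when the far side will not negotiate narrow selectors ---
# Wide policy so phase 2 establishes, then restrict in the forward chain.
/ip ipsec policy
add peer=modem-peer tunnel=yes action=encrypt proposal=default \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/16 \
    comment="catch-all policy; filtering done in /ip firewall filter"

/ip firewall filter
# ipsec-policy=in,ipsec matches only packets that were decrypted from an IPsec SA,
# and in-interface pins them to the interface the tunnel arrives on. Rule order matters:
# the explicit accepts must sit above the final drop, so place these before any
# broad accept rules (including the default fasttrack rule) in the forward chain.
add chain=forward in-interface=ether1 ipsec-policy=in,ipsec \
    src-address=10.10.0.5 dst-address=192.168.88.10 protocol=tcp dst-port=443 \
    action=accept comment="VPN client -> internal server, HTTPS only"
add chain=forward in-interface=ether1 ipsec-policy=in,ipsec \
    connection-state=established,related \
    action=accept comment="return traffic for flows already allowed"
add chain=forward in-interface=ether1 ipsec-policy=in,ipsec \
    action=drop comment="drop everything else arriving through the tunnel"
```

With option 2, the drop rule is what turns a wide tunnel back into a least-privilege one, so check it with `/ip firewall filter print stats` after bringing the tunnel up: the accept counters should move for the expected flows and the drop counter should stay near zero in normal use, which is also a cheap way to spot a client probing beyond what it was granted.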