I feel that something is missing in the picture at my side or at yours.
First, if you use L2TP over IPsec, you can forget about policies, as they only handle the L2TP transport packets and RouterOS creates them automatically. Using ppp profiles and l2tp server bindings, you can configure fixed private IPs and fixed interface names for the local ends of the tunnels to remote sites, so you'll use usual routing. So you "only" need to deal with the fact that at least the native Win10 client sends everything via the L2TP once it establishes it, which may not be what you want, and that it doesn't re-establish the connection fast enough when it expires (this may have changed in the past weeks).
Second, what do you mean by "too open proposal"? Do you intend to keep proposals as strict as possible per client type, so you are looking for a way to have several local peers with different Phase 2 proposals, all open to unknown-in-advance remote peers, on a single public IP address?
Third, if you plan several road warriors to ever connect from behind the same public address, check this
Instead of writing novels, post /export hide-sensitive. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you with a distinctive pattern such as my.public.ip.1.
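As an added illustration of the "fixed private IPs and fixed interface names, then usual routing" approach from the reply above (example configuration written for this page, not the poster's or MikroTik's own): the profile pins the router's side of every tunnel to one address, each ppp secret pins the remote side, and a static l2tp-server binding gives each site's tunnel a persistent interface name that static routes can reference. Site names, the 10.255.0.0/24 tunnel addresses, the 192.168.x.0/24 remote LANs and the <REPLACED> secrets are constructed placeholders.

```routeros
# Constructed example (not from the thread): pin both ends of each site tunnel
# and bind the tunnel to a fixed interface name, so routing needs no IPsec policies.

# Profile: the router's own end of every tunnel using it is always 10.255.0.1
/ppp profile add name=l2tp-sites local-address=10.255.0.1 only-one=yes change-tcp-mss=yes

# One secret per remote site, each with a fixed remote address (placeholders)
/ppp secret add name=siteA service=l2tp profile=l2tp-sites remote-address=10.255.0.2 password="<REPLACED>"
/ppp secret add name=siteB service=l2tp profile=l2tp-sites remote-address=10.255.0.3 password="<REPLACED>"

# Static bindings: instead of a dynamic <l2tp-siteA> that vanishes between sessions,
# the session for user siteA always comes up as the persistent interface l2tp-siteA
/interface l2tp-server add name=l2tp-siteA user=siteA
/interface l2tp-server add name=l2tp-siteB user=siteB

# L2TP server with IPsec required; RouterOS creates the IPsec policies for the
# L2TP transport itself, so nothing about the site LANs goes into /ip ipsec policy
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret="<REPLACED>" default-profile=l2tp-sites

# Usual routing: remote LANs via the fixed interface names
/ip route add dst-address=192.168.10.0/24 gateway=l2tp-siteA comment="site A LAN (placeholder)"
/ip route add dst-address=192.168.20.0/24 gateway=l2tp-siteB comment="site B LAN (placeholder)"
```

A bound interface is only running while its user is connected, so the routes via it are inactive (not blackholed) whenever a site is down; check /interface l2tp-server and /ip route for the R flag rather than assuming the route exists. The same profile and secrets can be posted safely with /export hide-sensitive, which blanks the password and ipsec-secret values.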