Mon Aug 06, 2018 3:22 pm
One clear point is that the rule permitting access to UDP port 1701 should contain an additional condition, ipsec-policy=in,ipsec, otherwise the port is open also for plain L2TP access not tunnelled via IPsec (I'm not sure how exactly use-ipsec=required modifies the behaviour of the l2tp server itself).
Other than that, the security of the L2TP/IPsec mainly depends on the IPsec part, so it depends on the strength of permitted authentication and encryption algorithms; the strongest algorithms supported by the built-in clients of Windows and Android are weaker than the strongest ones supported by Mikrotik.
You may want to implement some "ban on failed login attempt" logic into the firewall, consisting of banning access for some time for source addresses which do not send a packet to UDP/1701 within a few seconds after sending a packet to UDP/500 and/or UDP/4500, which indicates that they failed to authenticate at the IPsec level.
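One way to put both points above into a RouterOS configuration, as an added example that is not the poster's own config: the UDP/1701 rule carries the `ipsec-policy=in,ipsec` condition so plain L2TP is dropped, and the "no L2TP within a few seconds after IKE" ban is built from dynamic address lists plus a small scheduler script. RouterOS v6 CLI syntax is assumed; the list names (`ike_fresh`, `ike_seen`, `ipsec_ok`, `ike_ban`), the timeouts and the script/scheduler names are my own choices, not anything from the thread.

```routeros
# --- firewall filter, chain=input (assumed: no other rules already cover these ports) ---
/ip firewall filter
# 1. sources already banned for failing IPsec get no IKE at all
add chain=input protocol=udp dst-port=500,4500 src-address-list=ike_ban \
    action=drop comment="IKE from banned sources"
# 2. first IKE packet from a new source: remember it twice, with a short and a longer timeout.
#    add-src-to-address-list does not terminate the chain, so both rules fire for the same packet.
add chain=input protocol=udp dst-port=500,4500 src-address-list=!ike_seen \
    action=add-src-to-address-list address-list=ike_fresh address-list-timeout=10s \
    comment="IKE seen less than 10s ago"
add chain=input protocol=udp dst-port=500,4500 src-address-list=!ike_seen \
    action=add-src-to-address-list address-list=ike_seen address-list-timeout=30s \
    comment="IKE seen, waiting for L2TP follow-up"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
# 3. L2TP is accepted only when it arrives inside an IPsec SA; reaching this rule proves
#    IPsec authentication succeeded, so the source is marked as good for a while.
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=add-src-to-address-list address-list=ipsec_ok address-list-timeout=1h \
    comment="L2TP inside IPsec: IPsec auth succeeded"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept
# 4. the same port without IPsec is plain L2TP and is dropped
add chain=input protocol=udp dst-port=1701 action=drop comment="plain L2TP outside IPsec"

# --- scheduler script (assumed name: ike-fail-ban), run every 10 s ---
# For every source that started IKE: if it has since sent L2TP inside IPsec, forget it;
# if its 10 s grace entry has expired and there is still no ipsec_ok entry, ban it for 1 h.
/system script add name=ike-fail-ban source={
  :foreach e in=[/ip firewall address-list find list=ike_seen] do={
    :local a [/ip firewall address-list get $e address]
    :if ([:len [/ip firewall address-list find list=ipsec_ok address=$a]] > 0) do={
      # IPsec + L2TP completed, nothing to do
      /ip firewall address-list remove $e
    } else={
      :if ([:len [/ip firewall address-list find list=ike_fresh address=$a]] = 0) do={
        # more than 10 s since the first IKE packet and no L2TP inside IPsec: failed at IPsec level
        :if ([:len [/ip firewall address-list find list=ike_ban address=$a]] = 0) do={
          /ip firewall address-list add list=ike_ban address=$a timeout=1h \
              comment="IKE without L2TP follow-up"
        }
        /ip firewall address-list remove $e
      }
    }
  }
}
/system scheduler add name=ike-fail-ban interval=10s on-event=ike-fail-ban
```

Two caveats when using something like this: a legitimate client and a failing one behind the same NAT share one source address, so the `ipsec_ok` check deliberately prevents banning an address that has a working tunnel, and the 10 s window should be longer than the slowest expected IKE exchange on your links, otherwise slow clients get banned before their L2TP packet arrives. Watch `/ip firewall address-list print where list=ike_ban` for a while before relying on it.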