and I replaced the public IP with "removed"
the Mikrotik is sitting on a public IP and is NOT behind NAT
then the mikrotik has a VPN pool to NAT the VPN Clients
If the Tik sits on public IP, then the restriction of the policy template's src-address to 10.222.22.1 is a nonsense, as the policy needs to be bound to the public IP.
But this mistake is not the reason why the phase 1 packets from Tik's port 500 to client's port 11809 do not get through.
It would be fine if you could use the
/tool sniffer quick port=500 command shown above to see whether these packets (the client port will be different this time) are really sent out or not. Because if they are, the issue is not in the Mikrotik and it may be some super-paranoid firewall between your test client and the Tik's network what doesn't let them through.