Yes, both ends.
One final question, what do I do with my existing masquerade policy? Do I put your before mine, after mine or simply delete mine?
Answer: replace your masq rule with the new one, or add "ipsec-policy=out,none" to the existing masq rule.
L2TP+IPsec creates dynamic policies and dynamic routes. In case of a successful VPN connection, you should see dynamic records in the IPsec policy list and in the route list.
If PH2 State = established and you cannot reach the remote network, usually the firewall blocks the packets with the "drop everything" rule, which is the last one in the forward chain.
The following approach is also possible:
# Allow packets from remote site to LAN
/ip firewall filter
add action=accept chain=forward comment="remote -> local" src-address=192.168.2.0/24 dst-address=192.168.1.0/24
# Allow packets from LAN to remote site
/ip firewall nat
add action=accept chain=srcnat comment="local -> remote" src-address=192.168.1.0/24 dst-address=192.168.2.0/24
192.168.1.0/24 = local
192.168.2.0/24 = remote
Replace the addresses according to your setup.
The mentioned approach does not require excluding IPsec packets from masq (because the accept occurs before masq or before drop).
Firewall rule position is very important; in both chains, place the rule at the top.
You can trace issues by enabling logging (with some prefix) in the "drop everything" or another rule. The prefix allows you to quickly find the records in the log window.
You should see detailed info about the packets in the log window (/system logging info should be enabled).
Proper firewall rules have to be set on both routers.
Each setup is different; what I have written here does not mean that it is the final truth.
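The two alternatives discussed in this thread (exempting VPN traffic from masquerade with ipsec-policy=out,none, or placing explicit accept rules at the top of the srcnat and forward chains) side by side, together with the prefixed logging and the checks for the dynamic records, as an added RouterOS CLI example that is not part of the original posts. It assumes the addresses used above (192.168.1.0/24 local, 192.168.2.0/24 remote), ether1 as the WAN interface, and the rule comments and log prefix are arbitrary names chosen here; the same configuration with the two networks swapped belongs on the other router.

```routeros
# Added example, not from the original posts.
# Site A: local = 192.168.1.0/24, remote (site B) = 192.168.2.0/24.
# Assumptions: ether1 is the WAN interface; comments and log prefix are arbitrary.

# Option 1: keep masquerade for Internet traffic, but exclude packets that will be
# encrypted by the dynamic IPsec policy. ipsec-policy=out,none matches only packets
# that have NO outgoing IPsec policy, so VPN traffic keeps its source address.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 ipsec-policy=out,none \
    comment="masq non-VPN traffic only"

# Option 2: explicit accept rules placed at the top of both chains, so they are
# evaluated before masquerade (srcnat) and before the final drop (forward).
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    place-before=0 comment="local -> remote"
/ip firewall filter
add chain=forward action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    place-before=0 comment="remote -> local"

# Final "drop everything" rule with a prefix, so blocked packets are easy to find in the log.
/ip firewall filter
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="drop everything"
/system logging
add topics=firewall action=memory

# Checks once the tunnel is up: the dynamic policy and route must be present,
# and no VPN packets should appear under the drop prefix.
/ip ipsec policy print where dynamic
/ip route print where dynamic
/log print where message~"fwd-drop"
```

Use one of the two options, not both; if you add the accept rules of option 2, the plain masquerade rule may stay as it is, because the accept in srcnat is matched first. On the remote router the src-address and dst-address values are swapped.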