Given the clear separation between the management addresses (10.200.0.0/16, btw quite overkill for a "dozen" clients) and the corporate range (192.168.0.0/16), it's nothing extremely complex.
In particular, there is no need for policy routing, just tell me whether you'll be managing the clients from the management L2TP server itself or whether there will be some subnet behind it.
Regarding "seeing" the other VPN, let me elaborate on how I understand the actual requirements:
- from the management tunnel, it should be possible to connect only to the router itself, not to the LAN devices
- from the corporate VPN, it should be the opposite: incoming connections through this tunnel should only be allowed to LAN devices, not to the router itself or to anything behind the management tunnel
- LAN devices should only be able to establish connections through the corporate tunnel, not to the router itself or through the management tunnel.
Do you agree with these requirements? If not, modify them.
What about general internet access, should the LAN devices reach the internet directly via the local WAN, via the corporate L2TP server, or not at all?
In any case, a simple zone firewall on each client is sufficient.
What might be useful, but would cause a need for policy routing if the LAN devices should connect to the internet via the corporate tunnel, is to let the two L2TP servers connect to an FQDN rather than directly to an IP number. Consider this too.
Once you give me these input data, I can give you the configuration for the client, based on a modification of the default one (am I right to expect that the client devices will be from the hXY product line?).
Also, what is your motivation to use L2TP/IPsec in particular? Will the L2TP servers be CHRs or something non-MikroTik?
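As an added illustration of the three requirements listed in the reply above (this is not configuration from the poster or from MikroTik, just one way to express those rules), here is a RouterOS "zone" firewall for a single client router built from interface lists. The interface names `l2tp-mgmt`, `l2tp-corp`, `bridge-lan` and `ether1` are assumptions; the two address ranges are the ones named in the thread. It assumes the client router initiates both L2TP/IPsec tunnels, so replies from the servers arrive as established connections, and it leaves the open question of LAN internet access as a comment.

```routeros
# Added example, not from the original post. Assumed interface names:
#   l2tp-mgmt  - L2TP/IPsec client tunnel to the management server
#   l2tp-corp  - L2TP/IPsec client tunnel to the corporate server
#   bridge-lan - the LAN devices
#   ether1     - the local WAN uplink
# Address ranges as stated in the thread: 10.200.0.0/16 management,
# 192.168.0.0/16 corporate.
/interface list
add name=zone-mgmt
add name=zone-corp
add name=zone-lan
add name=zone-wan
/interface list member
add list=zone-mgmt interface=l2tp-mgmt
add list=zone-corp interface=l2tp-corp
add list=zone-lan interface=bridge-lan
add list=zone-wan interface=ether1

/ip firewall filter
# --- input: connections to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# The router is the IPsec initiator, so IKE/NAT-T replies are already
# "established"; raw ESP is accepted explicitly because it is not a
# port-based flow (assumption: both servers are reached via ether1).
add chain=input in-interface-list=zone-wan protocol=ipsec-esp action=accept
# requirement 1: only the management tunnel may reach the router itself
add chain=input in-interface-list=zone-mgmt src-address=10.200.0.0/16 connection-state=new action=accept comment="mgmt -> router"
# everything else to the router (corporate tunnel, LAN, WAN) is refused;
# add exceptions above this rule if the router serves DHCP/DNS to the LAN
add chain=input action=drop comment="drop all other input"

# --- forward: connections through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# requirement 2: corporate tunnel -> LAN devices only
add chain=forward in-interface-list=zone-corp out-interface-list=zone-lan connection-state=new action=accept comment="corp -> LAN"
# requirement 3: LAN devices -> corporate tunnel only
add chain=forward in-interface-list=zone-lan out-interface-list=zone-corp connection-state=new action=accept comment="LAN -> corp"
# Open question from the post: if LAN internet access should go out via the
# local WAN, add a zone-lan -> zone-wan accept here plus a srcnat masquerade
# on ether1; if it should go via the corporate tunnel, policy routing is needed.
add chain=forward action=drop comment="drop mgmt<->LAN, corp<->mgmt, LAN->mgmt, LAN->WAN"
```

The final drop in each chain is what makes this a zone firewall: anything not explicitly matched above it (management tunnel to LAN, corporate tunnel to the router or to the management tunnel, LAN to the router or to the management tunnel) is refused, so new requirements are added as explicit accept rules rather than as further drops.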