I think the firewall INPUT chain should contain at least one rule to allow new connections on WAN, port 500 UDP, to initiate the IPsec tunnel. What about other rules to allow traffic from a road warrior via IPsec to the LAN?
You need these to allow outer-tunnel IPsec traffic (you can further restrict them to your WAN interface only):
/ip firewall filter
add chain=input comment=IPsec dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp
As to the inner-tunnel traffic, it's a bit more complicated. First, use mangle rules like these to mark (not yet decapsulated) IPsec packets with 'vpn' packet mark:
/ip firewall mangle
add action=mark-packet chain=input dst-port=4500 new-packet-mark=vpn protocol=udp
add action=mark-packet chain=input new-packet-mark=vpn protocol=ipsec-esp
The 'vpn' packet mark will be copied to your inner-tunnel packets during decapsulation, so you can use it in filter rules later.
Also please note that there's a bug in the policy templates configuration: 'dst-address' and 'src-address' are mixed up in 6.6 and earlier versions. I was going to write to support about the issue, but have not done that yet.
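A fuller rule set built around the packet-mark approach described in the answer above, added here as an illustration rather than the poster's own configuration. The WAN interface name ether1, the LAN subnet 192.168.88.0/24 and the road-warrior address pool 10.10.10.0/24 are assumptions:

```routeros
# Assumed names (not from the original post): WAN interface ether1,
# LAN subnet 192.168.88.0/24, road-warrior pool 10.10.10.0/24.

# 1. Outer tunnel: let IKE, NAT-T and ESP reach the router, only on the WAN interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=500 action=accept comment="IPsec IKE"
add chain=input in-interface=ether1 protocol=udp dst-port=4500 action=accept comment="IPsec NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="IPsec ESP"

# 2. Mark the still-encapsulated packets; the mark is kept on the inner packets
#    that re-enter the firewall after decapsulation.
/ip firewall mangle
add chain=input in-interface=ether1 protocol=udp dst-port=4500 action=mark-packet new-packet-mark=vpn passthrough=yes
add chain=input in-interface=ether1 protocol=ipsec-esp action=mark-packet new-packet-mark=vpn passthrough=yes

# 3. Inner tunnel: decapsulated packets carry packet-mark=vpn, so only traffic that
#    actually arrived through IPsec from the pool is allowed towards the LAN or the router.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward packet-mark=vpn src-address=10.10.10.0/24 dst-address=192.168.88.0/24 action=accept comment="road warrior -> LAN via IPsec"
add chain=input packet-mark=vpn src-address=10.10.10.0/24 action=accept comment="road warrior -> router via IPsec"

# 4. Packets from the pool's address range that arrive on the WAN without the mark
#    did not come through the tunnel (plaintext use of tunnel addresses): log, then drop.
add chain=forward in-interface=ether1 src-address=10.10.10.0/24 packet-mark=!vpn action=log log-prefix="ipsec-unmarked"
add chain=forward in-interface=ether1 src-address=10.10.10.0/24 packet-mark=!vpn action=drop
add chain=input in-interface=ether1 action=drop comment="default deny on WAN"
```

Rule order matters in RouterOS, so the accept rules must stay above the final input drop; check the log prefix ipsec-unmarked in /log print to see whether anything is reaching the LAN side outside the tunnel.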