Hi,
If you are using a Windows laptop to connect to your L2TP server, it won't work.
Windows doesn't like NATed L2TP server endpoints (unless using certificates).
There is a registry hack to make it work.
If only one person (or, less good, a very trusted few) knows the IPsec password/key, it should be fine.
https://learn.microsoft.com/en-us/troub ... t-t-device
You don't need to forward port 1701 from the ISP router; it is wrapped in the port 4500 IPsec traffic
(and the default IPsec policy firewall rules should allow it into the MikroTik when it gets extracted from the IPsec).