Regarding Windows IKEv2 server policy - here are settings:
These are encryption settings, not ones that control what the policy will look like.
The only thing left for me to figure out would be how to make sure that only traffic to and from 10.0.0.0/16 goes via this tunnel and all the other internet traffic goes via whatever ISP the Mikrotik has, either cable or LTE.
The thing is that the guys who have defined IPsec have created a quite unique approach - instead of creating a virtual tunnel interface, like other VPN types do, and using regular routing to choose traffic to be sent via this interface, they use so-called traffic selectors that match traffic after it has been routed the regular way, and intercept matching traffic for delivery via the tunnel rather than via its originally chosen route.
So what should happen is that the src-address of the policy at the Mikrotik side should be just the /32 address assigned by the responder. And to make a packet match that policy, you have to use an action=src-nat rule that changes the source address of the traffic that should be intercepted by the policy and sent via the tunnel. If you want to decide by dst-address, restricting the dst-address of the policy template is one possibility, but the Windows responder may not accept such a restriction; if it indeed doesn't, you have to configure the connection-mark property of the mode-config row. Doing so will cause an action=src-nat rule matching on connection-mark=the-name-from-mode-config to be created dynamically. And you'll have to add a mangle/prerouting rule assigning that connection-mark value to packets whose destination address is 10.0.0.0/16.
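The connection-mark variant described above, written out as a RouterOS configuration sketch. This is an added illustration, not configuration posted in the thread; WIN_SERVER_IP, the pre-shared-key authentication, PLACEHOLDER_PSK, the mark name to-win-vpn and the use of the default profile/proposal are all assumptions that must be adapted to the actual Windows server.

```routeros
# Added illustration (not from the thread). Placeholders / assumptions:
# WIN_SERVER_IP, PLACEHOLDER_PSK, auth-method, the mark name "to-win-vpn",
# and that profile=default / proposal=default already match the Windows side.

# 1. Phase 1 peer towards the Windows IKEv2 responder (RouterOS is the initiator).
/ip ipsec peer add name=win-ikev2 address=WIN_SERVER_IP exchange-mode=ike2 profile=default

# 2. Mode-config as initiator: RouterOS receives the /32 from the responder.
#    Because connection-mark is set, RouterOS creates the dynamic
#    chain=srcnat action=src-nat rule matching connection-mark=to-win-vpn
#    (to-addresses = the assigned /32) by itself.
/ip ipsec mode-config add name=win-ikev2-cfg responder=no connection-mark=to-win-vpn

# 3. Policy template. src 0.0.0.0/0 is narrowed to the assigned /32 when the
#    dynamic policy is generated; dst stays 0.0.0.0/0 so the Windows responder
#    is not asked to accept a restricted traffic selector.
/ip ipsec policy group add name=win-ikev2
/ip ipsec policy add group=win-ikev2 template=yes src-address=0.0.0.0/0 \
    dst-address=0.0.0.0/0 proposal=default

# 4. Identity ties peer, mode-config and policy template together.
#    Replace auth-method/secret with certificate or EAP settings if the Windows
#    server requires them.
/ip ipsec identity add peer=win-ikev2 auth-method=pre-shared-key secret=PLACEHOLDER_PSK \
    mode-config=win-ikev2-cfg policy-template-group=win-ikev2 generate-policy=port-strict

# 5. Only connections towards 10.0.0.0/16 get the mark, so only they are
#    src-nat'ed to the assigned /32 and intercepted by the policy. All other
#    traffic keeps its normal route via the cable or LTE ISP.
#    (prerouting covers traffic from LAN hosts; traffic originated by the
#    router itself would need an equivalent rule in chain=output.)
/ip firewall mangle add chain=prerouting connection-mark=no-mark dst-address=10.0.0.0/16 \
    action=mark-connection new-connection-mark=to-win-vpn passthrough=yes

# Checks once the tunnel is up:
#   /ip ipsec policy print      -> dynamic policy with src-address=<assigned /32>
#   /ip firewall nat print      -> dynamic src-nat rule with connection-mark=to-win-vpn
#   /ip ipsec active-peers print -> the Windows peer and its assigned address
```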