So there are two ways to achieve ipsec server behind nat? One using ESP with NAT traversal (as mentioned also by @sindy) and also by using protocol 50? If yes, are both options supported by mikrotik?
ESP
is IP protocol 50. As it has no notion of ports, there would be a problem if two initiators connecting to the same responder ("server") would get NATed to the same IP address, as the NAT device would not be able to find out to which of the two initiators to forward a packet from the responder. So the peers (the initiator and the responder) use the NAT-T extension to IKE(v1), or the same procedure embeddded in IKEv2, to find out that there is one or more NATs on the path between them, and if they detect that, they start encapsulating the ESP datagrams into UDP packets rather than directly into just IP packets, reusing the NAT pinholes already created for the IKE/IKEv2 control session.
The setting you can see on the "cheap router" is related to the scenario where that router
itself acts as an IPsec peer - it permits the IPsec peer running on that router to use the NAT detection & traversal mechanism described above.
A router that is doing the NAT but is not an IPsec peer itself handles
transit IPsec traffic just as any other one, without any special measures. Only if you wanted that in cases where there is no NAT between the remote peer and the local NATing router, the peers would use ESP (e.g. because the extra overhead of the UDP-encapsulated ESP would bother you), you could make a trick - port-forward incoming traffic to UDP ports 500 and 4500 as well as incoming ESP traffic to the private address of the IPsec responder at the private side of the NAT, but let the IPsec server undo the dst-nat and behave as if it had the public IP on itself, so the NAT-T mechanism would not notice that a NAT is there.