It is a bit more complex than it seems.
First, regarding PPTP, which is the simpler case (but PPTP is anything but secure, so better not to use it). There, TCP/1723 is used to authenticate the client and negotiate the connection, and GRE is used as the transport for the actual tunnel packets. GRE is a dinosaur protocol which doesn't have the notion of ports, so in a NAT environment only one device on the private side of the NAT can talk to the same device on the public side of the NAT, no matter how clever the NAT device might be. Some NAT devices cannot forward GRE at all; some will open a pinhole if the private-side device sends a packet to the public-side one, but no public->private forwarding is configurable.
With L2TP, the behaviour changes depending on the overall situation. If there is no NAT at all, neither at the "server" (responder) nor at the "client" (initiator) side, IPsec indeed uses ESP as the transport. Like GRE, ESP has no notion of ports, so the same type of limitation applies, except that the NAT device may support ESP forwarding but not GRE forwarding, or vice versa. But an ESP packet is only sent when there is a payload packet which needs to be sent, so even if the NAT device supports ESP forwarding, the packet from the client will not be let in until the server sends its own packet to the client.
If there is NAT at the client or server side (or both), IPsec detects that and starts encapsulating ESP into UDP to allow NAT traversal. However, the embedded VPN client in Windows by default doesn't accept a situation where the NAT exists at the server side, so although technically IPsec would deal with it, the Windows client refuses to establish such a connection. One possibility is to change this default behaviour in the Windows registry, but I have no idea whether the howto for Win7 which you can google is also applicable to newer versions of Windows. Another possibility is to make the Mikrotik think it has the public IP on itself, but in that case ESP will be used if the client has a public address (i.e. no NAT on its end), so the ISP's box may not let it through.
And last, to have several L2TP/IPsec clients behind the same public IP at their end, you need to do some black magic at the server end.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
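The find-and-replace step above is easy to get wrong by hand (a public address that appears in five places must get the same placeholder everywhere, and private addresses should stay readable). The following script is an added example, not part of the original post or of RouterOS: it scans `/export hide-sensitive` output, replaces every distinct public IPv4 address with `my.public.ip.N` consistently, and leaves RFC 1918, CGNAT, loopback, link-local, multicast and unspecified addresses untouched. The sample export and the choice of which ranges count as "non-public" are assumptions made for the example; documentation ranges such as 203.0.113.0/24 are deliberately treated as public so the script errs on the side of hiding more.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Ranges that do not identify the poster; everything else is treated as public.
# Assumed policy for this example: TEST-NET and other documentation ranges are
# NOT listed here, so they are replaced as well (a real export would hold real
# addresses in those positions).
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this network" / default route 0.0.0.0/0
    "10.0.0.0/8",         # RFC 1918
    "100.64.0.0/10",      # CGNAT shared address space
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local
    "172.16.0.0/12",      # RFC 1918
    "192.168.0.0/16",     # RFC 1918
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved
    "255.255.255.255/32", # limited broadcast
)]

# Dotted quad not preceded/followed by more dotted digits, so "1.2.3.4/29"
# matches the address part only and "10.1.2.3.4" is not mis-split.
_IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)((?:\d{1,3}\.){3}\d{1,3})(?!\.?\d)")


def is_public_v4(text: str) -> bool:
    """True if text is a syntactically valid IPv4 address outside NON_PUBLIC_V4."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:   # e.g. "256.1.1.1" or a version string
        return False
    return not any(addr in net for net in NON_PUBLIC_V4)


def sanitize_export(export_text: str) -> Tuple[str, Dict[str, str]]:
    """Replace public IPv4 addresses with my.public.ip.N, numbered in order of
    first appearance, and return the rewritten text plus the mapping so the
    poster can keep a private note of what each placeholder stands for."""
    mapping: Dict[str, str] = {}

    def repl(match: "re.Match[str]") -> str:
        ip = match.group(1)
        if not is_public_v4(ip):
            return ip                         # private/special: keep as-is
        if ip not in mapping:
            mapping[ip] = f"my.public.ip.{len(mapping) + 1}"
        return mapping[ip]

    return _IPV4_RE.sub(repl, export_text), mapping


# Constructed sample in the shape of a RouterOS export; not a real router's config.
SAMPLE_EXPORT = """\
# constructed sample, not a real router export
/ip address
add address=192.168.88.1/24 interface=bridge
add address=203.0.113.5/29 interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=198.51.100.7/32 exchange-mode=main
/ppp secret
add name=laptop remote-address=192.168.89.2 service=l2tp
/ip route
add distance=1 gateway=203.0.113.1
add dst-address=0.0.0.0/0 gateway=203.0.113.5
"""

if __name__ == "__main__":
    cleaned, seen = sanitize_export(SAMPLE_EXPORT)
    print(cleaned)
    for real, placeholder in seen.items():
        print(f"{placeholder} = {real}   # keep this line private")
```

Run it with the export piped in (`python sanitize.py < export.rsc`, after swapping `SAMPLE_EXPORT` for `sys.stdin.read()`), check the mapping it prints, and post only the rewritten text. Hostnames, e-mail addresses and anything `hide-sensitive` does not already strip still need a manual pass.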