use-ipsec=yes permits use of IPsec to protect L2TP sessions, but does not enforce it, so if the client tries to establish the L2TP connection without previously establishing an IPsec security association, Mikrotik accepts that unprotected session.

By default, the Windows native VPN client has the same setting - it prefers an IPsec-protected connection but if it cannot be established, it connects using bare L2TP anyway.

Now there are two possible reasons - either the encryption and authentication algorithm sets (proposals) are incompatible between the client and the server, or your ISP is blocking IPsec ports (the dialect of English you use suggests it could be the case). But let's be optimistic and belive it is just a configuration issue. As you say that "client does not connect from any Windows", does it mean Android, Mikrotik, iOS, or Linux clients do connect successfully even if use-ipsec is set to required?

What encryption settings on Mikrotik will be compatible with Windows 10/11 ?

What encryption settings on Mikrotik will be compatible with Windows 10/11 ?

The default ones (which the L2TP server uses to generate the IPsec settings dynamically if use-ipsec is set to yes or required) normally do. So you have probably changed them to make the Android happy?

/ip ipsec profile:
dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey

/ip ipsec proposal:
auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024

You should enable logging and see what is the strongest encryption and authentication algorithm offered by Windows. Also something is telling me that WIndows do not support pfs by default and you need PowerShell to tell them otherwise.

/system logging add topics=ipsec,!packet

Then run /log print follow-only file=ipsec-start where topics~"ipsec", make a single connection attempt from the client, stop the /log print ..., download the file ipsec-start.txt and look for "proposal" in it.

Unfortunately you have to open the terminal window and use the text commands I gave. The GUI will not show you what you need as too many lines of log are generated to fit into the memory buffer.

I'm trying to connect but no new entries appear

I'm trying to connect but no new entries appear

Now press Ctrl-C and open the file ipsec-start.txt that has appeared in the file list.

In that case, @chechito is right and you haven't configured the Windows to use IPsec (while still assuming that the ISP doesn't interfere given that Android connects allright).

Well, rather you tell me how you've managed to configure it without IPsec

When I add a VPN connection the "new" (Win10) way, I can choose between "L2TP/IPsec with certificate" and "L2TP/IPsec with pre-shared key" (plus a few other possibilities not related to L2TP), but there's no choice of bare L2TP. So I choose the "L2TP/IPsec with PSK", fill in the PSK, and that's it.

Is the Android client connecting from the same network like the Windows? I.e. could it be that connections to port 500 and 4500 are indeed blocked somewhere on the path between the Windows and the Mikrotik, but not on the path between the Android and the Mikrotik?

Can you run Wireshark on the Windows to see whether they are sending packets to UDP port 500 on the Mikrotik address?

Is the Android client connecting from the same network like the Windows? I.e. could it be that connections to port 500 and 4500 are indeed blocked somewhere on the path between the Windows and the Mikrotik, but not on the path between the Android and the Mikrotik?

Can you run Wireshark on the Windows to see whether they are sending packets to UDP port 500 on the Mikrotik address?