No route found on Windows 10 side
The embedded VPN client of Windows does not handle multiple policies; there must be a single policy with a /32 address assigned by the responder (your Mikrotik) at the Windows side and with 0.0.0.0/0 at the peer (Mikrotik) side. So the policy template for the Windows clients at the Mikrotik must say src-address=0.0.0.0/0 dst-address=10.11.12.0/24. The actual subnets to be routed via the tunnel are pushed to the Windows client using DHCP Option 249 in a DHCPINFORM exchange - in other words, Windows breaks the IPsec standard mandating that policies supersede any results of routing. So on the mode-config row(s) for the Windows clients, you have to state split-include=10.11.11.0/24,192.168.1.0/24, and the policy template group for them must contain a single policy template as above; as a result, routes to 10.11.11.0/24 and to 192.168.1.0/24 will be pushed to the Windows clients. If they are not, the DHCPINFORM requests from the clients may be blocked in chain input of /ip firewall filter, or your WAN interface is unusual (a VLAN, a PPPoE client - I don't remember in which of these cases it fails, and it may have changed since I last tried). If the latter turns out to be the case, the only way is to use PowerShell on every single Windows client to assign these routes to that VPN connection.
Should I create an additional IPSec policy with src-address 10.11.12.0 and dst-address 192.168.1.0?
Yes, there must be a policy with src-address=10.11.12.0/24 and dst-address=192.168.1.0/24 (from the Mikrotik perspective) in order to forward the traffic between the Windows clients and the Draytek site. Given that the Draytek is apparently on a dynamic address, you have to add a corresponding policy template at the Mikrotik side, and a static policy at the Draytek side. I'd recommend creating a dedicated policy template group for the Draytek to keep things cleanly separated.
Or, if you don't mind that the hosts on the Draytek site do not get the actual addresses of the Windows clients connecting to them, you can also use a src-nat rule at the Mikrotik to translate the source addresses of these connections to an address from 10.11.11.0/24.
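The Mikrotik side of the setup described in the reply above, written out as a RouterOS configuration sketch. This is an added example, not part of the original post: the names win-clients, draytek and pool-win, the pool range and the firewall rule placement are assumptions, while the subnets are the ones given in the post.

```routeros
# Added example. Names, pool range and rule position are assumptions.

# Pool the /32 client addresses are assigned from (range assumed)
/ip pool
add name=pool-win ranges=10.11.12.2-10.11.12.254

# Separate template groups keep Windows clients and the Draytek apart
/ip ipsec policy group
add name=win-clients
add name=draytek

/ip ipsec policy
# The single template in the Windows group:
# 0.0.0.0/0 on the Mikrotik side, the client pool on the Windows side
add group=win-clients template=yes src-address=0.0.0.0/0 \
    dst-address=10.11.12.0/24
# Template for the Draytek peer so Windows clients can reach its LAN
add group=draytek template=yes src-address=10.11.12.0/24 \
    dst-address=192.168.1.0/24

# split-include lists the subnets pushed to Windows as routes
/ip ipsec mode-config
add name=win-clients address-pool=pool-win address-prefix-length=32 \
    split-include=10.11.11.0/24,192.168.1.0/24

# The identity row for the Windows clients (not shown) must reference both:
#   mode-config=win-clients policy-template-group=win-clients

# Accept DHCPINFORM only when it arrived decrypted from IPsec and from the
# client pool. Move this rule above whatever rule drops the rest of input.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=67 \
    src-address=10.11.12.0/24 ipsec-policy=in,ipsec \
    comment="DHCPINFORM from IPsec clients"
```

Restricting the accept rule with ipsec-policy=in,ipsec and the pool's source range keeps UDP port 67 closed to anything that did not come through the tunnel.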