Mikrotik L2TP-IPSec Server

/ppp profile add name=ipsec_vpn local-address=192.168.11.1 dns-server=DNS1,DNS2
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONGSECRET1" peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024
/ppp secret add name="USER" password="STRONGSECRET2" service=l2tp profile=ipsec_vpn remote-address=192.168.11.2
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

The 192.168.11.x IP addresses are an arbitrary, NOT-in-use IP address range reserved for the VPN. Remember to add an appropriate route on the connecting user's client to reach the 'real/normal' internal LAN, with the gateway being the local-address specified above (in this case, 192.168.11.1). Each /ppp secret (user login) needs a unique remote-address in the same range.
 
Move the firewall filter rules to the top (first) of the firewall rules: list the rules with /ip firewall filter print all, then reorder them with /ip firewall filter move from_number to_number.
 
DNS1,DNS2 are the DNS servers used on the normal LAN - I normally include any LAN server running a DNS server and the gateway router itself. Separate IP addresses with a comma. You can have just one.
 
STRONGSECRET1 is typically a nice long password.
STRONGSECRET2 is typically something an end user might know or remember (but not necessarily).
Remember that both of these DO show up in any 'export'ed config file.
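
Because of that last point, here is an added example (not part of the original note): a small Python filter that masks the secret= and password= values in an exported config before the file is shared or committed, and reports which menu each one was found in. The function name and the sample export are constructed for illustration; the handling of backslash-wrapped lines is an assumption about how the export wraps long commands.

```python
import re

# key=value where key is one of the two credential parameters used in the note;
# the value is a double-quoted string (backslash escapes allowed) or a bare token.
_SENSITIVE = re.compile(r'(?<![\w-])(secret|password)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
# A menu line such as "/ppp secret", optionally followed by an add/set command.
_MENU = re.compile(r'^(/[a-z0-9 -]+?)(?:\s+(?:add|set)\b.*)?$')

# Constructed sample export (not taken from a real router).
SAMPLE = r'''/ip ipsec identity
add auth-method=pre-shared-key generate-policy=port-override peer=l2tpserver \
    secret="STRONG SECRET\"1"
/ppp secret
add name=USER password=STRONGSECRET2 profile=ipsec_vpn remote-address=192.168.11.2 service=l2tp
'''


def redact_export(text, mask="<redacted>"):
    """Return (redacted_text, findings); findings is a list of (menu, key)."""
    # Assumption: long commands are wrapped with a trailing backslash and an
    # indented continuation line. Join them so a wrapped value is seen whole.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    out, findings, menu = [], [], ""
    for line in joined.splitlines():
        m = _MENU.match(line.strip())
        if m:
            menu = m.group(1)  # remember the menu for the "add" lines below it

        def _mask(match):
            findings.append((menu, match.group(1)))
            return f'{match.group(1)}="{mask}"'

        out.append(_SENSITIVE.sub(_mask, line))
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, found = redact_export(SAMPLE)
    print(redacted)
    for where, key in found:
        print(f"# masked {key}= under {where}")
```
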