Mikrotik
mmaerov, 2015-03-20 17:44:45

Ubuntu Server 14.04, Mikrotik: why does the L2TP/IPsec client not work?

There is a server running Ubuntu 14.04 with L2TP/IPsec. Windows 7 connects, a Nexus 7 connects, but the Mikrotik does not; it works without IPsec, but not with it. Has anyone run into this, and can you share your experience?
I'll post the config if needed.


2 answer(s)
mmaerov, 2015-03-20
@maerov

mikrotik
# /ip ipsec peer
address=46.28.xxx.xxx local-address=31.134.xxx.xxx passive=no port=500
auth-method=pre-shared-key
secret="xxxxxxxxxxxxxxxxxxxxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=no hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024 lifetime=8h
dpd-interval=disable-dpd dpd-maximum-failures=5
# /ip ipsec policy
src-address=31.134.xxx.xxx/32 src-port=any dst-address=46.28.xxx.xxx/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=31.134.xxx.xxx
sa-dst-address=46.28.xxx.xxx proposal=default priority=0
ipsec.conf
version 2 # conforms to second version of ipsec.conf specification
config setup
    dumpdir=/var/run/pluto/
    # in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    protostack=netkey
    # decide which protocol stack is going to be used.
    force_keepalive=yes
    keep_alive=60
    # Send a keep-alive packet every 60 seconds.
    nat_traversal=yes
    # whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    # contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through whi$

conn L2TP-PSK-noNAT
    authby=secret
    # shared secret. Use rsasig for certificates.
    pfs=no
    # Disable pfs
    auto=add
    # the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
    keyingtries=3
    # Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    # https://lists.openswan.org/pipermail/users/2014-Ap ...
    # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead o$
    type=transport
    # because we use l2tp as tunnel protocol
    left=46.28.xxx.xxx
    # fill in server IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalives delay
    dpdtimeout=20
    # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the route and SA will both be cleared.
I can't find the openswan logs; I'll post them later.
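The two configs above can be cross-checked mechanically. The following is an added example, not code from the question or from RouterOS/openswan: it pulls the phase-1 proposals and the tunnel/transport setting out of constructed copies of the posted settings and reports whether the client and server agree. The DH group openswan applies to an ike= entry that names no group is passed in as an explicit assumption rather than taken as a documented default.

```python
# Added example: compare RouterOS peer/policy settings with an openswan conn.
# Sample values below are constructed from the post (addresses masked as in
# the post); default_group is an assumption, not openswan's documented default.
import re

ROUTEROS = """address=46.28.xxx.xxx local-address=31.134.xxx.xxx exchange-mode=main-l2tp
hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024
nat-traversal=no ipsec-protocols=esp tunnel=yes"""

IPSEC_CONF = """conn L2TP-PSK-noNAT
    ike=aes256-sha1,aes128-sha1,3des-sha1
    type=transport
    leftprotoport=17/1701"""


def parse_kv(text):
    # key=value tokens separated by whitespace; values never contain spaces here
    return dict(re.findall(r"(\S+?)=(\S+)", text))


def normalize(alg):
    # RouterOS writes "aes-128", openswan writes "aes128"
    return alg.replace("-", "")


def routeros_proposals(kv):
    # RouterOS peer: one hash and one DH group combined with each cipher
    encs = [normalize(e) for e in kv["enc-algorithm"].split(",")]
    return {(e, kv["hash-algorithm"], kv["dh-group"]) for e in encs}


def openswan_proposals(kv, default_group):
    # ike=enc-hash[-group],... ; missing group falls back to the assumed default
    out = set()
    for item in kv["ike"].split(","):
        parts = item.split("-")
        group = parts[2] if len(parts) > 2 else default_group
        out.add((normalize(parts[0]), parts[1], group))
    return out


def check(routeros, ipsec_conf, default_group="modp1024"):
    ckv, skv = parse_kv(routeros), parse_kv(ipsec_conf)
    client_mode = "tunnel" if ckv.get("tunnel") == "yes" else "transport"
    server_mode = skv.get("type", "tunnel")  # openswan conns default to tunnel
    return {
        "common_phase1": sorted(routeros_proposals(ckv) & openswan_proposals(skv, default_group)),
        "client_mode": client_mode,
        "server_mode": server_mode,
        "mode_matches": client_mode == server_mode,
    }


if __name__ == "__main__":
    print(check(ROUTEROS, IPSEC_CONF))
```

With the posted values the phase-1 proposals overlap, but the policy's tunnel=yes disagrees with type=transport, which is the kind of difference worth confirming in the openswan log once it is available.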

Ilya Evseev, 2015-03-21
@IlyaEvseev

This came up recently: Mikrotik+Softether: L2TP over IPsec - how to set up Mikrotik?
The server is different, but there too the problem was solved by the Mikrotik settings.
Didn't that help?
