mcisar
newbie
Topic Author
Posts: 28
Joined: Fri Mar 20, 2015 5:51 pm

L2TP/IPSec PSK VPN Help

Wed Apr 15, 2020 9:33 pm

Does anyone have a quick "recipe/script" for rolling out an L2TP/IPsec PSK (client-to-server) VPN on a MikroTik? Apparently it's a little more complicated than my experience level with MikroTik allows, and I'm just confusing myself more every time I try something and it doesn't work :-)

Some background... initially we set up a number of remote sites which just had simple PPTP VPN setups for emergency management purposes. The basic requirement was that we could connect from Win10 or Android using the built-in VPN clients in those respective products. Up to this point this had worked with no issues. Recently we've had a number of circumstances, however, where we didn't have Wi-Fi connectivity and attempted to connect using our cellular data (either on the Android phone directly, or via the LTE connection in the Win10 laptop). Unfortunately we've discovered that (from what I've read, for reasons above my pay grade) the cell provider is somehow blocking or not supporting PPTP VPN connections on their network.

From what I've read an L2TP/IPsec PSK VPN should be allowed by the carrier (not confirmed), and should be supported by the built-in VPN clients in Android and Windows, so that meets those criteria as well. Unfortunately, after trying several articles I've found online and trying various things to get them working, I don't seem to be making any progress. It doesn't seem like it should be so hard, but obviously I'm missing something.

What I'm seeing in the logs when I try to connect is the following...
failed to pre-process ph2 packet
peer sent packet for dead phase 2

Happy to either troubleshoot what I have, or wipe it out and try from scratch with someone else's working configuration. I should note that there are L2TP site-to-site VPNs running on some of these sites, so I can't screw those up in the process :-)

Thanks!
 
sindy
Forum Guru
Posts: 11285
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec PSK VPN Help

Wed Apr 15, 2020 10:10 pm

I should note that there are L2TP site-to-site VPN's running on some of these sites, so I can't screw that up in the process :-)
There are two issues I can see here.

First, all L2TP/IPsec clients which land at the same peer must support the same peer profile (Phase 1 settings) and the same policy proposal (Phase 2 settings). Which means you have to lower some security requirements, as some parameters cannot be negotiated (e.g. the embedded VPN client in Windows doesn't support PFS). So unless at least most of the devices which act as clients in the L2TP/IPsec site-to-site mesh have a public IP, which makes it possible to create dedicated peers with separate profiles and proposals linked to them, you have to live with this.

Second, L2TP/IPsec is known to have a built-in trouble when two clients connect to the server from behind the same IP address. So you cannot use or test the road warrior remote access from the sites which already act as L2TP clients in the site-to-site mesh. There is a workaround, but even though I've created it myself, I prefer to avoid it.

A step-by-step tutorial on how to set up an L2TP/IPsec server from scratch is here, but without knowledge of your existing site-to-site configuration, I can't say which points have to be done differently. So the most important part of it for you is the recommendation on how to set up logging and use it to find out what needs to be added to the existing profiles and proposals to match the capabilities of the Windows and Android clients.

If you want assistance in troubleshooting, start by following the hint in my automatic signature right below, for the Tik planned to act as an L2TP/IPsec server for both site-to-site and road warrior clients.

IKEv2 has a few advantages over L2TP/IPsec - it doesn't suffer from the multiple clients behind the same NAT problem, it can use certificate-based identity, which makes it possible to reliably assign individual policies, including Phase 2 proposals, to each remote peer, and it can push a route list to a Windows client so you don't need to reconfigure all the client's persistent routes manually.

And the type of the incoming initial request (IKEv2 or one of three types of IKE(v1) exchange modes) is used to choose the peer at the responder side, so you can also migrate the site-to-site tunnels to IKEv2 and make IKE(v1) free for L2TP/IPsec, or vice versa.

On Android, IKEv2 can be provided using strongSwan for Android.
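The points in the reply above (a shared Phase 1 profile and Phase 2 proposal lowered to what the built-in Windows and Android clients can negotiate, and logging to see what they actually offer) as an added example that is not part of the thread and not MikroTik's own documentation. It is a RouterOS 6.4x CLI fragment for a road-warrior L2TP/IPsec PSK server; the pool, subnet, user name, the WAN interface list name, the placeholder secrets and the assumed client capabilities (AES-CBC, SHA1, DH group 14 or 2, no PFS) are assumptions to check against your own clients and existing site-to-site peers.

```routeros
# Added example, not from the thread. RouterOS 6.4x terminal syntax.
# Names, addresses and secrets are placeholders; the client capability
# lists are assumptions, not measured values.

# 0. Before touching anything, see which profile/proposal the existing
#    site-to-site peers and policies reference. With use-ipsec on the L2TP
#    server, RouterOS creates a dynamic peer that uses the "default"
#    profile and proposal, so changing those changes Phase 1/2 for every
#    peer that shares them (the first issue in the reply above).
/ip ipsec peer print
/ip ipsec policy print

# 1. Address pool and PPP profile handed to road-warrior clients
/ip pool add name=l2tp-pool ranges=192.168.89.10-192.168.89.99
/ppp profile add name=l2tp-rw local-address=192.168.89.1 \
    remote-address=l2tp-pool use-encryption=yes change-tcp-mss=yes

# 2. One PPP secret per person, never a shared login
/ppp secret add name=alice password=CHANGE-ME-alice profile=l2tp-rw service=l2tp

# 3. L2TP server; "required" refuses L2TP that did not arrive inside IPsec.
#    The PSK is one value shared by every road-warrior client.
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret=CHANGE-ME-psk default-profile=l2tp-rw authentication=mschap2

# 4. Phase 1 / Phase 2 for the dynamic L2TP peer. These must be the
#    intersection of what every client landing on this peer can do; the
#    built-in Windows and Android clients are assumed to offer AES-CBC
#    with SHA1, DH group 14 or 2, and no PFS in Phase 2. Add 3des only if
#    a client's offer in the log shows nothing stronger.
/ip ipsec profile set default enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha1 dh-group=modp2048,modp1024 nat-traversal=yes
/ip ipsec proposal set default enc-algorithms=aes-256-cbc,aes-128-cbc \
    auth-algorithms=sha1 pfs-group=none

# 5. Input firewall: IKE, NAT-T and ESP from the WAN list; plain L2TP
#    (UDP 1701) only when it was decapsulated from an IPsec SA, so the
#    PPP authentication never crosses the wire unprotected. "add" appends,
#    so move these rules above your final drop rule in chain=input.
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=500,4500 in-interface-list=WAN comment="IKE and NAT-T"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="ESP"
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=1701 ipsec-policy=in,ipsec comment="L2TP only inside IPsec"

# 6. Logging as recommended: IPsec negotiation without per-packet dumps,
#    plus the L2TP side, both kept in memory for /log print.
/system logging add topics=ipsec,!packet action=memory
/system logging add topics=l2tp,!packet action=memory

# Then connect a client while watching the log:
/log print follow-only where topics~"ipsec|l2tp"
```

Read the log from the client's Phase 1 offer downwards: the algorithms and DH group it proposes are what the profile must contain, and the ESP transform it offers is what the proposal must contain. A "failed to pre-process ph2 packet" after Phase 1 has completed is the place to compare the client's Phase 2 offer against the proposal and the generated policy template. This fragment does nothing about the second issue in the reply, two clients behind one NAT address; that remains a property of L2TP/IPsec itself.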