After configuring NAT and the L2TP over IPSec tunnel, all traffic to that particular server is translated by the NAT module of the USG and no traffic is transported through the tunnel.
This can be solved in 2 ways:
1. by using PAT (not the best solution, because in many cases all public ports need to be opened to all hosts)
2. by configuring a security ACL that denies the port numbers used by the L2TP over IPSec tunneling protocols.
By using the second method, only traffic from that particular host towards the server is transported through the tunnel; any other packets are translated by NAT and routed according to the firewall's local routing table.
Configuration of the ACL below:
acl number 3001
rule 5 deny udp destination-port eq 1701
rule 10 deny udp destination-port eq 500
rule 15 deny udp destination-port eq 4500
rule 20 permit ip
In addition to this ACL, destination NAT needs to be configured for that specific server in the untrust zone:
[USG5550-zone-untrust]destination-nat 3111 address 192.168.90.254
The problem described above happens because, without the ACL, traffic is not separated based on the port numbers.
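To check that the ACL really splits the traffic the way the post describes, the following is an added example (not part of the original post or of the USG itself): a small Python model of how a first-match ACL such as acl 3001 decides which packets are exempted from NAT. Huawei ACL rules are evaluated in ascending rule-number order and the first match wins; in a NAT policy the deny rules do not drop packets, they exclude them from translation, so the L2TP (UDP 1701), IKE (UDP 500) and NAT-T (UDP 4500) packets are left untouched for the tunnel. The Packet class, the sample packets and the "no-match" outcome are constructed for this example; the rule text is the ACL from the post.

```python
"""Model of first-match NAT-exemption ACL evaluation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp", "esp", ...
    src: str                     # source IPv4 address (not examined by acl 3001)
    dst: str                     # destination IPv4 address (not examined by acl 3001)
    dport: Optional[int] = None  # transport destination port, None for non-TCP/UDP


# (rule id, action, protocol, destination port or None)
Rule = Tuple[int, str, str, Optional[int]]

# The ACL exactly as configured in the post.
ACL_3001 = """
acl number 3001
rule 5 deny udp destination-port eq 1701
rule 10 deny udp destination-port eq 500
rule 15 deny udp destination-port eq 4500
rule 20 permit ip
"""


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny <proto> [destination-port eq P]' lines.

    Only the subset of the VRP syntax used in the post is modelled.
    The result is sorted by rule id, which is the evaluation order.
    """
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "rule":
            continue  # skip the 'acl number 3001' header
        rule_id, action, proto = int(tokens[1]), tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line}")
        dport: Optional[int] = None
        if "destination-port" in tokens:
            i = tokens.index("destination-port")
            if tokens[i + 1] != "eq":
                raise ValueError(f"only 'eq' is modelled: {line}")
            dport = int(tokens[i + 2])
        rules.append((rule_id, action, proto, dport))
    return sorted(rules)


def matches(rule: Rule, pkt: Packet) -> bool:
    """'ip' matches any protocol; a port condition is only checked if present."""
    _, _, proto, dport = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    return True


def nat_path(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides: deny -> exempt from NAT (tunnel path),
    permit -> translated by NAT. 'no-match' is a constructed label for a
    packet that hits no rule at all."""
    for rule in rules:
        if matches(rule, pkt):
            return "tunnel" if rule[1] == "deny" else "nat"
    return "no-match"


# Constructed sample traffic from a LAN host towards the server behind the USG.
SERVER = "192.168.90.254"
SAMPLE_PACKETS = [
    Packet("udp", "192.168.1.10", SERVER, 1701),  # L2TP control/data
    Packet("udp", "192.168.1.10", SERVER, 500),   # IKE
    Packet("udp", "192.168.1.10", SERVER, 4500),  # IKE / ESP over NAT-T
    Packet("tcp", "192.168.1.10", SERVER, 443),   # ordinary HTTPS
    Packet("tcp", "192.168.1.10", SERVER, 1701),  # TCP to 1701: rule 5 is udp-only
    Packet("esp", "192.168.1.10", SERVER),        # raw ESP, protocol 50, no port
]


def classify_all(acl_text: str = ACL_3001,
                 packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Return {'proto/dport': decision} for every sample packet."""
    rules = parse_acl(acl_text)
    return {f"{p.proto}/{p.dport}": nat_path(rules, p) for p in packets}


if __name__ == "__main__":
    for flow, decision in classify_all().items():
        print(f"{flow:12s} -> {decision}")
```

Two things the model makes visible about the ACL as written: the deny rules carry no source or destination address, so they exempt every host's UDP traffic to those three ports, not only the one host (a `source`/`destination` address condition on the rules would narrow that); and a raw ESP packet (protocol 50, no UDP header) falls through to rule 20 and is translated, which only matters if the peers do not use NAT-T on UDP 4500.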
My suggestion is to use the second method presented, although the first one could apply to some scenarios.