DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Win10 L2TP/IPsec connection problem, with NAT routing

14 Apr 2021 12:01 #1 by mattgumbley
Hi,
I have a 2830 ADSL router, in NAT mode (subnet 192.168.0.x). Connected to this is a 2926ac Wifi router, also NAT (subnet 192.168.1.x). A variety of clients connect to the 2926ac via wifi and all work fine for typical Internet access.

However, one Windows 10 system needs to make an L2TP/IPsec (preshared key) connection to a work VPN. This works very occasionally, but mostly fails with Windows error 809:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting
which states:

Error description. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers) between your computer and the remote server is not configured to allow VPN connections. Please contact your administrator or your service provider to determine which device may be causing the problem.

Possible cause. This error is caused by blocked UDP 500 or 4500 ports on the VPN server or the firewall.

Possible solution. Ensure that UDP ports 500 and 4500 are allowed through all firewalls between the client and the RRAS server.

I have used Wireshark between the ADSL and Wifi routers and can see the client making UDP requests on port 500, then port 4500, to the VPN endpoint. I see some data coming back from the VPN endpoint (ISAKMP, ESP, UDPENCAP frames), but the tunnel does not successfully establish.

I've tried opening these ports on the ADSL router, forwarding them through the Wifi router to the Windows 10 system (whose MAC address is bound to a fixed IP address in the 192.168.1.x range, outside the DHCP pool). No luck.

I've tried connecting the Windows 10 system directly into the ADSL router via Ethernet and also via Wifi - so there's only one level of NAT going on - but no luck.

Are there any settings I have to make to allow IPsec VPN connections 'out' through these routers?

Note: I am not connecting 'in' to any VPN served by my DrayTek routers - it's all outbound to a work VPN.
Also: If the Windows 10 system is connected to a mobile broadband network via a tethered phone, the VPN connection works - so the software/configuration on the PC isn't the problem.

Kind regards, and thanks in advance for any assistance you may be able to provide,
Matt Gumbley

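As an added example (not from the poster or from DrayTek), a small Python demultiplexer for the UDP 500/4500 traffic described in the post above: it classifies each datagram as IKE Main Mode, Quick Mode, Informational, NAT-T keepalive (what Wireshark shows as UDPENCAP) or UDP-encapsulated ESP, then reports how far each direction of the handshake got. The addresses and the sample packets are constructed, not taken from the poster's capture.

```python
import struct
from collections import Counter
CLIENT, VPN = "192.168.1.50", "203.0.113.5"   # constructed placeholder addresses
NON_ESP_MARKER = b"\x00" * 4                   # precedes IKE on UDP 4500 (RFC 3948)

def ike_header(exch, resp_spi=b"\x00" * 8, msg_id=0):
    """Minimal 28-byte ISAKMP header: SPIs, next payload, version 1.0, exchange type, flags, msg id, length."""
    return b"\x11" * 8 + resp_spi + struct.pack("!BBBBII", 1, 0x10, exch, 0, msg_id, 28)

def classify(dport, payload):
    """Demultiplex one UDP payload the way a NAT-T peer does: keepalive, esp or an IKE exchange."""
    if dport == 4500:
        if payload == b"\xff":
            return "keepalive"                  # one 0xff byte; Wireshark labels it UDPENCAP
        if not payload.startswith(NON_ESP_MARKER):
            return "esp" if len(payload) >= 8 else "unknown"   # ESP: 4-byte SPI + 4-byte seq
        payload = payload[4:]                   # marker stripped, an IKE message follows
    elif dport != 500:
        return "unknown"
    if len(payload) < 28:
        return "unknown"
    # byte 18 of the ISAKMP header is the exchange type
    return {2: "ike-main", 32: "ike-quick", 5: "ike-info"}.get(payload[18], "ike-other")

def furthest_stage(packets, src):
    """Latest of main mode -> quick mode -> esp seen in packets sent by `src` (None if nothing)."""
    seen = Counter(classify(dport, pl) for s, _, dport, pl in packets if s == src)
    reached = [st for st in ("ike-main", "ike-quick", "esp") if seen[st]]
    return reached[-1] if reached else None

def diagnose(packets, client, server):
    out, inn = furthest_stage(packets, client), furthest_stage(packets, server)
    if inn is None:
        return "no reply from VPN server: UDP 500/4500 blocked or not forwarded"
    if out == inn == "esp":
        return "IKE and ESP flow both ways: IPsec is up, look at L2TP (UDP 1701) inside it"
    if out == "ike-quick" and inn == "ike-main":
        return "phase 1 completed, phase 2 (Quick Mode) unanswered"
    return f"client reached {out}, server reached {inn}"

# Constructed sample flow: Main Mode on 500, move to 4500 after NAT detection, client sends Quick Mode, server answers only with an Informational exchange.
R = b"\x22" * 8
SAMPLE = [
    (CLIENT, VPN, 500, ike_header(2)),
    (VPN, CLIENT, 500, ike_header(2, R)),
    (CLIENT, VPN, 4500, NON_ESP_MARKER + ike_header(2, R)),
    (CLIENT, VPN, 4500, NON_ESP_MARKER + ike_header(32, R, 0xABCD)),
    (VPN, CLIENT, 4500, NON_ESP_MARKER + ike_header(5, R, 1)),
    (CLIENT, VPN, 4500, b"\xff"),
]
```

Feed it (src, dst, dport, payload) tuples exported from a capture and `diagnose(packets, client_ip, server_ip)` tells you whether the stall is before phase 1, at Quick Mode, or inside the L2TP layer.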

14 Apr 2021 22:06 #2 by mattgumbley
Further attempts:
I've set the Windows 10 PC as the DMZ host.
I've set up a NAT Open Ports list for UDP 500, UDP 4500, UDP 1701, TCP 1701 - forwarding to the Windows 10 PC.
I've used the telnet interface to srv nat ipsecpass on.
No luck.


23 Apr 2021 09:17 #3 by mattgumbley
I've also tried changing the WAN MTU to 1400 as suggested in https://www.networkworld.com/article/2224654/mtu-size-issues.html - did not fix the problem.
