L2TP/IPsec VPN -- no reply to Win7
I'm trying to set up an L2TP/IPsec VPN from Windows to Omada AX3000.
The device is not replying to the Windows Client.
The device does reply to ike-scan, the device accepts with proposal MD5/3DES.
So yes, I appear to be on the same network, I can ping the device, I can open local management, I can get a security proposal accepted from a command-line utility on the client machine, and I can see the log entry on the device saying the security proposal is accepted.
There is a very explicit FAQ document, "How to configure PPTP/L2TP client on remote PC | TP-Link", but it doesn't say that anything special is required in the way of configuration of the Windows Client: just turn it on, add the name and password and pre-shared-key.
But when I do that, the negotiation isn't even getting to the PSK stage, let alone the L2TP stage: it's failing on the first step: the key exchange proposal is not just getting rejected, it's getting silently dropped.
I've got Wireshark on the client PC, and I can see the network packets going from the Windows Machine to the ER709W. When the packet is generated by ike-scan, the ER709W replies with an acceptance packet. When the packet is generated by Windows, there is no reply.
Windows is using source port 500, destination port 500
ike-scan is using source port (random), destination port (500 or 4500)
Wireshark is not reporting a malformed packet: the IPsec analyzer is describing the packets without reporting any errors. Both 500 and 4500 work correctly.
(ike-scan is using a random source port because Windows is holding onto 500: ike-scan is using destination port 500, or 4500 if I add NAT traversal.)
(ike-scan has poor support for quick/aggressive mode, but when I try it, I get a correct AUTHENTICATION_FAILED response. The packet is not dropped.)
(If ike-scan proposes only an odd transform, I get a correct NO-PROPOSAL-CHOSEN response. The packet is not dropped.)
I'm almost at a dead end. I don't know why the ER709W is dropping the IPsec negotiation packet from Windows.
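
One way to compare what the two initiators actually offer is to decode the Phase 1 transforms from the UDP payload bytes of each captured packet. This is an added example, not part of the original post; it reads only the first proposal in the SA payload, and `constructed_sample` builds a made-up main-mode packet rather than one captured from the devices discussed.

```python
import struct

# IKEv1 Phase 1 attribute types and a few common values (RFC 2409, Appendix A).
ATTRS = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life", 14: "keylen"}
NAMES = {"enc": {1: "DES", 5: "3DES", 7: "AES-CBC"}, "hash": {1: "MD5", 2: "SHA1"}, "auth": {1: "PSK"}}

def parse_attrs(buf):
    out, i = {}, 0
    while i + 4 <= len(buf):
        atype, val = struct.unpack_from("!HH", buf, i)
        i += 4
        if not atype & 0x8000:            # TLV form: second field is a length
            val, i = int.from_bytes(buf[i:i + val], "big"), i + val
        key = ATTRS.get(atype & 0x7FFF, atype & 0x7FFF)
        out[key] = NAMES.get(key, {}).get(val, val)
    return out

def sa_transforms(sa):
    # sa = SA payload body: DOI (4), situation (4), then the first proposal.
    spi_size, count = struct.unpack_from("!BB", sa, 14)
    off, out = 16 + spi_size, []
    for _ in range(count):
        length, number = struct.unpack_from("!xxHB", sa, off)
        out.append((number, parse_attrs(sa[off + 8:off + length])))
        off += length
    return out

def phase1_transforms(udp_payload):
    """Return (exchange_type, [(transform_number, attrs), ...])."""
    if udp_payload[:4] == b"\0\0\0\0":    # non-ESP marker used on UDP 4500
        udp_payload = udp_payload[4:]
    ptype, xchg = struct.unpack_from("!BxB", udp_payload, 16)
    off = 28                              # fixed ISAKMP header length
    while ptype and off + 4 <= len(udp_payload):
        nxt, length = struct.unpack_from("!BxH", udp_payload, off)
        if ptype == 1:                    # Security Association payload
            return xchg, sa_transforms(udp_payload[off + 4:off + length])
        if length < 4:
            break
        ptype, off = nxt, off + length
    return xchg, []

def constructed_sample():
    # Constructed packet: main mode (2), one 3DES/MD5/PSK/group 2 transform.
    attrs = struct.pack("!10H", 0x8001, 5, 0x8002, 1, 0x8003, 1, 0x8004, 2, 0x800B, 1)
    attrs += struct.pack("!HHI", 0x000C, 4, 28800)
    trans = struct.pack("!BxHBBxx", 0, 8 + len(attrs), 1, 1) + attrs
    prop = struct.pack("!BxHBBBB", 0, 8 + len(trans), 1, 1, 0, 1) + trans
    sa = struct.pack("!BxHII", 0, 12 + len(prop), 1, 1) + prop
    return b"\x11" * 8 + b"\0" * 8 + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa)) + sa
```

Running `phase1_transforms` on the payload of each initiator's first packet and diffing the two results shows which encryption, hash, group and lifetime values one side proposes and the other does not.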