@GRL 

IPsec ALG is on by default I think, you can try disabling it to see if it makes a difference

 Nope, no difference

I have also confirmed the other posters thread that L2TP isnt passing through either

  @GRL 

yes I saw that post, I've tested a bit here, I have an L2TP/IPsec client on a Windows 11 pc that connects to a Mikrotik router, it connects just fine and everything works as it should from LAN on ER8411 and ER605, It is a full VPN so all traffic goes through the L2TP server.

no difference if I disable ipsec ALG works anyway, I can't test against ipsec server from the windows pc so I don't know if it would work.

  @MR.S 

I have also tried:

Disable DPI

Disable ALGs

Disable DNS Cache

Disable DNS Proxy

Disable all firewall attack defense settings

I have a bunch of colleagues who cannot usilise our second site client-to-site L2TP or IPSec VPNs now (hosted on a Draytek router), they are all on standalone ER605 v2s on 2.3.1 as well which havent had any other changes

  @GRL 

strange stuff, I'm going to set up an L2TP server on an ER605 that is remote to test a little more. I'll give you feedback :-)

  @GRL 

ok, this was even weirder, I set up L2TP/Ipsec on an ER605v2, my pc connects fine to this router when I'm behind an ER707-M2 or ER706W. , but when I'm behind an ER8411 or ER605v2 it doesn't work. but L2TP to the Mikrotik router works from all Omada routers.

  @MR.S 

Yep, weird, but thanks for confirming the issue

All my omada gateway and 1 draytek gateway hosted client-to-site VPNs dont work behind the ER8411 or ER605 v2

I set up a test vpn on a friends gateway (asus home router) and that works fine

Also, my mobile banking app - which i think sets up a secure tunnel - doesnt work now, i have to go on 4/5G on my phone for it to work now

  @GRL 

yes it seems like something is wrong, I tested my bank app on my phone and it worked for me :-) ok, then we'll have to wait for feedback from the Omada team..

I have finished my testing, rebuilding everything from scratch, and made the discovery of what is breaking VPNs, on my system at least

Things i did, in sequence

Factory reset Gateway, Switch, EAP pin-hole method

Forgot devices and deleted site on controller

Created new, unedited site on controller, set gateway as ER8411 only - no other changes

Adopted Factory reset Gateway

Adopted Factory reset switch

Adopted Factory reset EAP

Set Default LAN to 172.16.1.X Gateway 254, Switch 253, EAP 252

Set Default LAN DHCP gateway to switch SVI for Switch Routing

Set Gateway Static Route hopping traffic to Switch SVI

Enabled IDS/IPS Full

Enabled DNS Proxy and DNS Cache

Enabled DPI with logging

Disabled IGMP Proxy

Added my usual Site-to-site IPsec VPN to office

Enabled Second 1gig WAN port (WAN/LAN5) with gateway auto-reboot when enabled

Connect WAN5 to another network with DHCP

Enable policy routing to force all internet traffic over WAN4

Add a second Network, and enable Switch Interface for it, add it to gateway static route hopping traffic to switch

Enabled flow control on ER8411 WAN ports and SFP+ WAN/LAN 2 to switch

Set up switch ports profiles / spanning tree and apply to switch ports

Add reboot schedule for gateway and switch

Add a third network - switch only, set up switch interface and DHCP, add to gateway static route hopping traffic to switch

Configured custom gateway Echo Server and “Remember this Device”

Configured Site settings - DST, Mesh and Fast Roaming disable, Airtime Fairness

-----VPNs still working at this point-----

Now, i wanted to re-verify what my maximum MTU size was over my ISP at home (5G) - result - packet size of 1324 does not fragment

Setting MTU to 1352 (1324+header bytes) - VPNs Broken - BINGO

Setting MTU to 1378 - VPNs working

Setting MTU to 1500 - VPNs Working

Anything less than 1378 - Not Working

  @GRL 

thanks you for investigating the problem  and forwarding us a solution!

But, where did you get 1.3.6 for er8411? I only see 1.3.5 as latest RC