ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Saturday

Things get more bizarre!

 

I hooked up my factory reset 605 running 2.3.1, running it totally in standalone mode

 

Default MTU of 1500 - all VPNs work to Omada and Draytek Gateways (pure IPsec only VPNs though)

WAN MTU of 1352 - optimal for my ISP and was broken on ER8411 - all VPNs work properly

Remote ER605 running 2.3.1 pure IPsec dial in VPNs - working on all WAN MTU

Remote ER605 running 2.3.1 L2TP VPNs - not working with any WAN MTU, at either end

 

I think we have 2 issues

 

ER605 2.3.1 - broken L2TP VPN MTU size

ER8411 1.3.3/1.3.6 - WAN MTU settings affect VPNs on clients

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Saturday

  @GRL 

 

Well, I'm a little confused here now. I'm behind a UX7 from Unifi, so it, like the ER8411 and ER605, can't connect, but I set up an L2TP server on an ER706W, which also has an MTU of 1380, but I can connect to it. I can't connect to the ER707-M2 with an MTU of 1380, so I don't really understand what's going on.
I have disabled SD-WAN and all other VPNs on the routers I'm testing with.
I think I'll wait until you're done with your test :-)

 

But I think an MTU of 1400 would have been a better choice for the Omada routers' L2TP server.

 

L2TP to an ER706W

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Saturday - last edited Saturday

High strangeness indeed!

 

I think it's safe to say that ER605 2.3.1 has a broken L2TP implementation though, definitely something wrong with it...

ER8411 has a broken WAN MTU implementation since I don't see the same issue on ER605....

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Saturday

  @GRL 

 

I'm sure there is something. But for me it's not a problem. I stopped using L2TP many years ago, but it might be good to report our findings to the Omada team.

 

 

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Sunday

There is another VPN issue specific to ER605 2.3.1

 

It is unreliable in re-establishing site-to-site IPsec VPN where it is the initiator.

 

We had an ISP issue today at main site causing loss of connection for several hours - after which both ER605v2 based remote sites failed to re-establish their outgoing VPN back to main site and are now sat in "disconnected" state on controller and unreachable as they haven't established the tunnel again. One site I can manage, the other I will have to physically go to to reboot it.

 

My ER8411 at home re-established its outgoing VPN to the main site just fine

 

All my Site-to-Site VPNs are configured with DPD and PFS key lifetime so should have detected the dead peer and kept trying. Didn't see this behavior prior to 2.3.1

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Wednesday

  @GRL 

Let me summarize the issues you’ve raised.
According to your tests, the problem is specific to the ER8411: changing the ISP-side MTU size affects VPN operation—when the MTU is set below 1,378 bytes, VPN (including both IPsec and L2TP) stops working.

For the ER605 running firmware 2.3.1, IPsec VPN functions normally regardless of the WAN MTU value, whereas L2TP VPN never works, no matter how the WAN MTU is adjusted.
Additionally, you mentioned that on the ER605, when it acts as the initiator of a site-to-site VPN, the tunnel does not recover automatically after an outage; a manual router reboot is required.

Please confirm whether this summary is accurate so I can forward it correctly to the relevant teams.

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Wednesday - last edited Wednesday

  @Ethan-TP 

According to your tests, the problem is specific to the ER8411: changing the ISP-side MTU size affects VPN operation—when the MTU is set below 1,378 bytes, VPN (including both IPsec and L2TP) stops working.

-- Correct. On client PC/Mac they will connect, but no data flow at all

 

For the ER605 running firmware 2.3.1, IPsec VPN functions normally regardless of the WAN MTU value

-- Correct

 

whereas L2TP VPN never works, no matter how the WAN MTU is adjusted.

-- It depends on the gateway it is connecting to. Another ER605 - No. A different brand router - sometimes yes - it depends what VPN MTU size the tunnel uses as per MR.S's findings


Additionally, you mentioned that on the ER605, when it acts as the initiator of a site-to-site VPN, the tunnel does not recover automatically after an outage; a manual router reboot is required.

 

-- Correct. It recovers after a short outage (say a router reboot at either end) but after several hours, both remote sites using ER605 as the gateway failed to reestablish the IPsec VPN and a manual reboot was required. My home ER8411 auto-recovered fine and connected by itself normally as is expected. I still have one remote site "disconnected" as its accessibility is limited. According to main site logs, it's not even trying. No DPD timeouts, connection attempts, no logs of any kind relating to IPsec from that site's public IP

 

 

Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
Wednesday

@Ethan-TP 

 

Attached video of ER8411 MTU size affecting client computer VPNs

 

 

File:
Screen Recording 2025-11-05 at 2.49.51 am.mp4
Re:ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
11 hours ago - last edited 6 hours ago

I noticed you added the “ST” tag. 
