I can't connect to the L2TP VPN of VPN Plus Server. What can I do?

Symptoms

You set up an L2TP VPN using Synology Router's VPN Plus Server, but your client device cannot connect to it.

Go to SRM > VPN Plus Server > Overview. Make sure the L2TP section is displayed.
Go to Permission > Services. Make sure your SRM account has sufficient privileges to set up an L2TP VPN connection to your Synology Router.
Go to Standard VPN > L2TP. Make sure the option Enable SHA2-256 compatible mode (96 bit) is unselected if your client has iOS14/macOS Big Sur and above installed.¹
Check if you have correctly entered the following information on your client device:
- SRM account credentials.
- Pre-shared key² (To check, go to SRM > VPN Plus Server > Standard VPN > L2TP).
Check if your network environment is as follows. If yes, refer to this article for further troubleshooting instructions.
- Your client device is running Windows.
- The built-in Windows VPN client service is used for VPN connections.
- Your Synology Router hosting the L2TP VPN server (hereinafter "Synology Router") is behind a NAT device, e.g., another router.

If the issue persists, continue with the following section.

Connect via another device
Try connecting to the L2TP VPN via another device, e.g., a mobile phone. This is to check if the issue results from the client device you previously used.
Connect via another VPN client service
Try connecting to the L2TP VPN via another VPN client software or application. This is to check if the issue results from the VPN client service you previously adopted.
Connect via another network
Try connecting to the L2TP VPN from another network, e.g., the 4G network shared by a mobile phone. This is to check if the issue results from the network where your client device was previously located.
Connect from the VPN server's local network
Try connecting to the L2TP VPN from the local network of Synology Router by entering its private IP address.³ This is to check if the issue results from your Synology Router or its network environment. Refer to the following for details:
- If the connection is successful, go to SRM > Network Center > Security > Firewall. Check if the IP address of the previously used client device is blocked by the firewall rules on your Synology Router⁴ (refer to this article for detailed instructions).
- If the connection still fails, please contact Synology Technical Support for further diagnosis.

Notes:

Starting with iOS 14 and macOS Big Sur, iOS and macOS no longer support SHA2-256 compatible mode (96 bit). For more information, refer to this article.
The pre-shared key for your L2TP VPN should be different from that for Site-to-Site VPN.
The private IP address of Synology Router can be found at the paths below:
- SRM 1.3: Go to Network Center > Local Network > Network. Select the network where L2TP VPN is set up, and click Edit > General to check the Local IP.
- SRM 1.2: Go to Network Center > Local Network > Local IP > IP address.
If there is a parent router in the local network of your Synology Router, configure the following on the parent router:
1. Set up port forwarding rules for your Synology Router. Forward ports 500, 1701, and 4500 (UDP) on the parent router to your Synology Router.
2. Make sure no firewall rules are blocking the IP address of the previously used client device.
3. Make sure there are no port forwarding rules configured by other devices via UPnP.
4. Disable DMZ.
5. Enable L2TP VPN Pass-through if it is supported by the parent router.
6. Try enabling or disabling L2TP/IPSec ALG if it is supported by the parent router.