Whew!
I just found a little tidbit that I hadn’t noticed before that enabled me to get the VPN L2TP working for me.
I’d been fighting with the configuration manually for a while without success, but had theoretically set everything up properly with the remapped ports and everything.
But I still couldn’t initiate a client connection over L2TP.
Then I fired up the ultra simple Server Preferences (even though I use a fair amount of the advanced configuration with the Server Manager). In the VPN tab, there’s a little button to save the VPN configuration.
So I saved it, copied the following internetconnect file to the client MacBook, opened it and it automatically created the configuration in the Networking Control Panel. The next connection failed, but with a response that I’d seen before: Kerberos authentication not working. On the server, I switched back to MS-CHAP v2 and now the VPN works perfectly.