DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

LAN -> WAN L2TP IPSec VPN Oddness

02 Jun 2017 18:55 #1 by iamq-yesiam
I have 2 identical 2820s.

From the LAN side of router 'A' I can L2TP IPSec into the VPN server running on router 'B' but if I try the other way round the connection never establishes.

Both clients are Windows 7 machines with identical configs.
Both routers have identical firmware & configs.

The failing connection logs this over and over till it finally fails with an L2 error:

Jun 2 18:44:27 gateway: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Jun 2 18:44:27 gateway: Responding to Main Mode from <WAN IP OF ROUTER B>

I've also tried from a different Windows client; with a 3G connection it works as expected, but on the router B LAN it fails. If I take it to a third location behind another DrayTek it also works, so it's clearly something at this end on this router...

Any ideas before I go mad? (Or have to replace the hardware)

02 Jun 2017 23:44 #2 by hornbyp
Maybe the ISP is blocking VPN traffic (in one direction, at one end)? ...

... you could try swapping the routers around, to prove it is site-specific or (and I think this works on the 2820) - try connecting to Router A's WAN IP from Router A's LAN and ditto for Router B.

My money is on this test working in both cases ...

03 Jun 2017 05:21 #3 by iamq-yesiam
Not the ISP - they're all within the same network with the same gateways, and PPTP works.

I can't really swap the routers out (they're running live sites). I suspect there is something stuck in the config this end that I can't see. Google also hints that Windows 7 may not play well without NAT-T (even though the laptop worked at another site).

05 Jun 2017 11:00 #4 by iamq-yesiam
I've had a bit more of a look, and on the working setup I also see the following lines:

Jun 5 10:55:34 gatekeeper: NAT-Traversal: Using RFC 3947, peer is NATed
Jun 5 10:55:34 gatekeeper: Matching General Setup key for dynamic ip client...

So could this be some odd NAT-T issue with one of my devices?

05 Jun 2017 16:53 #5 by hornbyp
I've been downgrading an old laptop from Windows 10 -> Windows 7 and needed to re-add my VPN connections ... so I've done a bit of playing with this.

I assume you're using the Smart VPN client to define the VPN connections?

This appears to successfully add the "ProhibitIPSEC" Registry entry (which makes Windows use a Pre-shared Key, rather than a certificate), but it doesn't seem to add the "AssumeUDPEncapsulationContextOnSendRule" value (though this seems to be for when the VPN Server is behind NAT - which yours isn't).

The Windows Firewall seems to be pre-configured to allow L2TP/IPsec (though I can't find any specific rules; it seems to be 'built-in').

In my case, I fell foul of DrayTek Firewall rules ... I'd blocked all unsolicited inbound traffic, apart from things I had NAT port mapping entries for. I needed to add UDP Ports 500 & 4500 to get it to work - and have subsequently added protocols 50, 51 and UDP port 1701 for good measure, since this is the accepted wisdom of sites such as this. (Actually 1701 is not mentioned there, but I saw it referenced in the Windows Firewall under Monitoring | Security Associations | Quick Mode.)

From your SYSLOG entries, I would suspect Router B's firewall, since the validation of the Pre-shared key doesn't seem to be happening.

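A small Python check, added here as an example and not code from the thread or from DrayTek, that reads syslog lines in the form quoted in posts #1 and #4 and reports, per peer, whether IKE Main Mode got past the initial "Responding to Main Mode" reply (as in the working router's log) or just repeats it (as in the failing one). The log lines and peer addresses below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format quoted in the thread (not real captures).
FAILING_LOG = """\
Jun 2 18:44:27 gateway: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Jun 2 18:44:27 gateway: Responding to Main Mode from 198.51.100.7
Jun 2 18:44:31 gateway: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Jun 2 18:44:31 gateway: Responding to Main Mode from 198.51.100.7
Jun 2 18:44:39 gateway: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Jun 2 18:44:39 gateway: Responding to Main Mode from 198.51.100.7
"""

WORKING_LOG = """\
Jun 5 10:55:33 gatekeeper: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Jun 5 10:55:33 gatekeeper: Responding to Main Mode from 203.0.113.9
Jun 5 10:55:34 gatekeeper: NAT-Traversal: Using RFC 3947, peer is NATed
Jun 5 10:55:34 gatekeeper: Matching General Setup key for dynamic ip client...
"""

MAIN_MODE = re.compile(r"Responding to Main Mode from (\S+)")

def analyse_ike(log_text, retry_threshold=3):
    """Classify each peer's IKE Main Mode progress from DrayTek-style syslog text.

    'progressed': a NAT-Traversal or pre-shared-key matching line followed the
    Main Mode response, so the exchange went past the first message pair.
    'stalled': the response repeated retry_threshold or more times with no
    follow-up, i.e. the PSK check never ran; in the thread this pointed at a
    firewall dropping UDP 500/4500 rather than at a wrong key.
    """
    responses = Counter()
    progressed = set()
    current_peer = None
    for line in log_text.splitlines():
        m = MAIN_MODE.search(line)
        if m:
            current_peer = m.group(1)
            responses[current_peer] += 1
        elif current_peer and ("NAT-Traversal" in line or "Matching General Setup key" in line):
            progressed.add(current_peer)
    report = {}
    for peer, n in responses.items():
        if peer in progressed:
            report[peer] = "progressed"
        elif n >= retry_threshold:
            report[peer] = "stalled"
        else:
            report[peer] = "incomplete"
    return report
```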
05 Jun 2017 17:39 #6 by iamq-yesiam
Nope - just the stock Windows client. Can't run 3rd party software for something as simple as VPN access (especially when it works everywhere else, and it may break my VPN connections to other places).
I was aware of the 'AssumeUDPEncapsulationContextOnSendRule' setting, which I've applied to one of my test machines (but funny how the laptop will work without that setting from behind several other DrayTeks/firewalls).

I'll have a look into 'ProhibitIPSEC' - again, I thought Windows did what it was told when you set the PSK and untick the certificate option...
As and when I get some more time (and downtime) I will try and play some more and see what I can find. I am debating upgrading this router to a 2860 anyway, since it's that old.