VPN connection

UDP 500, UDP 1701 (L2TP) or TCP 1723 (PPTP), and UDP 4500 (Not 45000) at the firewall.
Try both L2TP and PPTP. And yes, the latter is less secure than the former.

Are both networks using the same subnet in 192.168.0.0/16 block? (That's one common trigger for IP routing problems; coffee shops and libraries often use the same 192.168.0.0/24 or 192.168.1.0/24 as many home networks, for instance.)

Issues with L2TP VPNs and Airport router devices have been posted around the forums. Try without that device in the path (such as with a server-grade VPN-capable firewall), or see if PPTP works through the Airport. Or if your router supports VPN servers, use that device as the end-point.

Please start another thread for ftp (separate question) and have a look at [configuring ftp on Mac OS X|http://labs.hoffmanlabs.com/node/942].

Trust your ISP. But verify. Test the ports (remotely).

And that you have two parallel connections from your ISP arriving in two subnets? Interesting. That's double the complexity of the usual ISP configuration. But as for testing the ports, that's easy. Shut one down and configure the remaining "primary" router to be your gateway, and test with just the "primary" connection and the other external addressing.

Don't get parallel routing into the mix until you're ready for it, as that'll server to add complexity and errors. Mac OS X doesn't do IP routing without some extra work, and you're trying to get the Mac to use two subnets and a VPN and you're smack in the middle of the two worst subnets to get a VPN going and you have at least one layer of NAT at the ISP routers.

I'd probably get a BGP-capable firewall router (which is what can do load balancing across LANs), and move the Mac inside your own perimeter. But that might require some coordination with your ISP, and of removing those two ISP routers. In your current configuration, one of those two routers is going to be the primary, and only traffic you designate (via static routes and subnet routing) is going over the secondary connection. Which is why (at least for testing) you'll want to get just one connection working, and get your VPN working over that.

Better yet, get somebody in on-site to have a look at this stuff, and to get subnet routing going.

What router are you using and is there a VPN server in it?

Some routers/firewalls can't forward UDP 500 because they contain a built-in IPSec VPN server.

Also if there is VPN passthrough config in any routers on the way from client to server try turning it on, this can sometimes help PPTP because it needs GRE protocol forwarding through all routers.

You didn't say what router/firewall you are using or what VPN client you now got working to it.
(I guess it contains a PPTP VPN server? SSL based VPN?)

Well, you could perhaps use the free VPN client/GUI IPSecuritas if it's a IPSec VPN server.
OS X IPSec server/client is Racoon (-based) and can be used for IPSec site-2-site connections too.

But the OS X L2TP client needs a L2TP VPN server and I guess the Apple VPN client Cisco compatibility builds on that too.

Otherwise if you have more than one public IP from either ISP and your router/firewall is capable of 1-1 NAT, you could perhaps forward necessary ports/protocols to the OS X server IP even if it got a IPSec server built-in.

For clarity:

L2TP server behind NAT needs 500, 1701 and 4500 forwarded - all UDP ports.

And PPTP needs TCP 1723 and GRE protocol forwarded.

If it works or not often depends on router/firewall capabilities (can it forward ports/protocols correctly).

If connecting (one or especially when) more than one remote VPN clients from behind the same router/firewall (remote office) to a VPN server especially when it also is behind NAT could mean other kinds of problems.

Your router is seemingly the same (?) as a Thomson TG585n

http://www.thomsonbroadbandpartner.com/dsl-modems-gateways/products/product-deta il.php?id=162

It seems it contains a IPSec VPN server and that's why you can have trouble getting L2TP through it (to a NATed server on it's LAN) because UDP port 500 could be "reserved" for the built-in IPSec server.

And you successfully connected a Windows XP built-in VPN client using PPTP to your OS X Server?

I would expect PPTP passthrough might work but maybe not L2TP, especially if IPSec VPN is on/running in the router.

It's a bit hard to follow your description of what works and what doesn't.

Also beware of the UPnP capability if one machine sends temporary alterations to the router it might not work as expected for others. I would probably turn it off, if possible.