Depending on the exact set-up of your network, L2TP via IPSec requires UDP ports 500, 1701 and 4500 and the IP ESP protocol, which is IP protocol 50; that's the full-on L2TP / IPSec when behind NAT. Other than ESP (which is protocol 50 and not port 50), these are all UDP ports, and not TCP ports. (Specifically, IPSec expects UDP port 500 and ESP (protocol 50) for site-to-site non-NAT. L2TP expects UDP port 500, UDP port 1701 and UDP port 4500 when behind NAT.)
Some gateway devices have a VPN passthrough setting, which can help. (Not all have a way to enable passthrough for protocols.)
TCP 1723 is used for PPTP. Not for L2TP / IPSec.
As compared with L2TP / IPSec, PPTP is less secure, but usually easier to get going and particularly around NAT.
If you have Back To My Mac enabled on your gateway device, then you can't use a VPN. With AirPort Extreme and Time Capsule, you have to turn off Back To My Mac.
As for whether FiOS firewall blocks might be involved, probe each of the ports with the following Terminal.app netcat (nc) command:
nc -zu 10.20.30.40 target-udp-port
where your public static IP address is substituted for 10.20.30.40 in that command.
FWIW, I've been in a few of these discussions, and this forum search should get you some additional reading material.
My config is iPhone 5s LTE to Verizon FiOS with OS X 10.8.5 Server 2.2.2 on a MacBook Pro
(awaiting success reported with V3.0 on 10.9)
nc -zu seems confusing.
Stated in the 10.9 Developer man nc(1):
CAVEATS UDP port scans will always succeed (i.e. report the port as open), rendering the -uz combination of flags relatively useless.
Also, my forwarding rules are SOURCE 500
Found on Verizon FIOS Actiontec MI424Wr Rev C Firmware 22.214.171.124.126.96.36.199.4
at Advanced under Port Forwarding Rules
IPSec UDP 500 -> 500 ESP AH
when using Actiontec MI424-WR rules from factory for IPSec against the recommended definition at
10. The "Source Ports:" default setting of "ANY" should not be changed
(The source port setting of ANY is absolutely required for all port forwarding)
What will this do?
DMZ works so I assume it must be somewhere in Forwarding Rules?
Another possibility?
More data at Server V3.0
I sent feedback to have it explained more clearly!
I am lost without a picture of the systems.
The words get in the way.
Ask users to change their intranet addresses
You can ask VPN users to change the IP addresses on their home networks so the first three numbers of their IP address are different from the ones on your intranet.
For example, if your intranet IP addresses begin with 192.168.1, ask VPN users to use IP addresses beginning with 192.168.2 on their home networks.
How do I "Ask VPN Users" when I am the only VPN user who just travels with a laptop to another location?
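To turn the port list from the first post and the Actiontec "Source Ports: ANY" caveat into a repeatable check, here is an added Python example; it is not from this thread or from any vendor tool, and the Rule format and scenario names are my own constructed simplification of a gateway's forwarding table:

```python
from dataclasses import dataclass
from typing import Optional

# Port/protocol sets exactly as the thread lists them. ESP is IP protocol 50
# and has no port, so its port field is None. (Constructed table, not vendor data.)
REQUIRED = {
    "ipsec-site-to-site": {("udp", 500), ("esp", None)},
    "l2tp-ipsec-nat": {("udp", 500), ("udp", 1701), ("udp", 4500)},
    "pptp": {("tcp", 1723)},
}
VPN_UDP_PORTS = {500, 1701, 4500}


@dataclass(frozen=True)
class Rule:
    proto: str                  # "udp", "tcp", "esp" ... (hypothetical, gateway-neutral)
    port: Optional[int] = None  # destination port; None for port-less IP protocols
    src_port: str = "any"       # the gateway's "Source Ports:" field; should stay "any"


def check_rules(rules, scenario):
    """Return {'missing': [...], 'warnings': [...]} for the given VPN scenario."""
    present = {(r.proto.lower(), r.port) for r in rules}
    missing = sorted(
        f"{p} {'protocol' if port is None else port}"
        for p, port in REQUIRED[scenario] - present
    )
    warnings = []
    for r in rules:
        proto = r.proto.lower()
        if r.src_port != "any":   # thread: source port ANY is required for all forwarding
            warnings.append(f"{proto} {r.port}: source port restricted to {r.src_port}; leave it ANY")
        if proto in ("udp", "tcp") and r.port == 50:
            warnings.append(f"{proto} 50: ESP is IP protocol 50, not a port")
        if proto == "tcp" and r.port in VPN_UDP_PORTS:
            warnings.append(f"tcp {r.port}: IPSec/L2TP uses UDP {r.port}, not TCP")
        if proto == "tcp" and r.port == 1723 and scenario != "pptp":
            warnings.append("tcp 1723 is PPTP, not L2TP/IPSec")
    return {"missing": missing, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample table with the mistakes the thread warns about.
    sample = [Rule("udp", 500), Rule("udp", 1701, src_port="500"),
              Rule("tcp", 4500), Rule("udp", 50)]
    for k, v in check_rules(sample, "l2tp-ipsec-nat").items():
        print(k, v)
```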