VPN

How to setup Win -> L2TP+IPsec connection through NAT?

Hello.
The essence of the problem:
Two offices, you need to create a L2TPtunnel between the computer in the grid of the first office to the router of the second.
Scheme:

win10 (client) -> gateway (1ый офис) -> интернет -> ubiquite router (2ой офис, server)

Problem:
On Windows, the interface is configured by standard means, when I try, it gives an 809 error. The error is common, measures have been taken in the form of editing the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

AssumeUDPEncapsulationContextOnSendRule
added value option 1 or 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters

added option ProhibitIpSec
value 1
changed option AllowL2TPWeakCrypto
value 1
Packets do not leave without this.
I note that on other computers (home and remote in another city) operations with the registry were not carried out and everything took off without any complaints.
Sniffed wiresharkon win10and tcpdumpon the receiver ubiquite, everything that leaves everything comes.
I found a launch crutch, but this is some kind of nonsense, then there will be magic that I do not understand:
1. We win10raise win10the virtual machine, in the virtual machine (I tried it with linux, a similar success).
2. We configure the interface on the VM, we do not touch the registry.
3. We are trying to connect - the connection is successful.
4. Disconnect
5. We are trying to connect already on the host win10- successfully.
If you disconnect and after some time try again, then again 809 error.
Apparently ESTABLISHEDthe connection allows you to connect from the host Windows, but why it does not work without such a crutch is not clear.
Tell me, please, where to dig?
Do you have clarifying questions?
UPD
Users are mac connected without complaints.
The security policy was redone according to the article: https://habr.com/en/post/210410/
Now it says in the logs vpnthat the connection is being established, but win10it still returns 809:

Mar 29 09:29:42 15[IKE] <1> xxx.xxx.54.116 is initiating a Main Mode IKE_SA
Mar 29 09:29:42 06[IKE] <remote-access|1> IKE_SA remote-access[1] established between yyy.yyy.182.90[yyy.yyy.182.90]..xxx.xxx.54.116[192.168.3.122]
Mar 29 09:29:42 07[IKE] <remote-access|1> CHILD_SA remote-access{1} established with SPIs cd95951a_i f7801e3a_o and TS yyy.yyy.182.90/32[udp/l2f] === xxx.xxx.54.116/32[udp/l2f]