Give Permission Where Due
The fish are jumping, and everybody's got a pole, but nobody can put a line in the water until they get a license to fish. At the simplest level, a user trying to make a VPN connection needs dial-up permission on the computer he's connecting to. Pertinent VPN ports must be open to VPN traffic, despite what your router or ISP may think. Be sure to add the server to the RAS and IAS Servers security group and restart the server for the new (or renewed) membership to take effect. If desired, enable routers to "respond to ping"; some have this disabled by default.
You may need to enable IP routing on the RAS server, and even RAS may not be enabled on the RAS server! If clients are coming in on L2TP IPsec, make sure that they have machine certificates.
With every piece of hardware and software, under every operating system involved (on both ends, and between modems and ISP), look at what's there, and see where something might need permission, authorization, certification, or a "Mother may I," and make sure that the appropriate green light is not only present, but up to date.
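The checks above can be gathered into one read-only report. This is an added example, not part of the original text. It assumes an elevated PowerShell session on a domain-joined RAS server with the ActiveDirectory module installed, and `jdoe` is a placeholder account name.

```powershell
# Added example: read-only checks for the permission items listed above.
# Assumptions (not from the article): elevated session on the RAS server,
# domain-joined, ActiveDirectory (RSAT) module available.
Import-Module ActiveDirectory
$user = 'jdoe'   # placeholder: the account that cannot connect

# 1. Dial-in permission on the user account. msNPAllowDialin is True (allow),
#    False (deny), or empty (decided by remote access policy).
$dialin = (Get-ADUser -Identity $user -Properties msNPAllowDialin).msNPAllowDialin

# 2. Membership of this server in the "RAS and IAS Servers" security group.
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
    Select-Object -ExpandProperty Name
$inGroup = $members -contains $env:COMPUTERNAME

# 3. Routing and Remote Access service: installed, and actually running?
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

# 4. IP forwarding flag in the TCP/IP parameters (1 = enabled).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$routing = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter `
    -ErrorAction SilentlyContinue).IPEnableRouter

# 5. Machine certificates that are usable today: private key present and
#    not expired. Run this part on an L2TP/IPsec client as well.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })

[pscustomobject]@{
    User             = $user
    DialInPermission = if ($null -eq $dialin) { 'Controlled by policy' }
                       elseif ($dialin) { 'Allow' } else { 'Deny' }
    InRasIasGroup    = $inGroup
    RasService       = if ($svc) { $svc.Status } else { 'Not installed' }
    IpRoutingEnabled = ($routing -eq 1)
    ValidMachineCert = ($certs.Count -gt 0)
    SoonestCertExpiry = ($certs | Sort-Object NotAfter |
                         Select-Object -First 1).NotAfter
} | Format-List
```

Port filtering by a router or ISP is not covered here, because it has to be tested from the client side of the connection.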