You’ve written a lot in your OP, but you’ve also left out a lot.
So do I guess properly that the 3011 getting a private WAN address from a NATing router is the L2TP/IPsec server and the L2TP/IPsec client that fails to connect is the Windows embedded VPN client?
If so, see this topic.