Two things I would like to notice.
First on the guide vpn_rollercoaster says that
Hosts should have same domain as the zeroshell box unless you know what youâ€™re doing with
Kerberos 5 domain/realm trust relationships.
Is that ok with your setup?
Second thing… I am not so sure if the HOST certficate should be downloaded from the ZS log-in page. I haven’t setup an L2TP vpn, but an OpenVPN. When I download a user certificate I do it from the X509 tab of each USER. I suggest you do the same. Go to NETWORK -> HOSTS -> click on the HOST’s bullet and then click on X509. Now export the certificate on the desired format with the KEY ticked. Hope this works.