Can any IPSec client connect to any IPSec server?

0

I have been pondering setting up my own VPS with a VPN server running. Most often, OpenVPN is thrown around when users talk about setting up a VPN on Linux, but this tech seems to live a bit on the side of other standard VPN technology, needing special client software, etc. Not so hot, IMHO.

I was pondering setting up an IPSec server, instead, probably OpenSWAN, for reasons of compatibility with a set of heterogeneous clients (macOS, Android, iPhone, Windows, Linux). So whether this makes sense or not depends on my understanding a basic premise: is it so that IPSec+L2TP is a standard that I can reasonably expect to be understood/supported by most operating systems?

oligofren

Posted 2020-01-29T10:19:14.653

Reputation: 842

Answers

1

depends on my understanding a basic premise: is it so that IPSec+L2TP is a standard that I can reasonably expect to be understood/supported by most operating systems

No. It's only somewhat of a de facto standard because Microsoft Windows comes with it.

Can any IPSec client connect to any IPSec server?

Not always. For one thing, there are at least two versions of the core connection protocol, IKEv1 and IKEv2. Modern IPsec daemons (strongSwan, LibreSwan) support both – but e.g. racoon never quite got updated for IKEv2, OpenBSD has two separate services (isakmpd and iked) for the two versions, and so on.

The two peers might not necessarily support the same authentication mechanisms, e.g. PSK but not public-key; XAuth but not EAP; public-key but not X.509 certificate; and so on.

The above applies to manual/static tunnel configuration. If you're setting up a "client" VPN (with user accounts, automatic IP configuration, etc.) everything gets much more complex because IKEv1 simply did not have that functionality built in – it was made for static configuration – so various vendors expanded it in their own ways.

  • For example, Cisco "IPSec VPN" is technically IKEv1 but uses the custom "Xauth" username & password authentication method, as well as Cisco extensions to provide the client's IP address and other network parameters.

  • Later on, many of those extensions were adopted as built-in functionality in IKEv2, so it is now possible to have a fully standards-based "IKEv2 VPN" without any addons.

  • Meanwhile, Microsoft's "IPSec/L2TP VPN" is also IKEv1 but adds an extra layer inside the VPN connection, using (I believe) a form of PPP for user authentication on top of IKEv1's regular 'host' authentication.

These three are completely incompatible: you can't connect to an IPSec/L2TP server using a Cisco client, nor the other way around. And you can't use either to connect to an IKEv2 VPN.

but this tech seems to live a bit on the side of other standard VPN technology, needing special client software

At least most such "special client software" tends to be more consistent... Even if you use only IPsec, you'll still find yourself needing an app because some built-in clients are a major pain.

(For example, Android claims to support Cisco-IKEv1, but I could never get it working, not to mention it's using quite obsolete software under the hood – so I use the strongSwan app instead.

Similarly, Windows 10 now has a built-in IKEv2 VPN client, so you could use that instead of L2TP... but it ignores half the settings that the server provides.)

user1686

Posted 2020-01-29T10:19:14.653

Reputation: 283 655

Could the same server serve clients with different connection types, or does it enforce the same settings for everyone? Say, one client connecting using IKEv2, talking to another client that has connected using IPSec L2TP? – oligofren – 2020-01-30T12:16:02.027

Yes, that's technically possible, but can be troublesome as authentication in IPSec/L2TP is different, ciphers are probably different, etc. At least strongSwan does allow configuring two separate connection blocks (ikev1 and ikev2) for roaming clients, but I couldn't quite get IKEv1 to work and decided it wasn't worth it. (Of course, you could have two VPN servers, one handling each protocol...) – user1686 – 2020-01-30T14:10:22.253

In particular, the server needs a way to choose the correct connection profile for each client, e.g. by protocol version, or by leftid/rightid, or by IP addresses... For example, if you tried to have two different IKEv1 configurations (e.g. Cisco-style and Microsoft-style), IIRC that's a situation where leftid= can't do the job, so you might need two IP addresses on the server. – user1686 – 2020-01-30T14:14:39.257
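As an added illustration of the two-profile setup discussed in the comments above (this is example configuration written here, not from the question, the answer, or the strongSwan project): a strongSwan ipsec.conf with one IKEv1 conn for Microsoft-style IPsec/L2TP clients and one IKEv2 conn for built-in IKEv2 clients, selected by protocol version and server identity. The hostname, certificate file name, client address pool and cipher proposals are assumptions.

```ini
# Added example: two road-warrior profiles on one strongSwan server.
# vpn.example.org, vpn.example.org.pem and 10.99.0.0/24 are placeholders.
config setup
    uniqueids=never           # several clients may share one identity

conn %default
    left=%any
    right=%any
    dpdaction=clear
    auto=add

# Profile 1: Microsoft-style IPsec/L2TP. IKEv1 with a pre-shared key,
# transport mode protecting only UDP/1701; the user login happens
# later inside PPP, not in IKE, so no per-user settings live here.
conn l2tp-psk
    keyexchange=ikev1
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    # Assumed proposals; match what the built-in L2TP clients offer.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!

# Profile 2: standards-based IKEv2. The server proves its identity with
# a certificate, users authenticate with EAP-MSCHAPv2, and the server
# hands out client addresses itself (no L2TP/PPP layer needed).
conn ikev2-eap
    keyexchange=ikev2
    leftid=@vpn.example.org   # must match a SAN in the server cert
    leftcert=vpn.example.org.pem
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=0.0.0.0/0      # full-tunnel: route everything via VPN
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=10.99.0.0/24
    eap_identity=%identity
    # Different, stronger proposals than the L2TP profile above.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
```

The PSK and the EAP user passwords go in ipsec.secrets (`: PSK "..."` and `user : EAP "..."` lines). Because the two conns differ in IKE version, strongSwan can tell them apart from a client's first packet, which is what avoids the leftid= ambiguity the last comment describes for two IKEv1 profiles.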