OS X: how to figure out what prevents L2TP/IPSec from running correctly

Ok, I figured it out. It wasn't ports and sockets. Turns out that something (possibly CiscoAnyconnect) has unloaded racoon on startup. To fix (with Anyconnect uninstalled) do the following:

launchctl load -w /System/Library/LaunchDaemons/com.apple.racoon.plist

You may also start racoon manually by:

sudo /usr/sbin/racoon
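The following diagnostic is an added example, not part of the original answer: it classifies racoon's launchd state from the output of launchctl list (assumed format: PID, last exit status, label per line, with "-" as PID when the job is loaded but not running) and points to the fix above; the sample listings are constructed so the check runs offline.

```shell
#!/bin/sh
# Added diagnostic for the racoon/launchd problem described in the answer.
# Assumption: "launchctl list" prints one job per line as PID, Status, Label
# (tab-separated; awk's default splitting handles tabs and spaces alike).
RACOON_LABEL="com.apple.racoon"
RACOON_PLIST="/System/Library/LaunchDaemons/com.apple.racoon.plist"

# racoon_state LISTING -> prints one of: running | loaded-idle | unloaded
racoon_state() {
    printf '%s\n' "$1" | awk -v label="$RACOON_LABEL" '
        $3 == label { if ($1 == "-") print "loaded-idle"; else print "running"; found = 1 }
        END { if (!found) print "unloaded" }'
}

# racoon_advice LISTING -> one line of guidance matching the state
racoon_advice() {
    case "$(racoon_state "$1")" in
        running)     echo "racoon is running; the VPN failure is not a missing IKE daemon" ;;
        loaded-idle) echo "racoon is loaded by launchd and starts on demand for L2TP/IPsec" ;;
        unloaded)    echo "racoon is not loaded; run: launchctl load -w $RACOON_PLIST" ;;
    esac
}

# Constructed sample listings (not real system output)
SAMPLE_UNLOADED="PID Status Label
123 0 com.apple.mDNSResponder
- 0 com.apple.kextd"
SAMPLE_LOADED="PID Status Label
- 0 com.apple.racoon
123 0 com.apple.mDNSResponder"
SAMPLE_RUNNING="PID Status Label
555 0 com.apple.racoon"

# On a real Mac, check the live listing; elsewhere fall back to the samples
if command -v launchctl >/dev/null 2>&1; then
    racoon_advice "$(launchctl list)"
else
    racoon_advice "$SAMPLE_UNLOADED"
fi
```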