OS X: how to figure out what prevents L2TP/IPSec from running correctly
OK, I figured it out. It wasn't ports and sockets. Turns out that something (possibly Cisco AnyConnect) has unloaded racoon on startup. To fix (with AnyConnect uninstalled), do the following:
launchctl load -w /System/Library/LaunchDaemons/com.apple.racoon.plist
You may also start racoon manually by:
sudo /usr/sbin/racoon
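An added check, not part of the original answer, that reads the launchd job table to tell whether racoon is running, loaded but idle, or missing entirely (the state described above). It assumes the job label matches the plist name, com.apple.racoon, and the three-column "PID Status Label" output of `launchctl list`.

```shell
#!/bin/sh
# Added example, not from the original answer: check whether launchd still
# knows about the racoon IKE daemon, since L2TP/IPSec on OS X cannot bring up
# the IPSec tunnel when racoon has been unloaded. Assumptions: the launchd
# label equals the plist name quoted in the answer (com.apple.racoon) and
# `launchctl list` prints three columns, "PID Status Label".

RACOON_LABEL="com.apple.racoon"
RACOON_PLIST="/System/Library/LaunchDaemons/${RACOON_LABEL}.plist"

# racoon_state: reads `launchctl list` output on stdin and prints one word:
#   running  - job loaded and currently has a PID
#   loaded   - job loaded but idle (launchd starts it on demand)
#   unloaded - job unknown to launchd, the failure mode described above
racoon_state() {
    awk -v label="$RACOON_LABEL" '
        $3 == label {
            found = 1
            if ($1 ~ /^[0-9]+$/) print "running"; else print "loaded"
            exit
        }
        END { if (!found) print "unloaded" }
    '
}

# racoon_check: query the live launchd; with "fix" as first argument, also
# re-register the job (-w clears the Disabled flag so it survives reboots).
# The load step needs root, so run it via sudo on the affected Mac.
racoon_check() {
    state=$(launchctl list | racoon_state)
    echo "racoon is $state"
    if [ "$state" = "unloaded" ] && [ "${1:-}" = "fix" ]; then
        launchctl load -w "$RACOON_PLIST"
    fi
}

# Constructed samples of `launchctl list` output (tab-separated), used to
# exercise racoon_state offline on a machine without launchctl.
sample_racoon_idle()    { printf 'PID\tStatus\tLabel\n-\t0\t%s\n42\t0\tcom.apple.mDNSResponder\n' "$RACOON_LABEL"; }
sample_racoon_missing() { printf 'PID\tStatus\tLabel\n42\t0\tcom.apple.mDNSResponder\n'; }

sample_racoon_idle    | racoon_state   # prints: loaded
sample_racoon_missing | racoon_state   # prints: unloaded
```

On the affected Mac, `sudo sh racoon_check.sh` style use is simply `racoon_check fix` after sourcing the file.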