An EdgeRouter firmware update from 1.8.5 to 1.9 broke my L2TP-based VPN. After the update my L2TP connection to the local subnets no longer worked. Note that I have a load-balancing setup, with eth0 and eth1 being the load-balanced WAN interfaces.
It seems that the changes made to L2TP in firmware 1.9 also changed slightly the way routing for the L2TP connection is done. The 1.9 release notes say:
[L2TP/IPsec] Use kernel mode support for L2TP/IPsec server. This includes adding pppd plugin and xl2tpd kernel mode support, and it should provide significant performance improvements for L2TP/IPsec server. Discussed with @mdu113 @NVX @stralex @pstolpe @train_wreck @DemonX @rsully @jbeez @PaulCarlucci @hyphenatic stasv 6keazik7 for example in these threads: 1 2 3 4.
I had a thread open for this issue on the UBNT forum: Update to 1.9 broke my l2tp/ipsec
The solution was to manually re-add the default routes to the routing tables associated with the load-balancing interfaces. This can be done with the script
/usr/sbin/ubnt-add-connected.pl
In my case running it solved the problem:
ubnt@ubnt:~$ /usr/sbin/ubnt-add-connected.pl
Connected routes found = 9
Route tables found = 2
Adding routes to table 201
Adding routes to table 202
load-balance member [G-eth1]
status = inactive
route table 202
blackhole default metric 256
10.255.255.0 dev l2tp0 scope link
40.0.0.0/30 dev vti0 scope link
x.x.x.0/23 dev eth0 scope link
127.0.0.0/8 dev lo scope link
172.16.44.111 dev l2tp0 scope link
192.168.5.0/24 dev eth5 scope link
192.168.6.0/24 dev eth6 scope link
192.168.7.0/24 dev eth7 scope link
192.168.11.0/24 dev eth2 scope link
load-balance member [G-eth0]
status = active
route table 201
default via x.x.x.1 dev eth0
blackhole default metric 256
10.255.255.0 dev l2tp0 scope link
40.0.0.0/30 dev vti0 scope link
x.x.x.0/23 dev eth0 scope link
127.0.0.0/8 dev lo scope link
172.16.44.111 dev l2tp0 scope link
192.168.5.0/24 dev eth5 scope link
192.168.6.0/24 dev eth6 scope link
192.168.7.0/24 dev eth7 scope link
192.168.11.0/24 dev eth2 scope link
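To check whether a load-balance policy table is missing the connected routes before (and after) running the script, the following added POSIX shell example compares the connected (scope link) routes of the main table against one policy table and prints the ones that are absent. It is not part of the original post or of the EdgeRouter firmware; the function names and the sample route listings are constructed for illustration, and the table numbers 201 and 202 are the ones shown in the output above.

```shell
#!/bin/sh
# Added example: report connected routes that exist in the main routing
# table but are missing from a load-balance policy table.
# Not from the original post; function names are hypothetical.

# missing_connected MAIN_ROUTES TABLE_ROUTES
#   Both arguments are route listings in "ip route show" format.
#   Prints "<prefix> dev <ifname>" for every "scope link" route in
#   MAIN_ROUTES that has no entry with the same prefix and device
#   in TABLE_ROUTES. Prints nothing when the table is complete.
missing_connected() {
  main="$1"
  table="$2"
  printf '%s\n' "$main" | awk -v table="$table" '
    BEGIN {
      # Index the connected routes already present in the policy table.
      n = split(table, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (lines[i] ~ / scope link/) {
          split(lines[i], f, " ")
          present[f[1] " " f[3]] = 1   # key: "<prefix> <ifname>"
        }
      }
    }
    / scope link/ {
      key = $1 " " $3
      if (!(key in present)) print $1 " dev " $3
    }'
}

# check_table TABLE_ID
#   Live variant for use on the router itself: needs ip(8) and a
#   policy table id such as 201 or 202. Not exercised by the sample below.
check_table() {
  missing_connected "$(ip route show table main)" "$(ip route show table "$1")"
}

# Constructed sample data (not real router output): a main table with
# four routes and a policy table that lost the l2tp0 and eth2 entries,
# which is the symptom described in the post.
SAMPLE_MAIN='default via 198.51.100.1 dev eth0
10.255.255.0 dev l2tp0 scope link
192.168.5.0/24 dev eth5 proto kernel scope link src 192.168.5.1
192.168.11.0/24 dev eth2 proto kernel scope link src 192.168.11.1'

SAMPLE_TABLE202='blackhole default metric 256
192.168.5.0/24 dev eth5 scope link'

# Demonstration run: lists the two routes that table 202 is missing.
missing_connected "$SAMPLE_MAIN" "$SAMPLE_TABLE202"
```

On the router, `check_table 202` run before and after `/usr/sbin/ubnt-add-connected.pl` shows which connected routes the script adds; an empty result means the policy table already carries every connected route of the main table. Only the prefix and device are compared, so extra attributes in the main table (`proto kernel`, `src ...`) do not produce false positives.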