Cisco TAC helped us; here are the relevant parts:
!
vpdn enable
vpdn multihop
vpdn history failure table-size 50
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip x.x.x.x
 lcp renegotiation always
 l2tp tunnel hello 15
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 5000
 l2tp tunnel framing capabilities all
 l2tp tunnel bearer capabilities all
 l2tp ip udp checksum
 ip pmtu
 ip mtu adjust
!
!
!
crypto keyring l2tp
 pre-shared-key address 0.0.0.0 0.0.0.0 key yyyyyyyy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile l2tp
 keyring l2tp
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set phone-trans esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN_clients
 reverse-route
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set phone-trans
 set isakmp-profile l2tp
!
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface FastEthernet0/0
 description OUTSIDE$$ETH-LAN$
 ip address x.x.x.x 255.255.255.0
...
 crypto map SDM_CMAP_1
!
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx
 ip tcp header-compression
 peer default ip address pool SDM_POOL_1
 ntp disable
 keepalive 5 2
 ppp mtu adaptive
 ppp authentication pap ms-chap ms-chap-v2 chap
 ppp ipcp header-compression ack
 ppp ipcp address required
 ppp ipcp address unique
 no clns route-cache
!
ip local pool SDM_POOL_1 192.168.1.201 192.168.1.211
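
Added example (not part of the original post, and not Cisco's or TAC's code): a small section-aware audit that flags the legacy crypto and PPP settings in a configuration like the one above before it is reused. The names audit, RULES and SAMPLE and the choice of which settings count as weak are assumptions of this example; it expects sub-commands to be indented.

```python
import re

# Constructed excerpt of the posted config, indented as `show running-config` prints it.
SAMPLE = """\
crypto keyring l2tp
 pre-shared-key address 0.0.0.0 0.0.0.0 key yyyyyyyy
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set phone-trans esp-3des esp-sha-hmac
interface Virtual-Template2
 ppp authentication pap ms-chap ms-chap-v2 chap
"""

# (section regex, or None for top-level commands; line regex; finding)
RULES = [
    (r"crypto keyring", r"^pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ",
     "wildcard pre-shared key: every peer uses the same secret"),
    (r"crypto isakmp policy", r"^encr(yption)? (des|3des)\b",
     "IKE encryption is DES/3DES"),
    (r"crypto isakmp policy", r"^group (1|2|5)$",
     "IKE Diffie-Hellman group is 1536-bit MODP or smaller"),
    (None, r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b",
     "IPsec transform set uses DES/3DES"),
    (r"interface ", r"^ppp authentication .*\bpap\b",
     "PPP accepts PAP (password sent in cleartext inside PPP)"),
    (r"interface ", r"^ppp authentication .*\bms-chap\b(?!-v2)",
     "PPP accepts MS-CHAP version 1"),
]

def audit(config):
    """Return (line number, section, finding) for each weak setting."""
    findings, section = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        sub = raw[0].isspace()          # sub-commands are indented
        if not sub:
            section = line              # a top-level command opens a section
        for sect_re, line_re, msg in RULES:
            scoped = (not sub) if sect_re is None else (sub and re.match(sect_re, section))
            if scoped and re.search(line_re, line):
                findings.append((no, section, msg))
    return findings

if __name__ == "__main__":
    for no, section, msg in audit(SAMPLE):
        print(f"line {no} [{section}]: {msg}")
```

Because each rule is tied to its section, a line such as "group 2" is only reported inside a crypto isakmp policy block.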