We've observed L2TP implementations both insert and omit the HDLC address & control octets from the start of the PPP frames sent over L2TP. RP l2tp's behaviour with these bytes is a bit odd:
In l2tp_dgram_take_from_wire() in dgram.c:

    /* Forget the 0xFF, 0x03 HDLC markers */
    payload += 2;
    framelen -= 2;

This is done unconditionally. Then in handle_frame() in handlers/sync-pppd.c, the bytes are unconditionally re-inserted:

    /* Add framing bytes */
    *--buf = 0x03;
    *--buf = 0xFF;
    len += 2;

It turns out that pppd doesn't really care if the bytes are there or not; however, the code in dgram.c skips over them even if they aren't there -- in which case it skips over the protocol number instead. Oops. Worse, the code in dgram.c then squashes the protocol number with new address & control values.
The attached patch changes l2tp_dgram_take_from_wire()'s behaviour so that the address and control octets are only skipped if they contain the standard 0xff 0x03 values.
Patch (context diff)
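
The conditional skip described above, as an added C example; it is not rp-l2tp's code and not the attached patch. The helper names and the sample LCP frames are constructed for illustration, and a two-octet PPP protocol field (no protocol field compression) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDLC_ADDR 0xFF
#define HDLC_CTRL 0x03

/* Constructed sample: LCP Configure-Request with and without FF 03. */
static const uint8_t frame_with_hdlc[] = {0xFF, 0x03, 0xC0, 0x21, 0x01, 0x01, 0x00, 0x04};
static const uint8_t frame_without_hdlc[] = {0xC0, 0x21, 0x01, 0x01, 0x00, 0x04};

/* Hypothetical helper: number of leading octets to skip. Returns 2 only
 * when the frame really starts with the standard FF 03 pair, else 0. */
size_t ppp_hdlc_header_len(const uint8_t *payload, size_t framelen)
{
    if (framelen >= 2 && payload[0] == HDLC_ADDR && payload[1] == HDLC_CTRL)
        return 2;
    return 0;
}

/* Protocol number after a conditional skip, or -1 if the frame is too short. */
long ppp_protocol(const uint8_t *payload, size_t framelen)
{
    size_t skip = ppp_hdlc_header_len(payload, framelen);
    payload += skip;
    framelen -= skip;
    if (framelen < 2)
        return -1;
    return ((long)payload[0] << 8) | payload[1];
}

/* The unconditional skip the post describes: always drops two octets,
 * so a frame without FF 03 loses its protocol number instead. */
long ppp_protocol_unconditional(const uint8_t *payload, size_t framelen)
{
    if (framelen < 4)
        return -1;
    return ((long)payload[2] << 8) | payload[3];
}

int main(void)
{
    printf("conditional, with FF 03:      0x%04lx\n",
           ppp_protocol(frame_with_hdlc, sizeof frame_with_hdlc));
    printf("conditional, without FF 03:   0x%04lx\n",
           ppp_protocol(frame_without_hdlc, sizeof frame_without_hdlc));
    printf("unconditional, without FF 03: 0x%04lx\n",
           ppp_protocol_unconditional(frame_without_hdlc, sizeof frame_without_hdlc));
    return 0;
}
```
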