
l2tp/ipsec fails on 2nd connection

I had a prior thread which I closed. Turns out I was running firmware 1.6. Now I'm running 1.85. However, the basic failure mode(s) have not changed. The logging has seemingly gotten less verbose. I connect with one PC and get this in /var/log/messages:

Aug 1 19:59:42 ubnt xl2tpd[3142]: Connection established to 70.35.108.118, 1701. Local: 11787, Remote: 11 (ref=0/0). LNS session is 'default'
Aug 1 19:59:42 ubnt xl2tpd[3142]: Call established with 70.35.108.118, Local: 20997, Remote: 1, Serial: 0
Aug 1 19:59:42 ubnt pppd[3790]: pppd 2.4.4 started by root, uid 0
Aug 1 19:59:42 ubnt pppd[3790]: Connect: ppp0 <--> /dev/pts/1
Aug 1 19:59:43 ubnt pppd[3790]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Aug 1 19:59:43 ubnt pppd[3790]: local IP address 10.255.255.0
Aug 1 19:59:43 ubnt pppd[3790]: remote IP address 192.168.1.200

And this with show vpn debug:

show vpn debug
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64):
uptime: 51 seconds, since Aug 01 20:16:31 2016
malloc: sbrk 373904, mmap 0, used 274024, free 99880
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
70.35.96.66
192.168.1.1
10.255.255.0
Connections:
remote-access: 70.35.96.66...%any IKEv1, dpddelay=15s
remote-access: local: [70.35.96.66] uses pre-shared key authentication
remote-access: remote: uses pre-shared key authentication
remote-access: child: dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
remote-access[1]: ESTABLISHED 28 seconds ago, 70.35.96.66[70.35.96.66]...70.35.108.118[192.168.0.128]
remote-access[1]: IKEv1 SPIs: 156036947973863f_i 3743ad6ab595b4a4_r*, rekeying disabled
remote-access[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
remote-access{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c78e181c_i 039a10a9_o
remote-access{1}: 3DES_CBC/HMAC_SHA1_96, 52400 bytes_i (243 pkts, 0s ago), 23393 bytes_o (144 pkts, 0s ago), rekeying disabled
remote-access{1}: 70.35.96.66/32[udp/l2f] === 70.35.108.118/32[udp/l2f]

Then I connect with a 2nd PC and in the /var/log/messages file I get one additional line:

Aug 1 20:18:23 ubnt xl2tpd[3142]: Maximum retries exceeded for tunnel 29815. Closing.

and in the show vpn debug output I get this:

show vpn debug
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64):
uptime: 2 minutes, since Aug 01 20:16:30 2016
malloc: sbrk 373904, mmap 0, used 280088, free 93816
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
70.35.96.66
192.168.1.1
10.255.255.0
Connections:
remote-access: 70.35.96.66...%any IKEv1, dpddelay=15s
remote-access: local: [70.35.96.66] uses pre-shared key authentication
remote-access: remote: uses pre-shared key authentication
remote-access: child: dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear
Security Associations (2 up, 0 connecting):
remote-access[2]: ESTABLISHED 22 seconds ago, 70.35.96.66[70.35.96.66]...70.35.108.118[192.168.0.191]
remote-access[2]: IKEv1 SPIs: 6cd37d8ab91cd55e_i f61592905043f643_r*, rekeying disabled
remote-access[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
remote-access[1]: ESTABLISHED 105 seconds ago, 70.35.96.66[70.35.96.66]...70.35.108.118[192.168.0.128]
remote-access[1]: IKEv1 SPIs: 156036947973863f_i 3743ad6ab595b4a4_r*, rekeying disabled
remote-access[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
remote-access{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c78e181c_i 039a10a9_o
remote-access{1}: 3DES_CBC/HMAC_SHA1_96, 140757 bytes_i (730 pkts, 0s ago), 110639 bytes_o (590 pkts, 0s ago), rekeying disabled
remote-access{1}: 70.35.96.66/32[udp/l2f] === 70.35.108.118/32[udp/l2f]

but then it fails, and the remote-access[2] lines all go away.

Here's my vpn config:

ipsec {
    auto-firewall-nat-exclude disable
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
}
l2tp {
    remote-access {
        authentication {
            mode radius
            radius-server 192.168.1.20 {
                key RADIUS_KEY
            }
        }
        client-ip-pool {
            start 192.168.1.200
            stop 192.168.1.210
        }
        dns-servers {
            server-1 192.168.1.20
        }
        ipsec-settings {
            authentication {
                mode pre-shared-secret
                pre-shared-secret PRE_SHARED_SECRET_STRING
            }
            ike-lifetime 3600
        }
        mtu 1024
        outside-address 70.35.96.66
    }
}

Anyone? I had tried having an 'outside-nexthop' value of 70.35.96.65 (the gateway), but it didn't seem to help.
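The status output quoted in the post can be checked mechanically. The following is an added example, not code from the post or from EdgeOS: it parses strongSwan status lines in the form shown above and flags an IKE SA that has no CHILD SA installed beneath it, plus several IKE SAs arriving from one public address (both visible in the second capture). The sample input is constructed from that second capture.

```python
import re

# Constructed sample: the Security Associations section of the post's second
# `show vpn debug` capture (the post lost indentation, so order is relied on).
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
remote-access[2]: ESTABLISHED 22 seconds ago, 70.35.96.66[70.35.96.66]...70.35.108.118[192.168.0.191]
remote-access[2]: IKEv1 SPIs: 6cd37d8ab91cd55e_i f61592905043f643_r*, rekeying disabled
remote-access[1]: ESTABLISHED 105 seconds ago, 70.35.96.66[70.35.96.66]...70.35.108.118[192.168.0.128]
remote-access[1]: IKEv1 SPIs: 156036947973863f_i 3743ad6ab595b4a4_r*, rekeying disabled
remote-access{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: c78e181c_i 039a10a9_o
remote-access{1}: 70.35.96.66/32[udp/l2f] === 70.35.108.118/32[udp/l2f]
"""
# "<conn>[<n>]: ESTABLISHED ..., <local>[<id>]...<peer>[<peer_id>]"
IKE_RE = re.compile(r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]: ESTABLISHED .*?\.\.\."
                    r"(?P<peer>[\d.]+)\[(?P<peer_id>[^\]]*)\]")
# "<conn>{<n>}: INSTALLED, ..."
CHILD_RE = re.compile(r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}: INSTALLED")


def parse_sas(text):
    """One dict per IKE SA; a CHILD SA line attaches to the IKE SA listed above it."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        m = IKE_RE.match(line)
        if m:
            sas.append({"ike_id": int(m["id"]), "peer": m["peer"],
                        "peer_id": m["peer_id"], "children": []})
            continue
        m = CHILD_RE.match(line)
        if m and sas:
            sas[-1]["children"].append(int(m["id"]))
    return sas


def find_issues(sas):
    """Flag IKE SAs with no ESP CHILD SA, and IKE SAs that share a public address."""
    issues = []
    for sa in sas:
        if not sa["children"]:
            issues.append(f"IKE SA [{sa['ike_id']}] up but no CHILD SA installed "
                          f"(peer {sa['peer']}, id {sa['peer_id']})")
    by_peer = {}
    for sa in sas:
        by_peer.setdefault(sa["peer"], []).append(sa["peer_id"])
    for peer, ids in sorted(by_peer.items()):
        if len(ids) > 1:
            issues.append(f"{len(ids)} IKE SAs share public address {peer} "
                          f"(identities {sorted(ids)}): clients behind one NAT")
    return issues
```

Run `find_issues(parse_sas(SAMPLE_STATUS))` to get the two findings for the capture above; feed it the live `show vpn debug` output to check a router.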

 

