The root cause was here:

Completely dead:

Just verified that install_routes = no has no adverse effect on L2TP/IPsec.

Downgraded packages are in the latest nightly build.

Correction: 5.5, not 5.2.

No amount of messing up with the config in 5.6 fixed this, but when I downgraded strongswan to 5.2 (from stretch-security), it just worked. I'm downgrading it in the repositories.

Should be working now in the code rewritten for pdns, and dnsmasq is gone so issues specific to it will not be a problem anymore.

Should be working now that we've added syslog forwarding to journald.

@aopdal I agree it would be nice to have RFC compatibility, but when it was introduced, it relied upon a kernel hack that never made it into the mainline. If mainline keepalived and kernel do not support it, and we cannot add support for it that can be merged into the mainline, then it's more trouble than it's worth I think.
Cross-vendor VRRP is more of a hypothetical situation than a common setup.

The fault was in XorpConfigParser, whose "set" function behaves as if all nodes were multi nodes, so it was adding a value where none was needed (that's on top of the fact that it didn't properly check if it exists).

The new task should be to make 1.2.0-rc1. :)

I've setup a minimal WLB config and it worked for me.

Serial is, sadly, a hard problem, especially on machines that need it most, i.e. those without any graphical console. Since it's impossible to automatically find out the correct port and speed/parity settings, it will always need some manual configuration I suppose.

I have reservations about actually using it though. The whole point of the vyos-1x package is to stop multiplying submodules and consolidate everything instead. ;)

Without the new sysctl options:

intfwatchd is no more (T669), so if it had any other memory leaks, they are also not a problem now.

Even simpler way to reproduce:

Inserting FQDN seems reasonable, but we need to think carefully when FQDN should come from, and if we use the "system domain-name" option, what should we do if it's not present.

Needs to be re-tested in recent images.

Needs to be tested in 1.2.0

I suppose it's clear enough by now.

It does work now.

It's already in use.

I'm not sure if HTML encoding is really the best thing to do, but I agree the problem exists.

This is a bit of ubunt's bug #1 by now. ;)

Do you think we should replace "+" with +-"?

@EwaldvanGeffen Good point. Do you have ideas how to implement it?

Curiously, the rewrite introduced exactly the problem @UnicronNL warned against. Entering an invalid interface at set time is only one part of the story — the worst case no set-time or commit-time check can protect against is when a once valid interface is removed, e.g. by pulling a physical or virtual NIC out of the router. Then that validation becomes a time bomb because the config will stop loading.

I did test NTP in 1.2.0 and it works now.