Honoured VPN guru, help needed very much (Openswan IPsec, l2tpd, pppd )

Problem description:

There are 3 remote LAN is present.

This LANs connected between using VPN, also each VPN gateway running
l2tpd for win XP "roadwarriors".
..
Configuration of OS and software for VPN are identical.

But on one of VPN gateways (configs and logs listed below) after IPSec
tunnel is on (Windows XP L2TP client) ppp connection NOT given up
(connection l2tp-cert-org).
Certificate exchange passed ОК, eroute shows that tunnel is up, but
after 20-30 seconds connection go down.

I spend 2 days for resolving this - but f*'n nothing.

Thanks to All for future advices.

System & settings :

ОS: Slackware GNU/Linux 10.2

root@host:~#uname -a
Linux host.domain.com 2.4.32-ow1-ipsec #2 SMP Thu Jun 1 17:00:58 CEST
2006 i686 unknown unknown GNU/Linux

Version of Openswan: openswan-2.4.5
Add. patches:
openswan-2.4.5.kernel-2.4-klips.patch.gz
openswan-2.4.5.kernel-2.4-natt.patch.gz

root@host:~# lsmod
Module Size Used by Not tainted
ppp_async 7168 0 (unused)
ppp_generic 23208 0 [ppp_async]
slhc 4800 0 [ppp_generic]
ipsec 333984 2
ipt_LOG 3544 1 (autoclean)
ipt_recent 8772 3 (autoclean)
ipt_state 536 5 (autoclean)
ipt_multiport 664 17 (autoclean)
iptable_mangle 2168 0 (autoclean) (unused)
iptable_nat 19294 1 (autoclean)
ip_conntrack 22464 0 (autoclean) [ipt_state iptable_nat]
iptable_filter 1740 1 (autoclean)
ip_tables 13056 9 [ipt_LOG ipt_recent ipt_state
ipt_multiport iptable_mangle iptable_nat iptable_filter]


-----------------------------------------------
Openswan IPSec Config
-----------------------------------------------

root@host:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
version 2.0 # conforms to second version of ipsec.conf
specification

# basic configuration
config setup
forwardcontrol=yes
interfaces="ipsec0=eth0"
nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/24,%4:172.16.0.0/12
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
# Connections for "roadwarriors"
include /etc/ipsec.d/connections/l2tp-cert-org.conf

conn host1-host
auto=start
left=123.456.788
leftid=@host1.domain1.com
leftnexthop=123.456.789
leftrsasigkey=0sA....
leftsubnet=192.168.0.0/24
right=789.654.322
rightid=@host.domain.com
rightnexthop=789.654.321
rightrsasigkey=0sA.....
rightsubnet=192.168.1.0/24
type=tunnel

conn host-host2
auto=start
left=789.654.322
leftid=@host.domain.com
leftnexthop=789.654.321
leftrsasigkey=0slf......
leftsubnet=192.168.1.0/24
right=159.357.752
rightid=@host2.domain.com
rightnexthop=159.357.751
rightrsasigkey=0sA....
type=tunnel

-----------------------------------------------------
l2tp-cert-org.conf ("roadwarriors" ) connection config
------------------------------------------------------

root@mordor:~# cat /etc/ipsec.d/connections/l2tp-cert-org.conf
conn l2tp-cert-org
#
# Configuration for one user with the non-updated Windows
2000/XP.
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#
authby=rsasig
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitely used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
type=tunnel
#
left=80.26.120.236
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/mordor.siliciosolar.es.pem
# Work-around for original (non-updated) Windows 2000/XP
clients,
# to support all clients, use leftprotoport=17/%any
leftprotoport=17/0
#
# The remote user.
#
right=%any
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no

----------------------------------------------------
l2tpd config
---------------------------------------------------


root@host:~# cat /etc/l2tpd/l2tpd.conf
[global]
;listen-addr =

[lns default]
ip range = 192.168.1.140-192.168.1.150
local ip = 192.168.10.202
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

--------------------------------------------------------

root@host:~# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.3
ms-wins 192.168.1.3
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

----------------------------------------------------------
iptables rules
---------------------------------------------------------


################################################## #
#
# IPSec VPN section starting here
#
# Allow IPSec connections
iptables -A INPUT -p udp -m udp -s 0/0 --sport 500 --dport 500 -j
ACCEPT
iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 500 --dport 500 -j
ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 4500 --dport 4500 -j
ACCEPT
iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 4500 --dport 4500 -j
ACCEPT
iptables -A INPUT -p 50 -s 0/0 -j ACCEPT
iptables -A OUTPUT -p 50 -d 0/0 -j ACCEPT
iptables -A INPUT -p 51 -s 0/0 -j ACCEPT
iptables -A OUTPUT -p 51 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -i $OPEN_SWAN_VIRT -j ACCEPT
iptables -A OUTPUT -d 0/0 -o $OPEN_SWAN_VIRT -j ACCEPT
#
# Ports for l2tpd
iptables -A INPUT -p udp -m udp -s 0/0 --dport 1701 -i $OPEN_SWAN_VIRT
-j ACCEPT
iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 1701 -o $OPEN_SWAN_VIRT
-j ACCEPT
iptables -t nat -A PREROUTING -p udp -m udp -i $OPEN_SWAN_VIRT --sport
1701 --dport 1701 -j DNAT --to-destination $LAN_IP
#
# Packet forwarding for "road warriors" network
iptables -A FORWARD -p all -s $RW1 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW1 -j ACCEPT
iptables -A FORWARD -p all -s $RW2 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW2 -j ACCEPT
iptables -A FORWARD -p all -s $RW3 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW3 -j ACCEPT
iptables -A FORWARD -p all -s $RW4 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW4 -j ACCEPT
iptables -A FORWARD -p all -s $RW5 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW5 -j ACCEPT
iptables -A FORWARD -p all -s $RW6 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW6 -j ACCEPT
iptables -A FORWARD -p all -s $RW7 -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW7 -j ACCEPT
#
# Packet forwarding for COMPANY2 subnet
iptables -A FORWARD -p all -s $COMPANY2_SUBNET1 -d $LAN_SUBNET -j
ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $COMPANY2_SUBNET1 -j
ACCEPT

# Packet forwarding for COMPANY1 subnet
iptables -A FORWARD -p all -s $COMPANY1_SUBNET -d $LAN_SUBNET -j ACCEPT
iptables -A FORWARD -p all -s $LAN_SUBNET -d $COMPANY1_SUBNET -j ACCEPT

#
#
# Rules for COMPANY2 internal network
iptables -t nat -A POSTROUTING -s $EXT_IP -d $COMPANY2_SUBNET1 -j SNAT
--to-source $LAN_IP
#
# Rules for COMPANY1 internal network
iptables -t nat -A POSTROUTING -s $EXT_IP -d $COMPANY1_SUBNET -j SNAT
--to-source $LAN_IP

# Make nat a for "road warriors" network (ppp interface)
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW1 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW1 -j SNAT --to-source
$LAN_IP
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW2 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW2 -j SNAT --to-source
$LAN_IP
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW3 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW3 -j SNAT --to-source
$LAN_IP
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW4 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW4 -j SNAT --to-source
$LAN_IP
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW5 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW5 -j SNAT --to-source
$LAN_IP
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW6 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW6 -j SNAT --to-source
$LAN_IP
iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW7 -j SNAT
--to-source $PPP_IP
iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW7 -j SNAT --to-source
$LAN_IP
#
# IPSec VPN section ends
#
################################################## ############################


----------------------------------------------------------
piece of /var/log/secure
---------------------------------------------------------

Jun 22 10:45:26 host pluto[32020]: "l2tp-cert-org"[39] 83.170.250.144
#159: responding to Main Mode from unknown peer 111..222.333.444.
Jun 22 10:45:26 host pluto[32020]: "l2tp-cert-org"[39]111..222.333.444.
#159: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 22 10:45:26 host pluto[32020]: "l2tp-cert-org"[39]111..222.333.444.
#159: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 22 10:45:27 host pluto[32020]: "l2tp-cert-org"[39]111..222.333.444.
#159: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no
NAT detected
Jun 22 10:45:27 host pluto[32020]: "l2tp-cert-org"[39]111..222.333.444.
#159: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 22 10:45:27 host pluto[32020]: "l2tp-cert-org"[39]111..222.333.444.
#159: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 22 10:45:28 host pluto[32020]: "l2tp-cert-org"[39]111..222.333.444.
#159: Main mode peer ID is ID_DER_ASN1_DN: 'C=ES, ST=My Some , L=My
City, O=My Company., OU=IT Department, CN=host.domain.com,
E=admin@domain.com'
Jun 22 10:45:28 host pluto[32020]: "l2tp-cert-org"[40]111..222.333.444.
#159: deleting connection "l2tp-cert-org" instance with peer
111..222.333.444. {isakmp=#0/ipsec=#0}
Jun 22 10:45:28 host pluto[32020]: "l2tp-cert-org"[40]111..222.333.444.
#159: I am sending my cert
Jun 22 10:45:28 host pluto[32020]: "l2tp-cert-org"[40]111..222.333.444.
#159: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 22 10:45:28 host pluto[32020]: "l2tp-cert-org"[40]111..222.333.444.
#159: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}