L2TP/IPSec Problem


Paul

I have two Windows 2000 SP4 (Hosts A&B) configured identically to do L2TP/IPSec to a Windows 2003 (Host-C) box.
(Yes, I installed the 128-bit encryption pack and NAT-T patches on both)

Host-A works.
Host-B does not.
Host-B gets stuck on Oakley.
It sends the first Oakley packet successfully, but the responder (Host-C) does not reply.

Looks like a filter is stopping it.
I have no idea why one host works and another one does not.
I tried flushing the NAT tables every time.
I tried searching IPSec Policies for any filters.
I tried searching RRAS for any filters.

Has anyone seen this behavior?

Diagram:

Host-A & B                                                   Host-C
Initiator <---> NAT Box <---> Internet <---> NAT Box <---> Responder
68.227.86.101                                                192.168.23.132

Here is Oakley.log on the Responder (Host-C, Windows 2003). This stanza just repeats over and over until the negotiation times out.

12-30: 21:08:01:859:fcc Receive: (get) SA = 0x00000000 from 68.227.86.101.500
12-30: 21:08:01:859:fcc ISAKMP Header: (V1.0), len = 292
12-30: 21:08:01:859:fcc I-COOKIE e7731123ba0f3a44
12-30: 21:08:01:859:fcc R-COOKIE 0000000000000000
12-30: 21:08:01:859:fcc exchange: Oakley Main Mode
12-30: 21:08:01:859:fcc flags: 0
12-30: 21:08:01:859:fcc next payload: SA
12-30: 21:08:01:859:fcc message ID: 00000000
12-30: 21:08:01:859:fcc Filter to match: Src 68.227.86.101 Dst 192.168.23.132
12-30: 21:08:01:859:fcc MatchMMFilter failed 13013
12-30: 21:08:01:859:fcc Responding with new SA 0
12-30: 21:08:01:859:fcc HandleFirstPacketResponder failed 3601
 

Stephen Cartwright [MSFT]

Host A and B do need to have different IP addresses, though; it reads as if they have the same [from the diagram], else B would not be able to negotiate a MM with C because A already has one using the same address.

Check that the policy on Host B is correct and has the correct IP identification for B, unless me <> any has been used.
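A small log-triage helper, added here and not part of either post, for the Oakley.log stanza shape Paul quoted: it groups the responder's log into per-packet stanzas, pulls out the peer, the Src/Dst filter the responder tried to match and the MatchMMFilter error code, and counts repeats so a looping main-mode negotiation collapses to one line with a count. The sample log is constructed from the lines in the thread plus one made-up peer (203.0.113.7) that negotiates without a filter failure.

```python
import re
from collections import Counter

# Constructed sample: the first two stanzas reuse the lines quoted in the thread,
# the third (peer 203.0.113.7, a documentation address) is made up to show a
# packet that does not hit a filter failure and is therefore not counted.
SAMPLE_LOG = """\
12-30: 21:08:01:859:fcc Receive: (get) SA = 0x00000000 from 68.227.86.101.500
12-30: 21:08:01:859:fcc ISAKMP Header: (V1.0), len = 292
12-30: 21:08:01:859:fcc exchange: Oakley Main Mode
12-30: 21:08:01:859:fcc Filter to match: Src 68.227.86.101 Dst 192.168.23.132
12-30: 21:08:01:859:fcc MatchMMFilter failed 13013
12-30: 21:08:01:859:fcc HandleFirstPacketResponder failed 3601
12-30: 21:08:02:101:fcc Receive: (get) SA = 0x00000000 from 68.227.86.101.500
12-30: 21:08:02:101:fcc Filter to match: Src 68.227.86.101 Dst 192.168.23.132
12-30: 21:08:02:101:fcc MatchMMFilter failed 13013
12-30: 21:09:15:004:fcc Receive: (get) SA = 0x00000000 from 203.0.113.7.500
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")            # "<date> <time:thread> <message>"
RECV_RE = re.compile(r"Receive: \(get\) SA = 0x[0-9a-fA-F]+ from ([\d.]+)\.(\d+)$")
FILTER_RE = re.compile(r"Filter to match: Src ([\d.]+) Dst ([\d.]+)$")
FAIL_RE = re.compile(r"MatchMMFilter failed (\d+)$")

def parse_oakley(text):
    # One stanza per "Receive:" line; later lines attach to the current stanza.
    stanzas = []
    cur = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        r = RECV_RE.search(msg)
        if r:
            cur = {"time": ts, "peer": r.group(1), "port": int(r.group(2)),
                   "src": None, "dst": None, "mm_error": None}
            stanzas.append(cur)
        elif cur is not None:
            f = FILTER_RE.search(msg)
            if f:
                cur["src"], cur["dst"] = f.groups()
            e = FAIL_RE.search(msg)
            if e:
                cur["mm_error"] = int(e.group(1))
    return stanzas

def summarize_mm_failures(stanzas):
    # Count repeated main-mode filter failures per (peer, src, dst, code).
    return Counter((s["peer"], s["src"], s["dst"], s["mm_error"])
                   for s in stanzas if s["mm_error"] is not None)
```

Running it over a real Oakley.log shows at a glance whether a single peer address keeps failing the same Src/Dst filter, which is what the thread's repeating stanza looks like.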