road warrior client: cli.cli.cli.cli
server external address: ext.ext.ext.ext
server internal address: int.int.int.int

debian openswan (2.3.0-2) unstable with http://www.jacco2.dds.nl/networking/patches/openswan-2.3.0-NATserver.patch

I've looked at http://lists.strongswan.org/pipermail/users/2004-September/000397.html and it does look like the debian code already has this patch (it's hiding in an ifdef NAT_TRAVERSAL, but I'm sure it's being compiled)

May 5 09:30:03 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: ignoring Vendor ID payload [FRAGMENTATION]
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 5 09:30:04 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: responding to Main Mode from unknown peer cli.cli.cli.cli
May 5 09:30:04 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: ignoring Vendor ID payload [FRAGMENTATION]
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 5 09:30:04 darkflame pluto[20723]: packet from cli.cli.cli.cli:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 5 09:30:04 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #98: responding to Main Mode from unknown peer cli.cli.cli.cli
May 5 09:30:04 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #98: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 5 09:30:04 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
May 5 09:30:05 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: discarding packet received during DNS lookup in STATE_MAIN_R1
May 5 09:30:06 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP2048 took 433248 usec
May 5 09:30:06 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 5 09:30:06 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: Main mode peer ID is ID_IPV4_ADDR: 'cli.cli.cli.cli'
May 5 09:30:07 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: I did not send a certificate because I do not have one.
May 5 09:30:07 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli #97: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 5 09:30:07 darkflame pluto[20723]: | NAT-T: new mapping cli.cli.cli.cli:500/4500)
May 5 09:30:07 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #97: sent MR3, ISAKMP SA established
May 5 09:30:07 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #97: retransmitting in response to duplicate packet; already STATE_MAIN_R3
May 5 09:30:07 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: responding to Quick Mode
May 5 09:30:09 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 5 09:30:09 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: discarding duplicate packet; already STATE_QUICK_R1
May 5 09:30:15 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: route-host output: /usr/lib/ipsec/_updown: doroute `ip route add cli.cli.cli.cli/32 via cli.cli.cli.cli dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
May 5 09:30:15 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 5 09:30:15 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: IPsec SA established {ESP/NAT=>0x4fc5999c <0x087fad6f NATOA=0.0.0.0}
May 5 09:31:15 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #98: max number of retransmissions (2) reached STATE_MAIN_R1
May 5 10:25:37 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: initiating Main Mode to replace #97
May 5 10:25:37 darkflame pluto[20723]: | no IKE algorithms for this connection
May 5 10:25:37 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 5 10:25:38 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: ignoring Vendor ID payload [FRAGMENTATION]
May 5 10:25:38 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 5 10:25:38 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
May 5 10:25:38 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 5 10:25:38 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: I did not send a certificate because I do not have one.
May 5 10:25:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
May 5 10:25:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 5 10:25:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: Main mode peer ID is ID_IPV4_ADDR: 'cli.cli.cli.cli'
May 5 10:25:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 5 10:25:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: ISAKMP SA established
May 5 10:25:40 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: discarding duplicate packet; already STATE_MAIN_I4
May 5 10:25:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: discarding duplicate packet; already STATE_MAIN_I4
May 5 10:25:45 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #101: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #99 {using isakmp#100}
May 5 10:25:45 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: ignoring informational payload, type INVALID_ID_INFORMATION
May 5 10:25:45 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: received and ignored informational message
May 5 10:26:55 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #101: max number of retransmissions (2) reached STATE_QUICK_I1
May 5 10:26:55 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #101: starting keying attempt 2 of at most 3
May 5 10:26:55 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #101 {using isakmp#100}
May 5 10:26:55 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: ignoring informational payload, type INVALID_ID_INFORMATION
May 5 10:26:55 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: received and ignored informational message
May 5 10:28:05 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #102: max number of retransmissions (2) reached STATE_QUICK_I1
May 5 10:28:05 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #102: starting keying attempt 3 of at most 3
May 5 10:28:05 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #103: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #102 {using isakmp#100}
May 5 10:28:05 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: ignoring informational payload, type INVALID_ID_INFORMATION
May 5 10:28:05 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: received and ignored informational message
May 5 10:29:15 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #103: max number of retransmissions (2) reached STATE_QUICK_I1
May 5 10:29:37 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: cannot respond to IPsec SA request because no connection is known for ext.ext.ext.ext/32===int.int.int.int:4500:17/1701...cli.cli.cli.cli:4500:17/1701
May 5 10:29:37 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: sending encrypted notification INVALID_ID_INFORMATION to cli.cli.cli.cli:4500
May 5 10:29:37 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd7dd694f (perhaps this is a duplicated packet)
May 5 10:29:37 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: sending encrypted notification INVALID_MESSAGE_ID to cli.cli.cli.cli:4500
May 5 10:29:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd7dd694f (perhaps this is a duplicated packet)
May 5 10:29:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: sending encrypted notification INVALID_MESSAGE_ID to cli.cli.cli.cli:4500
May 5 10:29:43 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd7dd694f (perhaps this is a duplicated packet)
May 5 10:29:43 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: sending encrypted notification INVALID_MESSAGE_ID to cli.cli.cli.cli:4500
May 5 10:29:51 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd7dd694f (perhaps this is a duplicated packet)
May 5 10:29:51 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: sending encrypted notification INVALID_MESSAGE_ID to cli.cli.cli.cli:4500
May 5 10:30:07 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd7dd694f (perhaps this is a duplicated packet)
May 5 10:30:08 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: sending encrypted notification INVALID_MESSAGE_ID to cli.cli.cli.cli:4500
May 5 10:30:10 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: byte 2 of ISAKMP Hash Payload must be zero, but is not
May 5 10:30:10 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: malformed payload in packet
May 5 10:30:10 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: sending notification PAYLOAD_MALFORMED to cli.cli.cli.cli:4500
May 5 10:30:15 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #99: IPsec SA expired (LATEST!)
May 5 10:30:16 darkflame pluto[20723]: ERROR: netlink XFRM_MSG_DELPOLICY response for flow int.0@0.0.0.0 included errno 2: No such file or directory
May 5 10:30:39 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500 #100: received Delete SA payload: deleting ISAKMP State #100
May 5 10:30:40 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[25] cli.cli.cli.cli:4500: deleting connection "L2TP-PSK-orgWIN2KXP" instance with peer cli.cli.cli.cli {isakmp=#0/ipsec=#0}
May 5 10:30:40 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete cli.cli.cli.cli/32 via cli.cli.cli.cli dev eth0 ' failed (RTNETLINK answers: No such process)
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: received and ignored informational message
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: ignoring Vendor ID payload [FRAGMENTATION]
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 5 10:30:41 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: responding to Main Mode from unknown peer cli.cli.cli.cli:4500
May 5 10:30:41 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: ignoring Vendor ID payload [FRAGMENTATION]
May 5 10:30:41 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 5 10:30:41 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #105: responding to Main Mode from unknown peer cli.cli.cli.cli:4500
May 5 10:30:41 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #105: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 5 10:30:41 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
May 5 10:30:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: discarding packet received during DNS lookup in STATE_MAIN_R1
May 5 10:30:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 5 10:30:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: Main mode peer ID is ID_IPV4_ADDR: 'cli.cli.cli.cli'
May 5 10:30:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: I did not send a certificate because I do not have one.
May 5 10:30:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 5 10:30:42 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: sent MR3, ISAKMP SA established
May 5 10:30:43 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: responding to Quick Mode
May 5 10:30:46 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 5 10:30:46 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: discarding duplicate packet; already STATE_QUICK_R1
May 5 10:30:46 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: discarding duplicate packet; already STATE_QUICK_R1
May 5 10:30:49 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: route-host output: /usr/lib/ipsec/_updown: doroute `ip route add cli.cli.cli.cli/32 via cli.cli.cli.cli dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
May 5 10:30:49 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 5 10:30:49 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #106: IPsec SA established {ESP/NAT=>0x3f4a2f88 <0xf99cd84b NATOA=0.0.0.0}
May 5 10:31:51 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #105: max number of retransmissions (2) reached STATE_MAIN_R1
May 5 10:32:03 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: received Delete SA(0x3f4a2f88) payload: deleting IPSEC State #106
May 5 10:32:03 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: received and ignored informational message
May 5 10:32:03 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500 #104: received Delete SA payload: deleting ISAKMP State #104
May 5 10:32:03 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP"[26] cli.cli.cli.cli:4500: deleting connection "L2TP-PSK-orgWIN2KXP" instance with peer cli.cli.cli.cli {isakmp=#0/ipsec=#0}
May 5 10:32:03 darkflame pluto[20723]: "L2TP-PSK-orgWIN2KXP": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete cli.cli.cli.cli/32 via cli.cli.cli.cli dev eth0 ' failed (RTNETLINK answers: No such process)
May 5 10:32:03 darkflame pluto[20723]: packet from cli.cli.cli.cli:4500: received and ignored informational message