IPsec for Wireless Network

I am trying to encrypt my wireless traffic with IPsec. My
configuration is as follows:
OpenBSD 3.8 gateway (192.168.100.20) connected to Linksys accesspoint
via crossover cable.
Macintosh OS X 10.4 (192.168.100.200) AirPort
Windows XP SP2 (192.168.100.120) Intel PRO/Wireless 2200BG

I am using isakmpd on the OpenBSD computer, racoon on OS X and ipseccmd
on Windows. If I configure transport policies the setup works
correctly. However, if I use tunnel, the Macintosh works correctly,
but the Windows computer does not.

Below are the ipseccmd commands I am using for Windows.

Transport mode:
ipseccmd -u
ipseccmd -f 192.168.100.120=192.168.100.0/255.255.255.0 -n
ESP[3DES,MD5]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home
LAN" -1s 3DES-SHA-2 -1k 1800s
ipseccmd -f 192.168.100.0/255.255.255.0=192.168.100.120 -n
ESP[3DES,MD5]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home
LAN" -1s 3DES-SHA-2 -1k 1800s

After executing these commands, I can ping 192.168.100.20. After
several "Negotiating IP Security" messages, I receive replies from the
remote computer. I can ping from the OpenBSD computer to the Windows
computer as well.


Tunnel mode:
ipseccmd -u
ipseccmd -f 192.168.100.120=0.0.0.0/0.0.0.0 -t 192.168.100.20 -n
ESP[3DES,SHA]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home
LAN" -1s 3DES-SHA-2 -1k 1800s
ipseccmd -f 0.0.0.0/0.0.0.0=192.168.100.120 -t 192.168.100.120 -n
ESP[3DES,SHA]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home
LAN" -1s 3DES-SHA-2 -1k 1800s

After executing these commands and pinging 192.168.100.20 I receive
several "Negotiating IP Security" messages again. However, instead of
receiving replies, I now get "Request timed out". If I examine the
Oakley.log file, I can see that SA is successfuly netotiated. I would
expect that if firewalls or some other ICMP block was in place, that it
would affect both transport and tunnel mode.

Any suggestions?

thanks,
Michael

Desert.Bound@gmail.com