prostgpru

Здравствуйте!
Я не сильно большой специалист, очень прошу помощи!
Есть древний 1750, требуется организовать на нём VPN сервер для подключения одного удалённого пользователя с Win 7 к сети офиса. Конфигурация на данный момент вот такая:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FS
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.123-26.bin
boot-end-marker
!
logging buffered 65536 warnings
enable secret 5 $1$d1o/$nMNZomrQyKYR0nBmXuKJO/
enable password 7 00054A51Р10A52S15A704E
!
memory-size iomem 25
clock timezone Moscow 4
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip name-server 8.8.8.8
!
ip cef
ip audit po max-events 100
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
lcp renegotiation on-mismatch
l2tp security crypto-profile L2TP
no l2tp tunnel authentication
ip pmtu
ip mtu adjust
!
!
!
username gpru privilege 15 password 7 104F504E50464B5C595508
username Serg14 password 7 121B0B13470D07J02F7F70MB222427
username Dm05 password 7 12L85C40475AWF5D7D7E750A
!
!
!
!
crypto isakmp policy 80
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 85
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 90
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 95
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 36000
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key p#2381QW address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set L2TP esp-aes esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set transform-set L2TP
!
!
crypto map L2TP 100 ipsec-isakmp dynamic dyn-map
!
!
!
interface Loopback0
ip address 10.100.0.1 255.255.255.255
ip nat inside
!
interface Ethernet0
ip address AAA.XXX.54.19 255.255.255.248
ip access-group ext_acl in
ip nat outside
full-duplex
no cdp enable
crypto map L2TP
!
interface FastEthernet0
ip address 10.10.1.7 255.255.255.0
ip nat inside
speed auto
no cdp enable
!
interface Serial0
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
autodetect encapsulation ppp
peer default ip address pool VPN
ppp encrypt mppe auto
ppp authentication chap ms-chap ms-chap-v2
!
ip local pool VPN 10.100.0.2 10.100.0.100
ip default-gateway AAA.XXX.54.17
ip nat inside source list NAT_SRC interface Ethernet0 overload
ip nat inside source list VPN_NAT_SRC interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 AAA.XXX.54.17
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended NAT_SRC
permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended VPN_NAT_SRC
permit ip 10.100.0.0 0.0.0.255 any
ip access-list extended ext_acl
permit tcp any any established
deny icmp any any redirect
permit icmp any any
permit udp any any eq 1701
permit esp any any
permit ahp any any
permit udp any eq domain any
permit udp any eq ntp any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
deny ip any any
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
privilege level 15
password 7 094D16H94B564F42C95F05
transport input telnet ssh
!
ntp clock-period 17180179
ntp server 62.76.96.4
end

в таком виде подключение не устанавливается, попытка видна, клиентская машина выдаёт ош. 809
если убрать строку l2tp security crypto-profile L2TP то подключение происходит, но без шифрования...

Помогите найти ошибку!