...

The only IPSec implementation that we tested on W2K was its native IPSec support. Which, basically, didn't work. W2K professional doesn't support tunnel mode

Are you really sure about that? I know that the configuration with that MMC console is pretty mad [there are people who need a GUI - but I think that GUI is too confusing]. I made a simple interop. test with W2K/freeswan (W2K as road warrior connecting to secured networks behind a VPN gw) which worked.

Yes, I am sure. A W2K *Professional* road warrior connecting to a FreeS/WAN gateway wouldn't work. The MMC has a panel in which you can specify that the respective connection is to a tunnel endpoint and define that tunnel endpoint, though. However, if you use this panel you effectively silence the interface completely. With W2K Server, this was not the case, but we ran into the problem with the commit bit. We didn't stick around to try to correct that (there appears to be a patch to FreeS/WAN to make it ignore that bit), since the use of W2K Server on the road warriors was out of the question. Cheers Tobias