Yes, all rules allowed fragmented packets from the beginning.
Ports 500 and 4500 are passed OK (according to the logs, 500 and 4500 are allowed). I think that NATting of port IP 50 (ESP) is the problem...
Right now I use PPTP + W2K3 + RADIUS and it works great, but L2TP/IPSec is very desirable.
P.S. Sorry for my English ...