Well, the IPsec route has worked.
I had to apply a NAT patch for openswan 2.3.0 (the patch for 2.3.1) to the Debian openswan (2.3.0-2) unstable package. Getting l2tpd working was a doddle (having done pptpd before, I knew what it needed). After that, it all worked!
If only – I found the next day that after 55 minutes it was dropping the connection. It seems that this NAT patch doesn't make the rekey work correctly.
After some digging in the pluto source (ipsec_doi.c), I've decided that it's actually very complicated (especially for 2am). It sounds like the daemon needs to be changed to send back different information to the Windows host. Certainly the error the Linux daemon _was_ giving before the patch looks like the error the Windows machine is now generating. So the solution is clearly to fix the reply to the Windows box.