
L2TP/IPsec error 678 in Windows
When connecting to an L2TP/IPsec VPN that sits behind NAT, you might get error 678 in Windows. The fix is the following registry change:
For Windows XP
http://support.microsoft.com/default.aspx?kbid=885407
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
On the Edit menu, point to New, and then click DWORD Value.
In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Important: This value name is case sensitive.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
In the Value data box, type one of the following values:
0 (default)
A value of 0 (zero) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators.
1
A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators.
2
A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.
Note: This is the behavior of IPsec NAT-T in Windows XP without service packs installed and in Windows XP SP1.
Click OK, and then quit Registry Editor.
Restart the computer.
For Windows Vista
http://support.microsoft.com/kb/926179
Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Note: You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
In the Value Data box, type one of the following values:
0
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
Click OK, and then exit Registry Editor.
Restart the computer.
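The same change can be scripted instead of made by hand in Registry Editor. The PowerShell script below is an added example, not part of the Microsoft articles linked above: it picks the subkey for the running Windows version, shows the current setting, writes the DWORD, and reads it back. The -Value parameter name and the OS-version check used to choose the subkey are assumptions of this example.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(0, 2)]   # only the three values listed above are accepted
    [int]$Value
)

# The value name is case sensitive, so it is spelled exactly as in the steps above.
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Windows XP reports major version 5; Windows Vista and Server 2008 report 6.
# Assumption of this example: major version 6 or later uses the Vista subkey.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
}

# Writing under HKEY_LOCAL_MACHINE needs an elevated administrator session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if (-not (Test-Path $key)) {
    throw "Registry subkey not found: $key"
}

# Show the current setting; a missing value means the default of 0.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '0 (value not present, default)' }
Write-Output "Current $name : $current"

# -Force creates the DWORD or overwrites an existing one.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null

# Read the value back so a failed write is not silently ignored.
$written = (Get-ItemProperty -Path $key -Name $name).$name
if ($written -ne $Value) {
    throw "Verification failed: read back '$written' instead of $Value"
}
Write-Output "Set $name = $written under $key. Restart the computer to apply."
```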