replaced on end of BEFSX41 tunnel with RV082 Now VPN won't connect.

Hi all,
I have a fully functional VPN site hooked up between 3 office locations using BEFSX41 box's. I am trying to replace the main office 41 with a new RV082 to allow more site connections for a new office.
I copied all of the configurations from the main site 41 onto the 82 and plugged it in, one site connects (charter Connection) just fine but the second site (SBC DSL) refuses to connect. I have been over all teh Ipsec settings until I cannot see straight and I can see nothing wrong.

Error log:

Main mode peer ID is ID_IPV4_ADDR: '70.226.184.225'
Apr 15 07:03:38 2007 VPN Log No suitable connection for peer '70.226.184.225', Please check Phase 1 ID value
Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 15 07:03:58 2007 VPN Log probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 15 07:03:59 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet

If I put the 41 back everything pops up and runs.

The 82 Ipsec is setup like this

IKE with Preshared Key
PH 1 Group 1
Ph1 DES
SHA1
3600

PFS = on

Group 1
3DES
SHA1
28800

Key is the same on both ends

The only difference I can see is the BEFSX41 only has a SHA and not a SHA1 setting in the selections, But the working 41 on the second line only has the same thing and it is working fine.

SBC line has a netopia router talking to the net and my The 41 is behind it.

 

From the RV082 log

Main mode peer ID is ID_IPV4_ADDR: 'XX.XXX.XXX.225'
Apr 15 09:19:19 2007 VPN Log We require peer to have ID 'XX.XXX.XXX.230', but peer declares 'XX.XXX.XXX.225'
Apr 15 09:19:29 2007 VPN Log Received informational payload, type INVALID_PAYLOAD_TYPE
Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 15 09:19:42 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet

xx.xxx.xxx.25 is the BEFsx41
xx.xxx.xxx.30 is the Netopia SBC router


From the 41 log ::::::xx.xxx.xxx.89 = the RV082 IP address

2007-04-15 09:19:25 IKE[2] Tx >> Notify : INVALID-PAYLOAD-TYPE
2007-04-15 09:19:36
2007-04-15 09:19:36 IKE[1] Tx >> MM_I1 : xx.xxx.xxx.146 SA
2007-04-15 09:19:36
2007-04-15 09:19:36 IKE[2] Tx >> MM_I1 : xx.xxx.xxx.89 SA
2007-04-15 09:19:37 IKE[2] Rx << MM_R1 : xx.xxx.xxx.89 SA, VID
2007-04-15 09:19:37 IKE[2] ISAKMP SA CKI=[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
2007-04-15 09:19:37 IKE[2] ISAKMP SA DES / SHA / PreShared / MODP_768 / 3600 sec (*3600 sec)
2007-04-15 09:19:37 IKE[2] Tx >> MM_I2 : xx.xxx.xxx.89 KE, NONCE
2007-04-15 09:19:37 IKE[1] Rx << MM_R1 : xx.xxx.xxx.146 SA
2007-04-15 09:19:37 IKE[1] ISAKMP SA CKI=[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2007-04-15 09:19:37 IKE[1] ISAKMP SA DES / SHA / PreShared / MODP_768 / 3600 sec (*3600 sec)
2007-04-15 09:19:37 IKE[1] Tx >> MM_I2 : xx.xxx.xxx.146 KE, NONCE
2007-04-15 09:19:37 IKE[2] Rx << MM_R2 : xx.xxx.xxx.89 KE, NONCE
2007-04-15 09:19:37 IKE[2] Tx >> MM_I3 : xx.xxx.xxx.89 ID, HASH
2007-04-15 09:19:38 IKE[1] Rx << MM_R2 : xx.xxx.xxx.146 KE, NONCE
2007-04-15 09:19:38 IKE[1] Tx >> MM_I3 : xx.xxx.xxx.146 ID, HASH
2007-04-15 09:19:39 IKE[1] Rx << MM_R3 : xx.xxx.xxx.146 ID, HASH
2007-04-15 09:19:39 IKE[1] Tx >> QM_I1 : xx.xxx.xxx.146 HASH, SA, NONCE, KE, ID, ID
2007-04-15 09:19:40 IKE[1] Rx << Notify : PAYLOAD-MALFORMED
2007-04-15 09:19:40 IKE[1] **Check your PFS setting !
2007-04-15 09:19:45 IKE[8] **Check your ISAKMP Pre-share Key setting !
2007-04-15 09:19:45 IKE[8] Tx >> Notify : INVALID-PAYLOAD-TYPE

 

Have you tried using 3DES/MD5/Group5/PFS settings? That might have an easier time authenticating.

 

There seems to be some NAT problems if you are seeing messages like

Apr 15 09:19:19 2007 VPN Log We require peer to have ID 'XX.XXX.XXX.230', but peer declares 'XX.XXX.XXX.225'

But without the diagram and real addresses I can't know for sure.

Also, it may be some settings mismatch. Try using 3DES on the main mode.
I'm not sure the BEFSX41 can do Group5 (I guess only 1 and 2)

 

Is there a difference in the way an 082 and a 41 handle natting on the far end? if I place the original 41 back into the main office location everything runs fine. I tried DES and Manual on both ends and no Happyness.
The netopia SBC router is the xxx.226.184.230
the 41 sitting behind it is the xxx.226.184.225
All works fine with 2 41's just not the 082

 

I don't know if there is a difference, there shouldn't be. A few things, make sure the RV8 is on the latest release. Make sure you are selecting NAT Traversal in the Advanced options for the tunnel. We'll assume that your router can pass VPN since the other one worked. I would also suggest trying with the tried and true 3DES/MD5 settings. I have one VPN that only works with that.

 

I don't know if there is a difference, there shouldn't be. A few things, make sure the RV8 is on the latest release. Make sure you are selecting NAT Traversal in the Advanced options for the tunnel. We'll assume that your router can pass VPN since the other one worked. I would also suggest trying with the tried and true 3DES/MD5 settings. I have one VPN that only works with that.

 

As far as I know, both will translate the packets in the same way (NAT). But the problem in this case is not the RV or the BEF routers, but rather yet another router on the way, usually a router used to connect to the ISP (in you case I guess is the SBC DLS right?). Where is the DSL connection (PPPoE typically for SBC) handled? If it's done by the DSL modem, then that is a possible cause. The VPN code in the BEF is not the same as in the RV, so there might be some small difference that the router code in the DSL modem is failing to see.

Another possibility, if indeed you have a combined modem/router, is that it can handle only 1 VPN passthru (NAT) and for some reason it's being "locked" to the BEF (do you power cycle the modem?).

 

Were you able to find a solution to this Toddah? I am having the same problem...

 

Hei Toddah.

Did You get Your problem solved or? Because I have the similar problem With one befsx 41 behind a Zyxel dlsmodem / router and Rv082. The Rv082 replace befvp41. There were no problems about the connection with befvp41.
I do hope You have got an answer You wish to share.
New user at this site, misape