We have the following problem.

We have a NW6 / BM 3.8 box with the latest patches (NMAS, NW, BM).

BM 3.8 has a private IP on its public interface.
The Lancom router has one public IP of the provider's network
and has static NAT for the VPN-related ports (353, 500, 4500) to the BM IP.
VPN C2S is up and running fine if we connect directly to the BM's public IP.
We use NMAS authentication (password only).

The Lancom router makes a simple plain Ethernet connection to its public interface;
we use it only for additional packet filtering.
If we connect to the public interface (with a public IP) of the Lancom, VPN C2S is also working
fine now (after doing some traces, Lancom provided us with a beta firmware which fixed some issues
in VPN pass-through mode with BM 3.8).

The provider's SDSL router is a Cisco, which makes a PPPoE connection to the provider.
Now, if we try to connect to the Lancom's public IP, which is NATed to the BM's public IP,
the connection fails with the following errors on the IKE screen:

Invalid payload lenght - HASH-PAYLOAD payload
Processed HASH-PAYLOAD unsuccessful - Received the message in the wrong state.
Lost our reply, dst= 217.x.x.x

We connected the Lancom directly to the SDSL port and made a PPPoE dial-in to the provider.
Now it is also not possible to connect to the BM through the public IP of the Lancom.

After some research we set the MTU of the BM and the Cisco to 1300 to avoid packet fragmentation,
but we still get the error.

We then double-checked the configuration by connecting through the Lancom in transparent Ethernet mode,
and this works fine.

And yes, the BM has the public IP of the Lancom configured as the public IP of the VPN C2S server.

It seems to me that this error occurs only if there is a PPP connection on the way, or anything other than Ethernet.

Any ideas to fix this, and any suggestions other than "give the BM the public IP", are welcome ;-)

Kind regards
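An added diagnostic, not part of the original post or of any Novell or Lancom code: it walks the ISAKMP payload chain of a captured IKE datagram the way a responder would, reports the same "Invalid payload length" condition the IKE screen shows when a payload's declared length does not fit the bytes actually received, and checks whether a datagram of a given size fits the configured MTU once IP/UDP and NAT-T overhead are added. The packet is constructed sample data with fake cookies, not a real capture; the payload type table is the RFC 2408 numbering.

```python
import struct

ISAKMP_HDR_LEN = 28   # RFC 2408 fixed header: 2 cookies, next, ver, xchg, flags, msgid, length
GENERIC_HDR_LEN = 4   # generic payload header: next payload, reserved, payload length
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}

def build_isakmp(payloads, exchange_type=5):
    """Build a constructed ISAKMP message from (payload_type, body) tuples (sample data)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(body))  # fake cookies
    return hdr + body

def walk_payloads(pkt):
    """Return [(payload name, declared length), ...] or raise ValueError on a
    length that disagrees with the bytes on the wire (truncated/mangled datagram)."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    next_type = pkt[16]
    total = struct.unpack("!I", pkt[24:28])[0]
    if total != len(pkt):
        raise ValueError(f"header length {total} != received {len(pkt)} bytes")
    off, found = ISAKMP_HDR_LEN, []
    while next_type != 0:
        name = PAYLOAD_NAMES.get(next_type, str(next_type))
        if off + GENERIC_HDR_LEN > len(pkt):
            raise ValueError(f"truncated generic header for {name} payload")
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(pkt):
            raise ValueError(f"Invalid payload length - {name} payload")
        found.append((name, plen))
        off += plen
        next_type = nxt
    return found

def needs_fragmentation(isakmp_len, mtu, nat_t=True):
    """True if the IKE datagram exceeds the MTU: 20 IP + 8 UDP bytes, plus the
    4-byte non-ESP marker when NAT-T (UDP 4500) is in use."""
    return isakmp_len + 28 + (4 if nat_t else 0) > mtu
```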