We have recently installed a Xincom Dual Wan Router in front (i.e. public
side) of a working BM38 SP3 server to provide load balancing and failover
for a DSL and Private Leased Line (I think you guys call it a T1).

Prior to the Xincom install IKE C2S VPN was working fine.

The Xincom install was quite a challenge in terms of the load balancing
set-up; we opted for a manual load balance set-up based on services, i.e.
HTTP primarily goes across WAN A and SMTP goes across WAN B, etc. We
used both Virtual Servers and DMZ set-ups to achieve the required config.

Everything appears to be working fine; we carried out extensive testing of
both performance and failover and all works okay. Xincom firmware updates
were a bit confusing but we got there eventually.

The main VPN usage is C2S, S2S is not being used. We ended up configuring
a Virtual Server (instead of a DMZ) for passing the IPSEC traffic through
the Xincom, we defined the relevant ports for NMAS auth etc and I tested
C2S from my home laptop via an ADSL Router to the Virtual BM Server
address and amazingly it worked first time.

Anyway, after further testing I noticed it didn't always want to connect;
it would get stuck quite often on Negotiating and Authenticating...

The strangest problem is that from our office, where we have our own
BM3.8.4 server, we now can't C2S to this client from any PC on our private
LAN; we get Negotiating and Authenticating... all the time. Bear in mind we
can connect to every other client's BM38 server without problem. Note:
Dynamic NAT is enabled and I have tried dropping the filters.

Anyway, here's the ikelog from my PC in our office behind our BM3.8.4 box:


04-20-2007 12:51:51 AM Created thread for SendKeepAlivePacketProcess
04-20-2007 12:51:51 AM Start IPSEC SA 00a25430 - Initiator****totSA=1

04-20-2007 12:51:51 AM src from IPsec

04-20-2007 12:51:51 AM 00000000 ac1d019f
04-20-2007 12:51:51 AM dst from IPsec

04-20-2007 12:51:51 AM 00000000 c399686a
04-20-2007 12:51:56 AM Start IKE-SA 00a28658 -
Initiator,src=172.29.1.159,dst=195.x.x.x,TotSA=1

04-20-2007 12:51:56 AM AUTH ALG IS 1
04-20-2007 12:51:56 AM Negotiating for an NMAS user 195.x.x.x

04-20-2007 12:51:56 AM ***Send Main Mode message to 195.x.x.x

04-20-2007 12:51:56 AM
I-COOKIE=9ed3ac0826e5c942,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=21101316

04-20-2007 12:51:56 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

04-20-2007 12:51:56 AM ERROR :Maximum size of allowed packet is 25600

04-20-2007 12:51:57 AM ***Receive Main Mode message from 195.x.x.x

04-20-2007 12:51:57 AM
I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=SA-PAYLOAD,state=20052692

04-20-2007 12:51:57 AM IKE SA NEGOTIATION: Peer lifetime = 28800 My
lifetime=28800

04-20-2007 12:51:57 AM ****DH private exponent size is 1016****
04-20-2007 12:51:59 AM Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-03 from 195.x.x.x
04-20-2007 12:51:59 AM ***Send Main Mode message to 195.x.x.x

04-20-2007 12:51:59 AM
I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=KEY-PAYLOAD,state=20052592

04-20-2007 12:51:59 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

04-20-2007 12:51:59 AM ERROR :Maximum size of allowed packet is 25600

04-20-2007 12:51:59 AM ***Receive Main Mode message from 195.x.x.x

04-20-2007 12:51:59 AM
I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=KEY-PAYLOAD,state=20052692

04-20-2007 12:52:00 AM There is NAT in between server and client

04-20-2007 12:52:00 AM ****SKEYID***secret***

04-20-2007 12:52:00 AM 4fd17595 879158d4 ce35efc0 53b0d005

04-20-2007 12:52:00 AM ec13041c 6ac716c6 4afb5901 fce57ca2

04-20-2007 12:52:00 AM fce42e01 747c47bf 9a971bef 74ecc28d

04-20-2007 12:52:00 AM 59326d6b 967da0f2 2d1c2873 97402b3d

04-20-2007 12:52:00 AM b4708f91 b67138f3 7c14cace 711a4600

04-20-2007 12:52:00 AM 80456aa2 a820799b f5951e0e a33b7768

04-20-2007 12:52:00 AM ff84e43f b9f8a631 46edaa70 860f1bf5

04-20-2007 12:52:00 AM 3e18f627 6ea57b46 3712c5fa 02776296

04-20-2007 12:52:00 AM *Sending MM id payload IPSEC_ID_IPV4_ADDR
172.29.1.159

04-20-2007 12:52:00 AM *protocol 0 portnum 0 length 8

04-20-2007 12:52:00 AM Sending INITIAL_CONTACT notify to 195.x.x.x
04-20-2007 12:52:00 AM ***Send Main Mode message to 195.x.x.x

04-20-2007 12:52:00 AM
I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=ID-PAYLOAD,state=20052620

04-20-2007 12:52:03 AM ERROR :packet length 25600 recieved is too high ,
probably bogus packet

04-20-2007 12:52:03 AM ERROR :Maximum size of allowed packet is 25600

04-20-2007 12:52:03 AM ***Receive Main Mode message from 195.x.x.x

04-20-2007 12:52:03 AM
I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=KEY-PAYLOAD,state=20052692

04-20-2007 12:52:03 AM Processed KEY-PAYLOAD unsuccessful - Received the
message in the wrong state. Lost our reply, dst=195.x.x.x.

04-20-2007 12:52:03 AM Failed to create IKE-SA - Received the message in
the wrong state. Lost our reply , dst = 195.x.x.x

04-20-2007 12:52:06 AM Retransmit timer expired :Peer lost our reply
retransmit the old packet to 195.x.x.x
04-20-2007 12:52:16 AM Retransmit timer expired :Peer lost our reply
retransmit the old packet to 195.x.x.x
04-20-2007 12:52:31 AM Exiting thread for SendKeepAlivePacketProcess

Any ideas guys?

Thanks,

Richard.
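An added example, not part of Richard's post and not BorderManager or Xincom code: a small Python parser that reads ikelog output of the shape posted above, reconstructs the Main Mode message sequence from the "***Send/Receive Main Mode message" and "1stPL=" lines, and reports which of the client's messages the peer never saw. The sample log is constructed from the posted sequence (same payload order, cookies and timestamps; key material and unrelated lines dropped; the peer address replaced by a documentation address, and the vendor-id line joined onto one line). The regexes, the `MAIN_MODE` table and the diagnosis strings are my assumptions about the log format, not a Novell API. The one protocol fact the diagnosis relies on is from draft-ietf-ipsec-nat-t-ike-03, which the log shows the server offering: once NAT is detected in Main Mode, the initiator sends its ID-payload message (message 5) on UDP 4500 instead of UDP 500, so a responder that keeps retransmitting message 4 after the client sent message 5 is the pattern to expect when UDP 4500 is not passed through the device in front of the server.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the ikelog in the post (not the original log verbatim).
STUCK_LOG = """\
04-20-2007 12:51:56 AM ***Send Main Mode message to 192.0.2.10
04-20-2007 12:51:56 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=21101316
04-20-2007 12:51:57 AM ***Receive Main Mode message from 192.0.2.10
04-20-2007 12:51:57 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=SA-PAYLOAD,state=20052692
04-20-2007 12:51:59 AM Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from 192.0.2.10
04-20-2007 12:51:59 AM ***Send Main Mode message to 192.0.2.10
04-20-2007 12:51:59 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=KEY-PAYLOAD,state=20052592
04-20-2007 12:51:59 AM ***Receive Main Mode message from 192.0.2.10
04-20-2007 12:51:59 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=KEY-PAYLOAD,state=20052692
04-20-2007 12:52:00 AM There is NAT in between server and client
04-20-2007 12:52:00 AM ***Send Main Mode message to 192.0.2.10
04-20-2007 12:52:00 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=ID-PAYLOAD,state=20052620
04-20-2007 12:52:03 AM ***Receive Main Mode message from 192.0.2.10
04-20-2007 12:52:03 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=KEY-PAYLOAD,state=20052692
04-20-2007 12:52:03 AM Processed KEY-PAYLOAD unsuccessful - Received the message in the wrong state. Lost our reply, dst=192.0.2.10.
04-20-2007 12:52:06 AM Retransmit timer expired :Peer lost our reply retransmit the old packet to 192.0.2.10
04-20-2007 12:52:16 AM Retransmit timer expired :Peer lost our reply retransmit the old packet to 192.0.2.10
"""

# Constructed healthy variant: same exchange, but the server answers message 5 with its ID payload.
OK_LOG = "\n".join(STUCK_LOG.splitlines()[:12] + [
    "04-20-2007 12:52:01 AM ***Receive Main Mode message from 192.0.2.10",
    "04-20-2007 12:52:01 AM I-COOKIE=9ed3ac0826e5c942,R-COOKIE=8c1b6dd2087c25f2,MsgID=0,1stPL=ID-PAYLOAD,state=20052692",
])

# Assumed log format: a "***Send/Receive" line followed by a cookie line carrying 1stPL=.
MSG_RE = re.compile(r"\*\*\*(Send|Receive) Main Mode message (?:to|from) (\S+)")
PL_RE = re.compile(r"1stPL=([A-Z-]+)")
NAT_T_RE = re.compile(r"Vendor id (draft-ietf-ipsec-nat-t-ike-\d+)")

# The six Main Mode messages as the initiator sees them: (direction, first payload).
MAIN_MODE = [("send", "SA-PAYLOAD"), ("recv", "SA-PAYLOAD"),
             ("send", "KEY-PAYLOAD"), ("recv", "KEY-PAYLOAD"),
             ("send", "ID-PAYLOAD"), ("recv", "ID-PAYLOAD")]


@dataclass
class Exchange:
    peer: str = ""
    messages: list = field(default_factory=list)  # (direction, first payload) in log order
    nat_t_vendor: str = ""
    nat_detected: bool = False
    retransmits: int = 0
    wrong_state: int = 0


def parse_ikelog(text):
    """Reduce an ikelog to the Main Mode message sequence plus NAT-T flags and error counts."""
    ex = Exchange()
    pending = None  # direction of a Send/Receive line still waiting for its cookie line
    for line in text.splitlines():
        if m := MSG_RE.search(line):
            pending = "send" if m.group(1) == "Send" else "recv"
            ex.peer = m.group(2)
        elif pending and (m := PL_RE.search(line)):
            ex.messages.append((pending, m.group(1)))
            pending = None
        elif m := NAT_T_RE.search(line):
            ex.nat_t_vendor = m.group(1)
        elif "There is NAT in between" in line:
            ex.nat_detected = True
        elif "Retransmit timer expired" in line:
            ex.retransmits += 1
        elif "wrong state" in line:
            ex.wrong_state += 1
    return ex


def diagnose(ex):
    """Walk the observed messages against MAIN_MODE and name the message the peer never saw."""
    step, last_sent = 0, None
    for direction, payload in ex.messages:
        if step < len(MAIN_MODE) and (direction, payload) == MAIN_MODE[step]:
            if direction == "send":
                last_sent = payload
            step += 1
            continue
        # A received message that repeats the peer's previous one is a peer retransmit:
        # the peer is still waiting for our last message, so that message was lost.
        prev_recv = next((p for d, p in reversed(ex.messages[:step]) if d == "recv"), None)
        if direction == "recv" and payload == prev_recv:
            result = {"status": "stuck", "peer": ex.peer, "lost_message": last_sent,
                      "nat_detected": ex.nat_detected, "nat_t": ex.nat_t_vendor}
            # draft-ietf-ipsec-nat-t-ike-03: after NAT detection the initiator sends
            # Main Mode message 5 (ID payload) on UDP 4500, so losing exactly that
            # message points at UDP/4500 not being forwarded to the server.
            if last_sent == "ID-PAYLOAD" and ex.nat_detected and ex.nat_t_vendor:
                result["check"] = "UDP 4500 (NAT-T port float) from client to server"
            else:
                result["check"] = f"UDP 500 path for the Main Mode message after {last_sent}"
            return result
        return {"status": "unexpected", "message": (direction, payload), "step": step}
    return {"status": "complete" if step == len(MAIN_MODE) else "incomplete", "step": step}


if __name__ == "__main__":
    for name, log in (("stuck", STUCK_LOG), ("ok", OK_LOG)):
        print(name, diagnose(parse_ikelog(log)))
```

Run against a real ikelog by reading the file into `parse_ikelog`; the parser ignores the SKEYID dump and the NMAS lines, and only the Send/Receive pairs, the NAT-T vendor id, the NAT detection line and the retransmit/wrong-state errors feed the verdict.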