RV082 Gateway-Gateway VPN Won't Connect


I have a site-to-site VPN between two RV082s also. Checking my settings, they show on both sides:

Local Security Gateway Type: IP Only
IP Address: external address
Local Security Group Type: Subnet
IP Address 192.168.188.0
Subnet Mask: 255.255.255.0

Remote Security Gateway Type: IP Only
IP Address: external address
Remote Security Group Type: Subnet
IP Address 192.168.166.0
Subnet Mask: 255.255.255.0

Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600

Aggressive Mode: Disabled
Dead Peer Detection (DPD): Enabled

The only difference I see is aggressive mode, but you tried that. Obviously you have a matching preshared key. Interface is WAN1 on both. So you don't have anything glaring - but maybe disable aggressive mode. I also remember having to delete and recreate them a few times to get it connected. Have you tried that?

Author: Joel

A software developer for OwnerRez, and owner of Ithi Enterprises; I enjoy building web applications that make ordinary people's lives more productive.

Updated on September 18, 2022

Comments

  • Joel
    Joel over 1 year

    I have two RV082s (firmware 2.0.0.7), both with public static IPs. I'm attempting to set up a gateway-gateway VPN between them.

    My configuration:

    Router A:

    Local Security Gateway Type: IP Only
    IP Address: 12...*
    Local Security Group Type: Subnet
    IP Address 192.168.3.0
    Subnet Mask: 255.255.255.0

    Remote Security Gateway Type: IP Only
    IP Address: 70...*
    Remote Security Group Type: Subnet
    IP Address 192.168.1.0
    Subnet Mask: 255.255.255.0

    Keying Mode: IKE with Preshared key
    Phase1 DH Group: Group 1
    Phase1 Encryption: DES
    Phase1 Authentication: MD5
    Phase1 SA Life Time: 28800
    Perfect Forward Secrecy: Enabled
    Phase2 DH Group: Group 1
    Phase2 Encryption: DES
    Phase2 Authentication: MD5
    Phase2 SA Life Time: 3600

    Aggressive Mode: Enabled
    Dead Peer Detection (DPD): Enabled

    Router B:

    Local Security Gateway Type: IP Only
    IP Address: 70...*
    Local Security Group Type: Subnet
    IP Address 192.168.1.0
    Subnet Mask: 255.255.255.0

    Remote Security Gateway Type: IP Only
    IP Address: 12...*
    Remote Security Group Type: Subnet
    IP Address 192.168.3.0
    Subnet Mask: 255.255.255.0

    Keying Mode: IKE with Preshared key
    Phase1 DH Group: Group 1
    Phase1 Encryption: DES
    Phase1 Authentication: MD5
    Phase1 SA Life Time: 28800
    Perfect Forward Secrecy: Enabled
    Phase2 DH Group: Group 1
    Phase2 Encryption: DES
    Phase2 Authentication: MD5
    Phase2 SA Life Time: 3600

    Aggressive Mode: Enabled
    Dead Peer Detection (DPD): Enabled


    When I try to connect the tunnel, the log shows:

    ..[Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
    ..initiating Aggressive Mode #1814, connection "ips0"
    ..STATE_AGGR_I1: initiate
    ..Received Vendor ID payload Type = [Dead Peer Detection]
    ..[Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
    ..Initial Aggressive Mode message from 12...* but no (wildcard) connection has been configured

    When I disable aggressive mode I get:

    ..Initiating Main Mode
    ..[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    ..Received Vendor ID payload Type = [Dead Peer Detection]
    ..[Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    ..(NATT)Initial Main Mode message received on 70...*:500 but no connection has been authorized. Please check your tunnel endpoint (gateway) setting
    ..Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead.

    Any suggestions on what's wrong with my configuration? Both routers are directly connected to their respective modems.

  • Joel
    Joel about 13 years
    I obfuscated that. The log message shows the full IP. Both those log messages were taken from router A (70...)
  • Joel
    Joel about 13 years
    When I disable aggressive I get a log message saying that "Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead." I'll try dropping and recreating the tunnels.
  • Joel
    Joel about 13 years
    Hot diggity! Deleting and recreating did it. I wish I had the last 8 hours of my life back...
  • justarobert
    justarobert about 13 years
    Next oddity: the error message you're getting when you disable Main Mode is more consistent with a gateway type of Dynamic IP + Domain Name or Dynamic IP + E-mail Addr. than IP only. (You must use Aggressive Mode if you are using one of the dynamic IP types.) Is there any chance one of your Remote Security Gateway Types is dynamic?
  • Joel
    Joel about 13 years
    I'm thinking there is some bug in the firmware that was causing one of the tunnels to display as static but act dynamic. Deleting and recreating solved it.
  • charnley
    charnley about 13 years
    Ha! I remember banging my head for several hours on that as well. Glad it worked!
  • justarobert
    justarobert about 13 years
    Heh. I was going to suggest next checking for new firmware, but if it's working, don't touch it. :) This family of routers is not the most robust.
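
The side-by-side comparison this thread does by eye (router A's local gateway and subnet against router B's remote ones, and the same IKE settings on both ends), as an added example that is not part of the original posts. The listing layout follows the thread; the gateway addresses are constructed placeholders, and `parse` and `mirror_problems` are hypothetical helper names.

```python
import re

def parse(text):
    """Parse an RV082-style settings listing into a dict.

    'IP Address' and 'Subnet Mask' repeat, so each is prefixed with the
    preceding '... Type' line, e.g. 'Remote Security Group IP Address'.
    """
    cfg, scope = {}, ""
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(IP Address|Subnet Mask):?\s+(\S+)$", line)
        if m:  # the listing writes this key both with and without a colon
            cfg[f"{scope} {m.group(1)}"] = m.group(2)
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
            if key.endswith(" Type"):
                scope = key[: -len(" Type")]
    return cfg

def mirror_problems(a, b):
    """List settings where router A differs from the mirror image of router B
    (B's Local/Remote prefixes swapped; all other keys compared as they are)."""
    swap, expected = {"Local": "Remote", "Remote": "Local"}, {}
    for key, value in b.items():
        side, _, rest = key.partition(" ")
        expected[f"{swap[side]} {rest}" if side in swap else key] = value
    return [f"{k}: A={a.get(k)!r}, mirrored B={expected.get(k)!r}"
            for k in sorted(set(a) | set(expected)) if a.get(k) != expected.get(k)]

# Constructed sample in the thread's layout; the gateway addresses are
# documentation-range placeholders, not the addresses elided in the thread.
TEMPLATE = """Local Security Gateway Type: IP Only
IP Address: {}
Local Security Group Type: Subnet
IP Address {}
Subnet Mask: 255.255.255.0
Remote Security Gateway Type: {}
IP Address: {}
Remote Security Group Type: Subnet
IP Address {}
Subnet Mask: 255.255.255.0
Phase1 Encryption: DES
Aggressive Mode: Enabled"""
GW_A, GW_B = "198.51.100.10", "203.0.113.20"
ROUTER_A = parse(TEMPLATE.format(GW_A, "192.168.3.0", "IP Only", GW_B, "192.168.1.0"))
ROUTER_B = parse(TEMPLATE.format(GW_B, "192.168.1.0", "IP Only", GW_A, "192.168.3.0"))
print(mirror_problems(ROUTER_A, ROUTER_B) or "settings mirror each other")
```

A clean result only covers the values the settings page displays; it cannot see the condition the original poster suspected, a tunnel shown as static but behaving as dynamic.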