The only thing that could present a difference here is the hardware crypto in the safexcel driver. But you said you tried using a cipher that it does not affect (blowfish), so it can't be that directly.

So I'm left trying to think of something you might have had set in the old device that's somehow incompatible with the SG-1100. I can't see what that could be though.

The fact that setting the tunnel to use ports 600/4600 allowed it to come up implies something in the path blocking the standard ports. The crypto hardware doesn't care what ports are in use, for example.

It really 'feels' like the upstream device trying to do something clever with IPsec traffic.

Are we able to review the config you are importing to the 1100? If you open a ticket with us and reference this thread the guys will make sure I see it.

It's hard to see how this could be a hardware issue. If we swapped it out I would expect another device to do exactly the same thing given the same config.

Steve