Well Mike, I thought I was OK, but I'm still having trouble.
I re-created the tunnels between the 2 problem endpoints (Sites A and B), and things seemed to work nicely. Phase 2 re-negotiations took only a handful of attempts. For the past 5 days or so, the tunnels have been stable, with the phase 2's renegotiating successfully as scheduled (every 4 hours.) Then just this morning, I ran into the same problem again with the A-B tunnel, with phase 2 failing repeatedly (endless "Phase 2 complete" messages) for several hours. I rebooted the router at Site B and the tunnels re-established after about 90 seconds. Connections and IP traffic between sites A and B have been fine for the past 3 hours; hopefully the next phase 2 re-negotiation won't barf.
I'm at my wits end with this. The tunnels out of Site C have been rock-solid since inception. The A-B tunnel settings at Sites A and B are identical (and different from the A-C and B-C settings). I have done a 'show config' dump and checked everything line by line. Furthermore, the IKE and Connection Profile settings for the A-B tunnel match the A-C and B-C settings (though unique from the other 2 tunnels in name, IKE Profile, and password).
Netopia online chat help would not offer any VPN configuration assistance; they referred me to their fee-based production support offerings (consistent with their website's advertised support policy regarding VPN's).
The only common issue I can think of at this point is that Sites A and B both have an ISP connection requiring PPPOE underlying encapsulation even though they have fixed IP addresses. Site C (the oldest) for some reason, even though under the same provider (SBC), does not utilize PPPOE at all.
Any thoughts?