Hi.

NW6.5 SP6 with BM3.8 SP5 on both sites in separate trees.

Have followed Craig's book with regards to setting up a S2S VPN as detailed above but have encountered an error which looks like it may be a certificate issue?

The two logs of the handshake are listed below, if someone has the time I would be grateful if you could have a look through and give me some pointers as to either what is wrong or which side has the error, the master or the slave.

All help appreciated
Andrew

MASTER IKE.log (some IP and cert names altered to avoid web harvesting but are confirmed as being correct)

10-12-2007 11:36:46 am Start IPSEC SA 98111D80 - Initiator****totSA=1
10-12-2007 11:36:46 am src from IPsec
10-12-2007 11:36:46 am 10020000 C3C3F783
10-12-2007 11:36:46 am dst from IPsec
10-12-2007 11:36:46 am 10020000 D4DB00E4
10-12-2007 11:36:46 am Start IKE-SA 90C486E0 - Initiator,src=195.195.247.131,dst=212.219.X.X,TotS A=2
10-12-2007 11:36:46 am AUTH ALG IS 3
10-12-2007 11:36:46 am ***Send Main Mode message to 212.219.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1742209524
10-12-2007 11:36:46 am ***Receive Main Mode message from 212.219.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=SA-PAYLOAD,state=-1742209524
10-12-2007 11:36:46 am IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
10-12-2007 11:36:46 am ****DH private exponent size is 1016****
10-12-2007 11:36:46 am Local server's interfaces : 172.19.1.3
10-12-2007 11:36:46 am Local server's interfaces : 195.195.X.X
10-12-2007 11:36:46 am Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from 212.219.0.228
10-12-2007 11:36:47 am info: sending certificate request payload is disabled
10-12-2007 11:36:47 am ***Send Main Mode message to 212.219.X.X
10-12-2007 11:36:47 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=KEY-PAYLOAD,state=-1742209472
10-12-2007 11:36:47 am ***Receive Main Mode message from 212.219.X.X
10-12-2007 11:36:47 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=KEY-PAYLOAD,state=-1742209472
10-12-2007 11:36:47 am No NAT detected
10-12-2007 11:36:47 am *Sending MM id payload Type 9 - subject name :9 subject alternative name :2,3
10-12-2007 11:36:47 am *protocol 0 portnum 0 length 33
10-12-2007 11:36:47 am Sending INITIAL_CONTACT notify to 212.219.X.X
10-12-2007 11:36:47 am ***Send Main Mode message to 212.219.X.X
10-12-2007 11:36:47 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=ID-PAYLOAD,state=-1742209460
10-12-2007 11:36:47 am ***Receive Unacknowledge Informational message from 212.219.X.X
10-12-2007 11:36:47 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=9FE65604,1stPL=HASH-PAYLOAD,state=-1742209412
10-12-2007 11:36:47 am Recieved notify message type -17 from 212.219.X.X
10-12-2007 11:36:47 am Notify Recvd :Deleting IKE SA and related QM SAS - Peer 212.219.X.X
10-12-2007 11:36:47 am IKE-SA 90C486E0 is Deleted,I-COOKIE=BA69720E,R-COOKIE=92ECEB30,dst=212.219.X.X
10-12-2007 11:36:47 am State:2 Cond:4 TimerEvent:1
10-12-2007 11:36:47 am lifetime :28800 sec Rekey Time :0 sec
10-12-2007 11:36:47 am Created at :0 sec Remaining life time :-499939 sec Current time 528739
10-12-2007 11:36:47 am Freeing IKE SA

SLAVE IKE.log (some IP and cert names altered to avoid web harvesting but are confirmed as being correct)

10-12-2007 11:36:46 am ***Receive Main Mode message from 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1766248948
10-12-2007 11:36:46 am Start IKE-SA 9D2970C0 - Responder,src=212.219.X.X,dst=195.195.X.X,TotSA=1
10-12-2007 11:36:46 am AUTH ALG IS 3
10-12-2007 11:36:46 am IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
10-12-2007 11:36:46 am ****DH private exponent size is 1016****
10-12-2007 11:36:46 am Local server's interfaces : 172.25.1.100
10-12-2007 11:36:46 am local Server behind NAT
10-12-2007 11:36:46 am Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from 195.195.X.X
10-12-2007 11:36:46 am ***Send Main Mode message to 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=SA-PAYLOAD,state=-1766248948
10-12-2007 11:36:46 am ***Receive Main Mode message from 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=KEY-PAYLOAD,state=-1766248896
10-12-2007 11:36:46 am No NAT detected
10-12-2007 11:36:46 am info: sending certificate request payload is disabled
10-12-2007 11:36:46 am ***Send Main Mode message to 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=KEY-PAYLOAD,state=-1766248896
10-12-2007 11:36:46 am ***Receive Main Mode message from 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=ID-PAYLOAD,state=-1766248884
10-12-2007 11:36:46 am Recieved MM ID payload type 9 protocol 0 portnum 0 length 33
10-12-2007 11:36:46 am Recieved notify message type 24578 from 195.195.X.X
10-12-2007 11:36:46 am Recieved INITIAL_CONTACT notify deleting all old SA's with 195.195.X.X address
10-12-2007 11:36:46 am sending notify message type 65519 to 195.195.X.X
10-12-2007 11:36:46 am ***Send Unacknowledge Informational message to 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=9FE65604,1stPL=HASH-PAYLOAD,state=-1766248836
10-12-2007 11:36:46 am Failed to create IKE-SA - ACL Check Failed , dst = 195.195.X.X
10-12-2007 11:36:48 am IKE-SA 9D2970C0 is Deleted,I-COOKIE=BA69720E,R-COOKIE=92ECEB30,dst=195.195.X.X
10-12-2007 11:36:48 am State:2 Cond:4 TimerEvent:1
10-12-2007 11:36:48 am lifetime :28800 sec Rekey Time :0 sec
10-12-2007 11:36:48 am Created at :0 sec Remaining life time :-219386 sec Current time 248186
10-12-2007 11:36:48 am The client 195.195.X.X removed from vpninf
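The post asks which side has the error. As an added example (not part of Andrew's post), this small Python script reads the two quoted log excerpts, pairs the informational exchange by cookie pair and MsgID, and normalises the notify types: the master's `-17` is the slave's `65519` printed as a signed 16-bit value, and only the slave (responder) log carries an explicit failure reason. The excerpts are constructed from the post's own lines, trimmed to the relevant ones.

```python
import re

# Constructed excerpts of the two IKE.log files quoted in the post, trimmed to the
# lines that matter for the diagnosis (addresses left redacted as in the post).
MASTER_LOG = """\
10-12-2007 11:36:47 am ***Send Main Mode message to 212.219.X.X
10-12-2007 11:36:47 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=0,1stPL=ID-PAYLOAD,state=-1742209460
10-12-2007 11:36:47 am ***Receive Unacknowledge Informational message from 212.219.X.X
10-12-2007 11:36:47 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=9FE65604,1stPL=HASH-PAYLOAD,state=-1742209412
10-12-2007 11:36:47 am Recieved notify message type -17 from 212.219.X.X
"""
SLAVE_LOG = """\
10-12-2007 11:36:46 am Recieved MM ID payload type 9 protocol 0 portnum 0 length 33
10-12-2007 11:36:46 am Recieved notify message type 24578 from 195.195.X.X
10-12-2007 11:36:46 am sending notify message type 65519 to 195.195.X.X
10-12-2007 11:36:46 am ***Send Unacknowledge Informational message to 195.195.X.X
10-12-2007 11:36:46 am I-COOKIE=BA69720E2B7C17E9,R-COOKIE=92ECEB300DC1E7D4,MsgID=9FE65604,1stPL=HASH-PAYLOAD,state=-1766248836
10-12-2007 11:36:46 am Failed to create IKE-SA - ACL Check Failed , dst = 195.195.X.X
"""

NOTIFY_RE = re.compile(r"(Recieved|sending) notify message type (-?\d+)")
COOKIE_RE = re.compile(r"I-COOKIE=(\w+),R-COOKIE=(\w+),MsgID=(\w+)")
FAIL_RE = re.compile(r"Failed to create IKE-SA - (.+?) ,")
# Standard ISAKMP status type from RFC 2407; anything else is reported as vendor-specific.
KNOWN_NOTIFY = {24578: "INITIAL_CONTACT"}

def to_u16(value):
    """ISAKMP notify types are 16-bit; the initiator log prints them as signed numbers."""
    return int(value) & 0xFFFF

def notify_types(log):
    """Return [(direction, type)] with every notify type normalised to unsigned 16-bit."""
    return [(d, to_u16(t)) for d, t in NOTIFY_RE.findall(log)]

def describe_notify(n):
    return KNOWN_NOTIFY.get(n, "vendor-specific/unknown")

def failure_reason(log):
    m = FAIL_RE.search(log)
    return m.group(1).strip() if m else None

def correlate(master_log, slave_log):
    """Match the exchange on both sides and report which side rejected it, and why."""
    master_msgs = set(COOKIE_RE.findall(master_log))
    shared = [c for c in COOKIE_RE.findall(slave_log) if c in master_msgs]
    sent = {t for d, t in notify_types(slave_log) if d == "sending"}
    received = {t for d, t in notify_types(master_log) if d == "Recieved"}
    side = "slave" if failure_reason(slave_log) else ("master" if failure_reason(master_log) else None)
    return {"shared_exchanges": shared, "notify_matches": sorted(sent & received),
            "rejecting_side": side, "reason": failure_reason(slave_log) or failure_reason(master_log)}
```

Run against the full logs, the same functions show that the main-mode exchange completes through the ID payload and that the rejection is issued by the responder immediately after the identity check.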