On NBM 3.9, remote user uses certificate to authenticate. The existing certificate expired. The new one gives the following IKE error:

Failed to create ike-sa - acl check failed

I found a TID (3663945) that seems to explain my situation which tells me what to do, but not how to do it. My VPN setup days were all done when ConsoleOne was the tool to use. I have poked around in iManager trying several things for the last hour and am having no luck. Here is the solution text from the TID.

The certificate subject name does not match. The name slave expects ( you configured on the slave iManager screen) is not the same one as the master is sending ( configured on the s2s iManager setup).
The new created Master vpn certificate name is different than the old one. You'll have to go to iManager on the slave vpn, vpn server configuration, Trusted master server certificate subject name and replace it with the new name.
Stopvpn and Startvpn and tunnel will be reestablish.

Any help on how to get this working again would be helpful. I hate it when things that have worked for years suddenly stop!