I bit the bullet and installed BM3.8 on Saturday. Previously we were running a BM3.7 master, with two BM3.7 slaves.

First thing I learned was the importance of LDAP :) It didn't help that I was installing on a brand new NW6.5 server, which had been installed on a temporary IP before being moved "into place". Without LDAP, there is no iManager, and without SSL, there is no (secure) LDAP. A frustrating few hours of juggling certificates, .conf files and portal setups, and BM3.8 was installed and configured.

The IKE-based VPN works fine client-to-site; took me a few minutes to get the hang of the access rules, and iManager doesn't always get on well with Mozilla, but apart from that there's nothing too difficult.

Again, having LDAP working seems to be the key to a lot of problems. At last, no more problems with VPN clients and conflicting address ranges - we can specify a range that clients are automatically assigned.

One thing that did slow me down was when trying to get the site-to-site VPN back up. For now, I want to continue using the SKIP VPN until I can get the slaves upgraded. However, with the default filters in place, it seems VPMASTER can't talk out to VPSLAVE to set up the initial connection and routes. With filters on, it would stick in NWAdmin as "being configured", and VPTUNNEL wasn't configured on the slaves. Without filters, it sync'd in a few seconds. Re-enabling the filters - and the VPN works fine! It's probably just a case of sticking in a couple of filter exceptions, but I thought it would only need 353/213 opened up ... not a huge issue, we'll not be reconfiguring often so I'm happy to leave it.

Apart from that, everything's great. Congratulations to Scott and his team - glad Novell didn't let a great product die. Now bring on BM4.0 :)