> > Thanx, I'll try to do it on Sunday... and post the results here. Ok?
> OK!
> > We think our results will be interesting for many people, so - in St.Pete we
> > can't find any Novell System Administrator who knows how the new
> > BMEE VPN is working :( ... To be a pioneer is very hard :)
> very true. If you have a bit of money to invest, you can check Craig's book
> on BM. His new version covers also the BM 3.8 VPN quite in detail.
> Good luck!
> --
> Caterina Luppi
> Novell Support Connection Volunteer Sysop


..... so, we have some results, but still need help. We bought the book "A
Beginner's Guide to Border Manager 3.x".
Our steps after reading the book:
1. Remove the Legacy VPN client from both servers.
2. Remove the ServerCert object and the TRC container with any objects inside
the container - remove from both servers.
3. From the internet browser configure the Master server as VPN Server as
described in the book.
4. Export the Trusted Root Certificate to a .DER file on the workstation.
For the export use ConsoleOne.
5. From the internet browser configure the Slave server as VPN Server.
*Note: the servers live in different trees...*
6. Import into the Slave's TRC the Master_Trusted_Root_Certificate from the .DER
file (from the workstation). For the import use ConsoleOne.
7. Import the Slave's TRO into the Master's TRC via ConsoleOne.
------------------------------------------------------------------------
Master Server:
TRO (ServerCert - M01)
TRC (TRC - M01)
+---- MasterTRO (Created automatically by iManager)
+---- SlaveTRO (Imported by me from .DER file)

Slave Server:
TRO (ServerCert - S01)
TRC (TRC - S01)
+---- MasterTRO (Imported by me from .DER file)

On both servers, from the console, run:
stopvpn
startvpn

As a result VPNMaster & VPNSlave are loaded, VPTUNNEL.LAN is loaded and the VPN
Private IP is bound to VPTUNNEL.LAN - this always seems ok...

The Master VPN server initiated a VPN connection with the Slave; in the IKE log
screen I see repeated messages that look like:
*Sending MM id payload Type 9 - subject name :9 subject alternative name :2,3
*protocol 0 portnum 0 length 48
***Send Main Mode message to 195.131.99.101
I-COOKIE=36E96BFE,R-COOKIE=B24E88A0,MsgID=0,1stPL=ID-PAYLOAD,state=2
***Receive Main Mode message from 195.131.99.101
I-COOKIE=36E96BFE,R-COOKIE=B24E88A0,MsgID=0,1stPL=ID-PAYLOAD,state=0
Recieved MM ID payload type 9 protocol 0 portnum 0 length 44
IKE_PKI_GetCertInfo: The subject alternative name type Directory Name is
not supported
sending notify message type 62 to 195.131.99.101
***Send Unacknowledge Informational message to 195.131.99.101
I-COOKIE=36E96BFE,R-COOKIE=B24E88A0,MsgID=5E956F31,1stPL=HASH-PAYLOAD,state=2
Failed to create IKE-SA - ACL Check Failed , dst = 195.131.99.101
IKE-SA 90C33000 is Deleted,I-COOKIE=36E96BFE,R-COOKIE=B24E88A0,dst=195.131.99.101
State:2 Cond:4 TimerEvent:1
lifetime :28800 sec Rekey Time :0 sec
Created at :0 sec Remaining life time :-328130 sec Current time 356930


On the IKE console of the SLAVE VPN server:
***Receive Main Mode message from 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=00000000,MsgID=0,1stPL=SA-PAYLOAD,state=0
Start IKE-SA 91684000 - Responder,src=195.131.99.100,dst=195.131.99.100,To tSA=1
IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
****DH private exponent size is 1016****
***Send Main Mode message to 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,MsgID=0,1stPL=SA-PAYLOAD,state=1
***Receive Main Mode message from 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,MsgID=0,1stPL=KEY-PAYLOAD,state=0
No NAT detected
sending certificate request payload is disabled
***Send Main Mode message to 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,MsgID=0,1stPL=KEY-PAYLOAD,state=2
***Receive Main Mode message from 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,MsgID=0,1stPL=ID-PAYLOAD,state=0
Recieved MM ID payload type 9 protocol 0 portnum 0 length 48
IKE_PKI_GetCertInfo: The subject alternative name type Directory Name is
not supported
*Sending MM id payload Type 9 - subject name :9 subject alternative name :2,3
*protocol 0 portnum 0 length 44
***Send Main Mode message to 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,MsgID=0,1stPL=ID-PAYLOAD,state=3
***Receive Unacknowledge Informational message from 195.131.99.100
I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,MsgID=52F97F44,1stPL=HASH-PAYLOAD,state=0
Recieved notify message type 62 from 195.131.99.100
Notify Recvd :Deleting IKE SA and related QM SAS - Peer 195.131.99.100
IKE-SA 91684000 is Deleted,I-COOKIE=A9EADE07,R-COOKIE=B24E88A0,dst=195.131.99.100
State:3 Cond:4 TimerEvent:2
lifetime :28800 sec Rekey Time :0 sec
Created at :0 sec Remaining life time :15035 sec Current time 13765


So - the Slave does not try to establish a connection with the Master. The main
problem: we can't establish a VPN connection between master and slave ;(

Your ideas???
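Both IKE logs above abort right after "IKE_PKI_GetCertInfo: The subject alternative name type Directory Name is not supported", so the first thing to check is which subjectAltName entry types the exchanged certificates actually carry. The script below is an added example, not code from the thread, from Novell or from BorderManager: it walks the DER of a certificate (or of a bare subjectAltName extension value) with the standard library only and lists the GeneralName types it finds, flagging any `directoryName` entry. It assumes that "Directory Name" in the IKE message refers to the X.509 GeneralName CHOICE `directoryName` (context tag [4]); the sample SAN and the structure-only certificate skeleton are constructed here for illustration and are not real certificates.

```python
# Added example (not from the thread): list the subjectAltName GeneralName
# types in a DER certificate so a directoryName entry can be spotted before
# the certificate is exported/imported as a trusted root for the VPN.
# Assumption: the IKE message "subject alternative name type Directory Name
# is not supported" refers to the X.509 GeneralName CHOICE directoryName [4].
import ipaddress

SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, OID 2.5.29.17

GENERAL_NAME_TYPES = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}


def read_tlv(buf, pos=0):
    """Decode one DER TLV (single-byte tags only) -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def der(tag, content):
    """Encode one DER TLV with a definite length (used to build samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def san_entries(general_names):
    """Parse a GeneralNames SEQUENCE (the SAN extnValue) into (type, text)."""
    tag, seq, _ = read_tlv(general_names)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    out = []
    for t, v in children(seq):
        if t & 0xC0 != 0x80:  # every GeneralName is context-specific tagged
            raise ValueError(f"unexpected tag 0x{t:02x} in GeneralNames")
        num = t & 0x1F
        kind = GENERAL_NAME_TYPES.get(num, f"unknown[{num}]")
        if num in (1, 2, 6):  # IA5String choices
            out.append((kind, v.decode("ascii")))
        elif num == 7 and len(v) in (4, 16):
            out.append((kind, str(ipaddress.ip_address(v))))
        else:  # directoryName and the rest: keep the raw DER as hex
            out.append((kind, v.hex()))
    return out


def san_from_certificate(cert_der):
    """Return the subjectAltName extnValue of a DER Certificate, or None."""
    _, cert, _ = read_tlv(cert_der)  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)       # tbsCertificate ::= SEQUENCE
    for tag, value in children(tbs):
        if tag != 0xA3:              # extensions [3] EXPLICIT
            continue
        _, ext_seq, _ = read_tlv(value)
        for _, ext in children(ext_seq):   # Extension ::= SEQUENCE
            parts = list(children(ext))    # extnID, [critical], extnValue
            if parts[0][1] == SAN_OID:
                return parts[-1][1]        # contents of the OCTET STRING
    return None


def unsupported_entries(entries):
    """Entries a peer that rejects directoryName SANs would refuse."""
    return [e for e in entries if e[0] == "directoryName"]


# --- constructed samples (not real certificates) ---------------------------
def sample_san():
    dns = der(0x82, b"vpn-master.example")                 # [2] dNSName
    ip = der(0x87, bytes([192, 0, 2, 1]))                   # [7] iPAddress
    cn = der(0x30, der(0x06, bytes.fromhex("550403"))       # commonName OID
                   + der(0x13, b"VPN Master"))              # PrintableString
    dn = der(0xA4, der(0x30, der(0x31, cn)))                # [4] directoryName
    return der(0x30, dns + ip + dn)


def sample_cert_skeleton():
    """Structure-only Certificate wrapper carrying just the SAN extension."""
    ext = der(0x30, der(0x06, SAN_OID) + der(0x04, sample_san()))
    return der(0x30, der(0x30, der(0xA3, der(0x30, ext))))


if __name__ == "__main__":
    entries = san_entries(san_from_certificate(sample_cert_skeleton()))
    for kind, text in entries:
        print(f"{kind:26} {text}")
    print("directoryName present:", bool(unsupported_entries(entries)))
```

To check a real exported file, replace `sample_cert_skeleton()` with `open("server.der", "rb").read()` (a placeholder path); a certificate whose SAN lists only dNSName or iPAddress entries yields an empty `unsupported_entries` result.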






Corporate Governance | Legal | Privacy | Accessibility |