> In article <JPX7c.6388$jb5.2091@prv-forum2.provo.novell.com>, wrote:
> > exporting Master TRO to the .DER file and import this object into the
> > Slave's TRC - is that correct?
>
> You don't export a TRO to a .DER file, you export the Trusted Root of the
> server's certificate to a .DER file. (Probably ROOTCERT.DER from the Public
> directory would be just as good).
>
> > As a result, the Slave's TRC contains one object: MasterTRO. The Master's TRC
> > contains two objects: MasterTRO and SlaveTRO. Is it correct (if we
> > have only two servers)?
>
> This is correct. Any time you configure a BMgr slave, you only have to tell
> it about the Master. The master will then push all the other slave configs
> needed to each slave.
>
> > All ServerCert objects answer "valid" when I check validity...
> > Please explain to me what "subject name" means; I guess my mistake
> > is near that...
>
> The Subject Name is the 'subject name' when looking at the certificate
> properties in iManager or ConsoleOne.
>
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***


Thanks for the support. We changed the Slave's subject name in the VPN Site to
Site Configuration and imported both certificates from the rootcert.der file.
Below I paste the IKE log after the change.
---IKE.LOG----------------->8-------------
3-30-2004 12:16:02 pm Start IPSEC SA 8C9A5480 - Initiator****totSA=1
3-30-2004 12:16:02 pm src from IPsec
3-30-2004 12:16:02 pm 100201F4 C257B6AB
3-30-2004 12:16:02 pm dst from IPsec
3-30-2004 12:16:02 pm 100201F4 C257B6AD
3-30-2004 12:16:02 pm ****DH private exponent size is 1016****
3-30-2004 12:16:02 pm Sending DH params in QM - PFS Configured or Requested by Peer
3-30-2004 12:16:02 pm *Sending proxy ID type 4 0.0.0.0/0.0.0.0
3-30-2004 12:16:02 pm *Sending proxy ID type 4 0.0.0.0/0.0.0.0
3-30-2004 12:16:02 pm ***Send Quick Mode message to 194.87.182.173
3-30-2004 12:16:02 pm I-COOKIE=0CA8C6FD8BCF8EF3,R-COOKIE=8DFF572399D94773,MsgID=E60A4A7E,1stPL=HASH-PAYLOAD,state=-1884151160
3-30-2004 12:16:02 pm ***Receive Quick Mode message from 194.87.182.173
3-30-2004 12:16:02 pm I-COOKIE=0CA8C6FD8BCF8EF3,R-COOKIE=8DFF572399D94773,MsgID=E60A4A7E,1stPL=HASH-PAYLOAD,state=-1884151160
3-30-2004 12:16:02 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
3-30-2004 12:16:02 pm IPSE SA NEGOTIATION: Peer lifetime = 1000 My lifetime=1000
3-30-2004 12:16:02 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - 0.0.0.0 0.0.0.0
3-30-2004 12:16:02 pm ***Send Quick Mode message to 194.87.182.173
3-30-2004 12:16:02 pm I-COOKIE=0CA8C6FD8BCF8EF3,R-COOKIE=8DFF572399D94773,MsgID=E60A4A7E,1stPL=HASH-PAYLOAD,state=-1884151160
3-30-2004 12:16:02 pm ESP-SA is created:algorID=esp 3des,mySPI=2A2493AA,peerSPI=2042E503,time=57044,dst=194.87.182.173
3-30-2004 12:17:42 pm ESP-SA is deleted from protoSAUpList mySPI=B2C68FAA,peerSPI=4174BBC6,time=1028619 dst: 194.87.182.173
3-30-2004 12:17:42 pm ***Send Acknowledge Informational message to 194.87.182.173
3-30-2004 12:17:42 pm I-COOKIE=0CA8C6FD8BCF8EF3,R-COOKIE=8DFF572399D94773,MsgID=405E311E,1stPL=HASH-PAYLOAD,state=-1884151160
3-30-2004 12:17:42 pm ***Receive Acknowledge Informational message from 194.87.182.173
3-30-2004 12:17:42 pm I-COOKIE=0CA8C6FD8BCF8EF3,R-COOKIE=8DFF572399D94773,MsgID=405E311E,1stPL=HASH-PAYLOAD,state=-1884151160
3-30-2004 12:17:42 pm ESP-SA is deleted :algorID=esp 3des,mySPI=B2C68FAA,peerSPI=4174BBC6,time=57145,dst=194.87.182.173
---IKE.LOG-----------------8<-------------

Hmmm, as I guess, we created a VPN key, and the servers exchanged the VPN
key... It looks better than earlier: keys are changed every 5 minutes (it's
the key's lifetime period), but ping can't get through to the other server.
Can't ping from Master to Slave, and can't ping from Slave to Master... also
can't establish the VPN-TUNNEL CONNECTION :(

Comparing BM38 with BM35: VPN in BM35 is very easy to install and works
correctly after a few key presses... VPN in BM38 is very hard to set up and
very hard to understand, IMHO... So, we need help!