Ok, I set up an S2S VPN a good few months ago and it's been working fine
up until yesterday. One of the BM servers was abending occasionally
running TCPIP so I decided to update the TCPIP NLMs to see if it would
help. Updated them, rebooted the server and noticed it wasn't
establishing the VPN so I put the old ones back again, still not
connecting. Spent the whole of today checking everything and it all
appears correct, no errors in PKIDiag etc. On the slave server IKE
isn't being loaded, I can't remember if this was the case before or
not, so that may or may not be relevant. Both servers are running
NetWare 6.5 with no SPs.

The IKE screen on the master server gives the following messages
repeatedly :-

2-6-2004 2:21:56 pm Start IPSEC SA B7F7B0C0 - Initiator****totSA=1
2-6-2004 2:21:56 pm src from IPsec
2-6-2004 2:21:56 pm 10020000 D5D040C2
2-6-2004 2:21:56 pm dst from IPsec
2-6-2004 2:21:56 pm 10020000 528519BB
2-6-2004 2:21:56 pm Start IKE-SA A8080000 - Initiator,src=1.1.1.1,dst 2.2.2.2,TotSA=1
2-6-2004 2:21:56 pm ***Send Main Mode message to 2.2.2.2
2-6-2004 2:21:56 pm I-COOKIE=657E7761,R-COOKIE=00000000,MsgID=0,1stPL=SA-PAYLOAD,state=0
2-6-2004 2:21:56 pm Start IPSEC SA B7F7B180 - Initiator****totSA=2
2-6-2004 2:21:56 pm src from IPsec
2-6-2004 2:21:56 pm 10020000 D5D040C2
2-6-2004 2:21:56 pm dst from IPsec
2-6-2004 2:21:56 pm 10020000 528519BB
2-6-2004 2:22:00 pm Retransmit timer expired :Peer lost our reply retransmit the old packet to 2.2.2.2
2-6-2004 2:22:00 pm ***Send Main Mode message to 2.2.2.2
2-6-2004 2:22:00 pm I-COOKIE=657E7761,R-COOKIE=00000000,MsgID=0,1stPL=SA-PAYLOAD,state=0
2-6-2004 2:22:07 pm Retransmit timer expired :Peer lost our reply retransmit the old packet to 2.2.2.2
2-6-2004 2:22:07 pm ***Send Main Mode message to 2.2.2.2
2-6-2004 2:22:07 pm I-COOKIE=657E7761,R-COOKIE=00000000,MsgID=0,1stPL=SA-PAYLOAD,state=0

Obviously I've substituted the real IPs with 1.1.1.1 and 2.2.2.2.


If I load IKE up on the slave server I get the following messages :-

2-6-2004 4:16:39 pm ***Receive Main Mode message from 1.1.1.1
2-6-2004 4:16:39 pm I-COOKIE=01136AE5,R-COOKIE=00000000,MsgID=0,1stPL=SA-PAYLOAD,state=0
2-6-2004 4:16:39 pm Start IKE-SA A6623000 - Responder,src=2.2.2.2,dst=1.1.1.1,TotSA=1
2-6-2004 4:16:39 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=300
2-6-2004 4:16:39 pm sending notify message type: 28 to 1.1.1.1
2-6-2004 4:16:39 pm ***Send Unacknowledge Informational message to 1.1.1.1
2-6-2004 4:16:39 pm I-COOKIE=01136AE5,R-COOKIE=F5A81DDD,MsgID=B8663C01,1stPL=NOTIFY-PAYLOAD,state=0
2-6-2004 4:16:39 pm Error :Server certificate not available , probably error reading certificate
2-6-2004 4:16:39 pm Processed SA-PAYLOAD unsuccessful - No usage certificate available for signature authentication, dst=1.1.1.1.
2-6-2004 4:16:39 pm Error processing the first MM packet - No usage certificate available for signature authentication
2-6-2004 4:16:42 pm IKE-SA A6623000 is Deleted,I-COOKIE=01136AE5,R-COOKIE=F5A81DDD,dst=1.1.1.1
2-6-2004 4:16:42 pm State:0 Cond:4 TimerEvent:1
2-6-2004 4:16:42 pm lifetime :0 sec Rekey Time :0 sec
2-6-2004 4:16:42 pm Created at :0 sec Remaining life time :-410 sec Current time 410
2-6-2004 4:16:42 pm The client 1.1.1.1 removed from vpninf


Whilst BM is running I am unable to ping from one server to the other,
if I unload it via STOPBRD they are able to ping each other fine.

Hopefully someone has a clue to what's going on here :o\