I have two servers in the same tree and we are replacing a leased line
connection between them with a VPN circuit. I have been through Craig's
step-by-step setup in his wonderful book but unfortunately I'm still having
problems. The slave server doesn't seem to want to commit to a long-term
relationship with the master! They are talking so the communication is ok
but the slave seems to refuse the master stating it isn't in its access
control list.

Here is a sample dump of the IKE screen from each server. Can anyone point
me in the right direction? I've replaced the IP addresses with
*MasterPublicIP* & *SlavePublicIP* respectively.

MASTER IKE Screen

12-7-2004 3:08:44 pm Local server's interfaces : *MasterPublicIP*
12-7-2004 3:08:44 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from *SlavePublicIP*
12-7-2004 3:08:44 pm info: sending certificate request payload is disabled
12-7-2004 3:08:44 pm ***Send Main Mode message to *SlavePublicIP*
12-7-2004 3:08:44 pm I-COOKIE=2DD117005E57D475,R-COOKIE=5A7DE252BA8C75C7,MsgID=0,1stPL=KEY-PAYLOAD,state=-2084982144
12-7-2004 3:08:44 pm ***Receive Main Mode message from
12-7-2004 3:08:44 pm I-COOKIE=2DD117005E57D475,R-COOKIE=5A7DE252BA8C75C7,MsgID=0,1stPL=KEY-PAYLOAD,state=-2084982144
12-7-2004 3:08:44 pm No NAT detected
12-7-2004 3:08:44 pm *Sending MM id payload Type 9 - subject name :9 subject alternative name :2,3
12-7-2004 3:08:44 pm *protocol 0 portnum 0 length 48
12-7-2004 3:08:44 pm Sending INITIAL_CONTACT notify to *SlavePublicIP*
12-7-2004 3:08:44 pm ***Send Main Mode message to *SlavePublicIP*
12-7-2004 3:08:44 pm I-COOKIE=2DD117005E57D475,R-COOKIE=5A7DE252BA8C75C7,MsgID=0,1stPL=ID-PAYLOAD,state=-2084982132
12-7-2004 3:08:44 pm ***Receive Unacknowledge Informational message from *SlavePublicIP*
12-7-2004 3:08:44 pm I-COOKIE=2DD117005E57D475,R-COOKIE=5A7DE252BA8C75C7,MsgID=28763829,1stPL=HASH-PAYLOAD,state=-2084982084
12-7-2004 3:08:44 pm Recieved notify message type -17 from *SlavePublicIP*
12-7-2004 3:08:44 pm Notify Recvd :Deleting IKE SA and related QM SAS - Peer 82..133.50.34

SLAVE IKE Screen

12-7-2004 3:07:23 pm I-COOKIE=696F1D73D74367B2,R-COOKIE=5A7DE252BA8C75C7,MsgID=0,1stPL=KEY-PAYLOAD,state=-1780522420
12-7-2004 3:07:23 pm ***Receive Main Mode message from *MasterPublicIP*
12-7-2004 3:07:23 pm I-COOKIE=696F1D73D74367B2,R-COOKIE=5A7DE252BA8C75C7,MsgID=0,1stPL=ID-PAYLOAD,state=-1780522408
12-7-2004 3:07:23 pm Recieved MM ID payload type 9 protocol 0 portnum 0 length 48
12-7-2004 3:07:23 pm Recieved notify message type 24578 from *MasterPublicIP*
12-7-2004 3:07:23 pm Recieved INITIAL_CONTACT notify deleting all old SA's with *MasterPublicIP* address
12-7-2004 3:07:23 pm sending notify message type 65519 to *MasterPublicIP*
12-7-2004 3:07:23 pm ***Send Unacknowledge Informational message to *MasterPublicIP*
12-7-2004 3:07:23 pm I-COOKIE=696F1D73D74367B2,R-COOKIE=5A7DE252BA8C75C7,MsgID=93C4811E,1stPL=HASH-PAYLOAD,state=-1780522360
12-7-2004 3:07:23 pm Failed to create IKE-SA - ACL Check Failed , dst = *MasterPublicIP*
12-7-2004 3:07:24 pm IKE-SA 8F18C040 is Deleted,I-COOKIE=696F1D73,R-COOKIE=5A7DE252,dst=*MasterPublicIP*
12-7-2004 3:07:24 pm State:2 Cond:4 TimerEvent:1
12-7-2004 3:07:24 pm lifetime :28800 sec Rekey Time :0 sec
12-7-2004 3:07:24 pm Created at :0 sec Remaining life time :-1104695 sec Current time 1133495
12-7-2004 3:07:24 pm The client *MasterPublicIP* removed from vpninf

--
Matt Hudson,
Principle Network and Communications Officer,
Burnley Borough Council.
CNA 6/5/4