I'm having a serious C2S problem.

Two server Network/Tree, both brand new hardware, brand new install of NW
6.5 SP2a from the SP2a Overlay CD. One server is the file, print, ZEN, etc
server. The other is the BM 3.8 Server. These servers are replacing an
existing pair of NW 6.0 servers that started life as NW 4.11 boxes and this
replacement cleans up and revamps the NDS tree. Installed BM 3.8, SP2a, beta
field patch on the BM box. BM's Primary Private IP is the default gateway
for the LAN segment. BM has several bound secondaries on the private side
(for DNS, etc to run on).

I followed Craig's Book's setup verbatim except for the Tunnel subnet (to
match the existing server's config as closely as possible, FYI existing BM
is NW6SP5/BM3.7SP3.)

BorderManager server (BM-01):
Private NIC (PRIVATE):
Public NIC (PUBLIC):
Default Gateway
BM-01 is the default gateway for the private LAN. Dynamic NAT and several
static NATs in place on the Public NIC.
iManager VPN server config is:
Server Address:
Tunnel Address:

Server is set up as a SITE-TO-SITE Master (not connected to anything yet)

Client to Site Service (TYPICAL):
IP Address List: Network:
Traffic Rules (per Craig's Book): Allow Admin to
encrypt, Allow VPN Users encrypt, Allow Internet
Access Bypass
NMAS Auth for admin and VPN_Users_Group
Have tried both with and without pushing out DNS & SLP server IPs.
WAN Client IPX set to 57344

I've had two problems, one of which I think is fixed.

AuthGW would authenticate the user but in NRM and on the IKE console screen
I'd have a "proposal mismatch" with IKE triple DES (3des) and the client DES
(des) error. I found a forum message about back-revving IKE to the shipping
version on the BM 3.8 CD, which I did and the IKE "proposal mismatch" went
away with both ends showing Triple DES (3des).

Now onto the second (and show stopping) problem.

Since this is not in production yet and can't be until the Client VPN is
working, I have set up a test connection using the following:

Plugged the Public NIC into a 4-port 10/100 switch and plugged my laptop
(Win XP Pro SP1, NWClient 4.90 SP2, VPN Client 3.8.7) into it as well, set
the laptop IP address to and I've tried not
setting the default gateway, setting it to the "real" upstream router and
setting it to the BM's public IP. I can auth
to the server, IKE likes me and NRM shows me connected, HOWEVER, I can't ping,
tracert, etc. to the private subnet. I can see the server pushed out pool IP
and DNS info but NRM shows that the IPX and IP associated connects are not
up (I would expect the IPX to not come up since my laptop is XP Pro) and
the IP associated connect details lists the connection state as

I have also followed Craig's book to try the "Legacy" Client VPN. I connect
and auth just fine but no tunnel-no talking.

Also checked the stupid stuff like Router vs End-Node and Set Dynamic
Passthru, turned off the filters, etc....

Please Help!!!!
Tracy Carlton