Our C2S VPN works fine for a few days, but eventually the end users
start receiving an IKE error. I've attached the IKE.log file for one of
the non-starting sessions. A restart of the BM server fixes the issue
for a little while. Once the error happens once, nobody can log in
until the system is restarted. We use certificate-based login.

Specifically this line confuses me:
10-25-2004 3:06:37 pm Failed to create IKE-SA - Peer's certificate date

The certificates validate fine, and work again once the server is
restarted. The server is patched to the most recent software and the
VPN clients should be using the 3.7.8 version of the software.

Regards,
Nicholas Lemberger
Lakefield Communications
920.758.2211

10-25-2004 3:06:36 pm ***Receive Main Mode message from 204.251.203.94
10-25-2004 3:06:36 pm
I-COOKIE=73E6688635F2303B,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1948020148
10-25-2004 3:06:36 pm Start IKE-SA 8C1C0000 -
Responder,src=206.40.97.42,dst=204.251.203.94,TotS A=1
10-25-2004 3:06:36 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My
lifetime=28800
10-25-2004 3:06:36 pm ****DH private exponent size is 1016****
10-25-2004 3:06:36 pm Local server's interfaces : 172.16.1.1
10-25-2004 3:06:36 pm Local server's interfaces : 192.168.250.1
10-25-2004 3:06:36 pm Local server's interfaces : 206.40.97.42
10-25-2004 3:06:36 pm Recieved Supported Vendor id Novell Border Manager
VPN 4.0 client - Protected Net from 204.251.203.94
10-25-2004 3:06:36 pm Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-03 from 204.251.203.94
10-25-2004 3:06:36 pm ***Send Main Mode message to 204.251.203.94
10-25-2004 3:06:36 pm
I-COOKIE=73E6688635F2303B,R-COOKIE=0471C48DCAACD5B2,MsgID=0,1stPL=SA-PAYLOAD,state=-1948020148
10-25-2004 3:06:36 pm ***Receive Main Mode message from 204.251.203.94
10-25-2004 3:06:36 pm
I-COOKIE=73E6688635F2303B,R-COOKIE=0471C48DCAACD5B2,MsgID=0,1stPL=KEY-PAYLOAD,state=-1948020096
10-25-2004 3:06:36 pm There is NAT in between server and client
10-25-2004 3:06:36 pm info: sending certificate request payload is disabled
10-25-2004 3:06:36 pm ***Send Main Mode message to 204.251.203.94
10-25-2004 3:06:36 pm
I-COOKIE=73E6688635F2303B,R-COOKIE=0471C48DCAACD5B2,MsgID=0,1stPL=KEY-PAYLOAD,state=-1948020096
10-25-2004 3:06:37 pm ***Receive Main Mode message from 204.251.203.94
10-25-2004 3:06:37 pm
I-COOKIE=73E6688635F2303B,R-COOKIE=0471C48DCAACD5B2,MsgID=0,1stPL=ID-PAYLOAD,state=-1948020084
10-25-2004 3:06:37 pm Recieved MM ID payload type 9 protocol 0 portnum 0
length 33
10-25-2004 3:06:37 pm Recieved notify message type 24578 from
204.251.203.94
10-25-2004 3:06:37 pm sending notify message type 51 to 204.251.203.94
10-25-2004 3:06:37 pm ***Send Unacknowledge Informational message to
204.251.203.94
10-25-2004 3:06:37 pm
I-COOKIE=73E6688635F2303B,R-COOKIE=0471C48DCAACD5B2,MsgID=5127565C,1stPL=HASH-PAYLOAD,state=-1948020036
10-25-2004 3:06:37 pm Failed to create IKE-SA - Peer's certificate date
is invalid , dst = 204.251.203.94
10-25-2004 3:06:40 pm IKE-SA 8C1C0000 is
Deleted,I-COOKIE=73E66886,R-COOKIE=0471C48D,dst=204.251.203.94
10-25-2004 3:06:40 pm State:2 Cond:4 TimerEvent:1
10-25-2004 3:06:40 pm lifetime :28800 sec Rekey Time :0 sec
10-25-2004 3:06:40 pm Created at :0 sec Remaining life time :-489461
sec Current time 518261
10-25-2004 3:06:40 pm The client 204.251.203.94 removed from vpninf
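
An added example, not part of the original post: a Python sketch that rejoins the wrapped IKE.log lines, extracts each failed IKE-SA with its stated reason and peer, and cross-checks the SA timer fields. Function names are hypothetical, the sample is an excerpt of the log above, and the relation remaining = created + lifetime - current is an assumption that the posted values happen to satisfy, not documented behaviour.

```python
import re

# Excerpt of the posted IKE.log, kept wrapped exactly as it appears above.
SAMPLE = """\
10-25-2004 3:06:36 pm Start IKE-SA 8C1C0000 -
Responder,src=206.40.97.42,dst=204.251.203.94,TotS A=1
10-25-2004 3:06:36 pm There is NAT in between server and client
10-25-2004 3:06:37 pm Failed to create IKE-SA - Peer's certificate date
is invalid , dst = 204.251.203.94
10-25-2004 3:06:40 pm lifetime :28800 sec Rekey Time :0 sec
10-25-2004 3:06:40 pm Created at :0 sec Remaining life time :-489461
sec Current time 518261
"""

TS = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{1,2}:\d{2}:\d{2} [ap]m)\s*(.*)$")
FAIL = re.compile(r"Failed to create IKE-SA - (.*?)\s*, dst = (\S+)")
LIFE = re.compile(r"lifetime :(\d+) sec")
TIMER = re.compile(r"Created at :(-?\d+) sec Remaining life time :(-?\d+) sec "
                   r"Current time (-?\d+)")

def records(text):
    """Rejoin wrapped lines: a new record starts only at a timestamp."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = TS.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif line and out:  # continuation of the previous record
            out[-1][1] = (out[-1][1] + " " + line).strip()
    return [tuple(r) for r in out]

def failures(text):
    """One entry per 'Failed to create IKE-SA' record."""
    hits = ((ts, FAIL.search(msg)) for ts, msg in records(text))
    return [{"time": ts, "reason": m.group(1), "peer": m.group(2)}
            for ts, m in hits if m]

def sa_timers(text):
    """Pair each timer record with the preceding lifetime and cross-check it."""
    lifetime, out = None, []
    for _, msg in records(text):
        m = LIFE.match(msg)
        if m:
            lifetime = int(m.group(1))
            continue
        m = TIMER.search(msg)
        if m and lifetime is not None:
            created, remaining, now = map(int, m.groups())
            out.append({"lifetime": lifetime, "created": created,
                        "remaining": remaining, "now": now,
                        "consistent": remaining == created + lifetime - now})
    return out
```

Run over a full IKE.log, `failures()` shows whether the same reason repeats for every peer after the first failure, and `sa_timers()` shows the timer values logged when each SA is deleted.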