I find that there is too much information not clearly explained in the
doc.. so I'm sharing my experiences.. If I'm wrong, please correct me..

Using a mixed IKE (new or BM37 upgraded) and SKIP (BM37 not yet
upgraded) based S2S network

1/ Have not been able to get SKIP alone running.. A lot of people
already know that this messy SCMAGENT (and the Java programs behind it..)
relies on the objects/attributes created with iManager.. So even if you
build your BM38 with SKIP, it's just waiting for you to declare it as a
master or a slave with iManager to have a chance to start... (Not

2/ Also take care when deleting the iManager-based configuration.. You
could think that if you're running SKIP (configured with NWAdmin) there
is no impact.. There is !! For example, if you delete your master in
iManager, it will immediately clean the SKIP config.. No warning,
nice if you have a wide area network (take care to have a backdoor, FTP
and Telnet, on your remote servers to rebuild everything).. (Not documented)

3/ Once you have all your servers configured, the BM38 with iManager +
SKIP to discuss with those only with SKIP, you have to play with the
protected hosts and networks..

It would be logical that the routes for the networks declared protected
by iManager are pushed to IKE servers only, and the routes for the
networks declared protected with NWAdmin are pushed only to SKIP ONLY
(<= BM37) servers.. Very clear, easy to manage...

Too simple... If you use that, you'll have a very nice mess in your
etc/gateways file.. double entries, some go away, etc... And I suspect
VPMASTER, VPSLAVE, SCMLIB and SCMAGENT do not like the joke AT ALL..
(not documented)

So for my part, still having both systems, I've decided to use only
NWAdmin until every server is moved to BM38.. Plus some manually entered
static routes, it seems to be stable..

4/ By the way, even if you don't tick the RIP box, all the routes seem
to be pushed.. (not documented ?)

5/ Already spoke about that (I think I'm going to make an official
RFE..) but why not let the administrator decide what he wants to
push and where ?? I suspect the algorithm used to manipulate the
etc/gateways file is a bit buggy.. Between the routes pushed by
NWAdmin, those pushed by iManager, and manual static routes, the poor
software goes mad !

6/ Still have to test the possibility of pushing to the other sites the
route to protect the client address (address pushed by the C2S object).
Then you can easily build a fully meshed network including not only the
S2S links but also the connected clients.. With a few additional routes
in some internal devices, it's a nice solution.

So I insist on this product, but it would be nice to make the system a
bit more reliable... Production environments (and the users) don't
like abends or fantasies at all.