Hi,

I'm trying to set up an S2S VPN circuit between BM38 server(s) and an
"inherited" Zywall 100 (www.zyxel.com) which is waiting for its replacement
by another BM38 machine.

First, everything is patched (bmfp3b, tcpip657ha, nw65sp2, etc.), a
configuration that I think is up to date and working.

I built a first limited configuration and, after a few adjustments of
pfs, the exp_size of the pss and the dh groups, I had the tunnel working...

network protected by the Zywall is 10.128.238.0 / 24
VPN ip associated is 192.168.128.12 /24
public is for example 212.234.xxx.yyy /26

network protected by the BM38 is 10.128.144.0 / 24
VPN ip associated is 192.168.128.2 /24
public is for example 194.206.xxx.yyy /26

But I have more networks protected by the BM38 server. So I changed the
settings in both devices to protect 10.128.0.0 / 16 on the BM38 side, to
see... even if I think that it's not logical, because doing that I say
that 10.128.238.0 is protected by BM38 but also remote.

I found it funny to see everything start to work fine; the routing was
even OK: 10.128.136.0 / 24, protected by the BM38, was able to ping
something on 10.128.238.0 / 24 protected by the Zywall. But suddenly there
was a deletion of the SA, after an incoming call from the Zywall, and from
the IKE phase 2 negotiation for a new SA on, hundreds of abends... It
doesn't break the other VPN circuits (I have about 10 other sites connected
with SKIP or IKE), but the server becomes so busy dealing with the abends
that everything is virtually dead. A part of the abend.log is at the end.

1/ I know that there are not too many details, but it's a start. So, is
there any known problem with this kind of configuration? Any experiences
with a poor Zywall 100? At least if it doesn't work and makes a routing
loop, it should not abend.

2/ When a third-party device becomes a member of the VPN, how does one
build or simulate the meshed network? Is the tunnel restricted to between
the master and the third-party device? And in this case, does any packet
for 10.128.238.0 /24 have to be routed through 192.168.128.2 (the master)?
Or will the other members learn, through iManager and eDirectory, that
212.234.xxx.yyy is associated with 192.168.128.12 (I know that it's
"virtual" for the third party)? Then will a packet sent to 10.128.238.0
be routed through 212.234.xxx.yyy, and will an IKE negotiation start
automatically in order to build the tunnel directly between the other
members and the third-party device?

3/ The Zywall is also a bit limited... For one circuit, it knows only
one range or one subnet as the remote protected network. And it seems
that it's not able to understand that a remote router (10.128.144.1 for
example) is the way to reach some other remote networks. It's just
happy with 10.128.0.0 or with 10.128.144.0... So if I cannot deal with
10.128.0.0 (and it's logical that I can't), I have to build a circuit in
the Zywall for each protected remote network. I've seen a post in the
Cool Solutions about that, but it says nothing clear.

-> Question: will BM38 be able to deal with a remote third-party device
(only one public IP address) several times? I mean simulating several
members all using the same remote public address, each time with only one
network protected by BM38?

-> For the moment it seems even difficult to come back to the original
state with only 10.128.144.0 declared as protected by BM38: the same
abends as soon as I activate the tunnel (I can switch it on/off on the
Zywall side, fortunately). I think that I'll have to delete the
third-party member and test again from scratch.

-> Is it a dream to have, one day, a bit more information about the logic
used by the project managers and the developers of BorderManager? Since
there is not much documentation for complicated environments, it's a
waste of time to try, test and imagine what they had in their heads...

--------------------------------------------------------------------
The nice abend anyway... there are about 300 similar ones following, and
it's easily reproducible.

Server WARFRFW2 halted Wednesday, 15 December 2004 14:58:47,135
Abend 1 on P00: Server-5.70.02: Page Fault Processor Exception (Error
code 00000000)

Registers:
CS = 0060 DS = 007B ES = 007B FS = 007B GS = 007B SS = 0068
EAX = 6F6E2064 EBX = 80188C24 ECX = 6F6E2064 EDX = 37DC65C7
ESI = 00000010 EDI = 87D37B7C EBP = 00000000 ESP = 87D37B44
EIP = 002CE2AC FLAGS = 00210092
002CE2AC 8A10 MOV DL, [EAX]=?
EIP in SERVER.NLM at code start +000CBF4Ch
Access Location: 0x6F6E2064

The violation occurred while processing the following instruction:
002CE2AC 8A10 MOV DL, [EAX]
002CE2AE 89442420 MOV [ESP+20], EAX
002CE2B2 80FA4C CMP DL, 4C
002CE2B5 7431 JZ 002CE2E8
002CE2B7 8B2C24 MOV EBP, [ESP]
002CE2BA 8B442418 MOV EAX, [ESP+18]
002CE2BE 8A00 MOV AL, [EAX]
002CE2C0 84C0 TEST AL, AL
002CE2C2 0F8416010000 JZ 002CE3DE
002CE2C8 8B7C2418 MOV EDI, [ESP+18]



Running process: Server 00:24 Process
Thread Owned by NLM: SERVER.NLM
Stack pointer: 87D37F80
OS Stack limit: 87D30040
Scheduling priority: 67371008
Wait state: 50500F0 Waiting for work
Stack: --87D37B54 ?
--87D37DD8 ?
84CE322D (NETLIB.NLM|NWinet_ntoa+55)
--87D37DD8 ?
--87D37B80 ?
--87D37B90 ?
--6F6E2064 ?
--87D37B5C ?
--000000C2 ?
--00000000 ?
--00000254 ?
--80188C24 ?
85331319 (TCPIP.NLM|SkipDeregister+FA21)
--87D37B90 ?
--6F6E2064 ?
--37DC65C7 ?
--87D37E0C ?
--87D37DD8 ?
--0000000A ?
--00000000 ?
002EECFB (SERVER.NLM|GetCurrentClock+18F)
002EED09 (SERVER.NLM|GetCurrentClock+19D)
--84CF6640 ?
--8026BBB4 ?
--00000282 ?
--0000491F ?
--00000000 ?
--00000282 ?
--00000607 ?
--229C0911 ?
--9EAFF601 ?
--00000016 ?
--00B02BA2 ?
--00000000 ?
--86F3E3DC ?
--86F7B2D0 ?
--87D37BFC ?
86E709E8 (CE1000.LAN|(Code Start)+F9E8)
--86F3E3DC ?
--0063E308 ?
--86F7B2D0 ?
--000000F2 ?
--8026BA9C ?
--8026BA9C ?
--87D37CA0 ?
--87D37C1C ?
87B631BE (IPFLT31.NLM|IPFDeRegisterFilters+B62)
--87D37C1C ?
--87D37CE0 ?
--87D37CA0 ?
87B63CF4 (IPFLT31.NLM|IPFDeRegisterFilters+1698)
--87D37CE0 ?
--8F5A20A4 ?
--00000035 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000054 ?
--00000000 ?
--00000054 ?
--00000000 ?
--00000002 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000032 ?
--00000000 ?
--00000000 ?
--00000000 ?
87B65050 (IPFLT31.NLM|IPFDeRegisterFilters+29F4)
--87AAE0A0 ?
--87AAC340 ?
--87AAE0A0 ?
--87D37CBC ?
--0000010B ?
87B62CE2 (IPFLT31.NLM|IPFDeRegisterFilters+686)
--87D37CBC ?
--87AAC340 ?
--87D37CA0 ?
--00000001 ?
--00000285 ?
--87AA8BA0 ?
--00000000 ?
--00000032 ?
--0000010B ?
87B718DC (IPFLT31.NLM|IPFDestroyOnDemandFilters+178)
--87D37CBC ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?

Additional Information:
The CPU encountered a problem executing code in SERVER.NLM. The
problem may be in that module or in data passed to that module by a
process owned by SERVER.NLM.
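Added worked example, not part of the original post and not BorderManager
or ZyWALL code: the configuration the poster describes declares
10.128.0.0/16 as protected by BM38 while 10.128.238.0/24 is protected by
the Zywall, so the same destination matches both the local and the remote
protected-network selector. The script below checks a pair of selector
lists for exactly that overlap, and then carves the remote range out of the
wide local range to produce the list of per-subnet circuits a peer that only
accepts one subnet per circuit would need. The addresses are the ones
quoted in the post; the function names are my own, and the script uses only
Python's standard ipaddress module.

```python
"""Overlap check for IPsec protected-network selectors, plus a planner
that splits a wide local range around the peer's range.

Added example, not from the original post, BorderManager or ZyWALL.
Addresses are the ones quoted in the post; function names are mine.
"""
from ipaddress import ip_network


def find_conflicts(local_nets, remote_nets):
    """Return (local, remote) pairs whose prefixes overlap.

    A packet whose destination matches both "protected by me" and
    "protected by the peer" can be sent into the tunnel and handed
    straight back to the side it came from: the routing loop the post
    worries about.  An empty list means the selectors are disjoint.
    """
    local = [ip_network(n, strict=False) for n in local_nets]
    remote = [ip_network(n, strict=False) for n in remote_nets]
    return [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]


def plan_circuits(local_nets, remote_nets):
    """Local subnets to declare after removing every remote range.

    Each returned subnet is one circuit for a peer that accepts a
    single remote subnet per circuit.  Sorted by network address.
    """
    remaining = [ip_network(n, strict=False) for n in local_nets]
    for r in (ip_network(n, strict=False) for n in remote_nets):
        nxt = []
        for l in remaining:
            if not l.overlaps(r):
                nxt.append(l)            # untouched by this remote range
            elif l.subnet_of(r):
                continue                 # entirely the peer's: drop it
            else:
                nxt.extend(l.address_exclude(r))  # carve the hole out
        remaining = nxt
    return [str(n) for n in sorted(remaining, key=lambda n: n.network_address)]


if __name__ == "__main__":
    remote = ["10.128.238.0/24"]            # protected by the Zywall
    for local in (["10.128.144.0/24"], ["10.128.0.0/16"]):
        conflicts = find_conflicts(local, remote)
        print(local, "vs", remote, "->", conflicts or "no overlap")
    print("circuits needed for 10.128.0.0/16 minus the Zywall range:")
    for net in plan_circuits(["10.128.0.0/16"], remote):
        print("  ", net)
```

With the original one-subnet configuration (10.128.144.0/24 against
10.128.238.0/24) the check reports no overlap; with 10.128.0.0/16 it flags
the /16 against the /24, and the planner returns eight disjoint subnets
(a /17, /18, /19, /20, /21, /22, /23 and /24) that together cover the /16
except 10.128.238.0/24. Those eight would be the per-circuit remote
networks on the Zywall side if every network behind BM38 had to be reached.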