Hello all--

I am unable to get the Novell VPN client to complete the authentication
process. I set up the C2S VPN using Craig Johnson's (absolutely wonderful)
BorderManager 3.8 guidebook.

IP configuration for the server is as follows:
- Public Interface: DMZ IP address (outside of my control--only one address
available)
* 10.160.176.5/22 (BM network interface) ---static NAT via ISP
firewall--> 168.xxx.xxx.124 (outside world)
- Private Interface
* 10.10.8.1/22
- Tunnel Address
* 192.168.199.1/24
The workstation (currently) sits on a home network, behind a NAT-enabled
router (192.168.2.49 ---dynamic NAT--> 24.xxx.xxx.230)

When I attempt to connect, the client will connect to the BM server and
start IKE, then will sit flashing "Negotiating and authenticating" for
almost three minutes. At around 2:45 into the attempt, the client will bail
out with the following error message:
"An error was reported by the IKE application
Either %s is an invalid VPN server address or the IKE is not loaded on
the VPN server. For more details please look at IKE log."

I have tried the following steps; all have the same problem:
* Attempted connection with workstation connected to the 10.160.176.xxx
network (eliminates any of the NAT along the route as the culprit)
* Attempted connection from a different workstation
* Deleted & recreated the C2S service
* Deleted and manually recreated the TRO & Server Certificate (followed
the instructions in Craig's guide)
* Changed VPN server IP address to 168.xxx.xxx.124 (instead of
10.160.176.5)

None of the filters are currently active on the server, and I am not running
a personal firewall on the workstation. The BM server has a RW replica of
the (very simple) partition, and my login is in the same tree/OU as the BM
server & associated NDS entities.

I have included the IKE logs from both the client and the server below.
Though the timestamps are out of sync, they are from the same connection
attempt. I can see errors in both IKE logs, but I don't honestly know what
they mean, or how to fix them (Google & Novell KB searches do not turn up
anything)!

I'm completely stumped--if anyone has suggestions, I would really appreciate
them.

Thanks in advance!!
-- Clay
newsgroup [a_t] clayarcher.com

==========
IKE log From Client
==========

01-23-2005 01:34:02 AM Created thread for SendKeepAlivePacketProcess
01-23-2005 01:34:02 AM Start IPSEC SA 00956318 - Initiator****totSA=1
01-23-2005 01:34:02 AM src from IPsec
01-23-2005 01:34:02 AM 00000000 c0a80231
01-23-2005 01:34:02 AM dst from IPsec
01-23-2005 01:34:02 AM 00000000 a8d8ff7c
01-23-2005 01:34:02 AM Start IKE-SA 009595f0 -
Initiator,src=192.168.2.49,dst=168.xxx.xxx.124,Tot SA=1
01-23-2005 01:34:02 AM Negotiating for an NMAS user 168.xxx.xxx.124

01-23-2005 01:34:02 AM ***Send Main Mode message to 168.xxx.xxx.124
01-23-2005 01:34:02 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=17562372
01-23-2005 01:34:02 AM ***Receive Main Mode message from 168.xxx.xxx.124
01-23-2005 01:34:02 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=SA-PAYLOAD,state=16513748
01-23-2005 01:34:02 AM IKE SA NEGOTIATION: Peer lifetime = 28800 My
lifetime=28800
01-23-2005 01:34:02 AM ****DH private exponent size is 1016****
01-23-2005 01:34:02 AM Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-03 from 168.xxx.xxx.124

01-23-2005 01:34:02 AM ***Send Main Mode message to 168.xxx.xxx.124
01-23-2005 01:34:02 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=KEY-PAYLOAD,state=16513648
01-23-2005 01:34:06 AM ***Receive Main Mode message from 168.xxx.xxx.124
01-23-2005 01:34:06 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=SA-PAYLOAD,state=16513748
01-23-2005 01:34:06 AM Processed SA-PAYLOAD unsuccessful - Received the
message in the wrong state. Lost our reply, dst=168.xxx.xxx.124.

01-23-2005 01:34:06 AM ***Send Main Mode message to 168.xxx.xxx.124
01-23-2005 01:34:06 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=KEY-PAYLOAD,state=16513684
01-23-2005 01:34:06 AM Failed to create IKE-SA - Received the message in the
wrong state. Lost our reply , dst = 168.xxx.xxx.124
01-23-2005 01:34:07 AM Retransmit timer expired :Peer lost our reply
retransmit the old packet to 168.xxx.xxx.124

01-23-2005 01:34:07 AM ***Send Main Mode message to 168.xxx.xxx.124
01-23-2005 01:34:07 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=KEY-PAYLOAD,state=13368088
01-23-2005 01:34:13 AM ***Receive Main Mode message from 168.xxx.xxx.124
01-23-2005 01:34:13 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=SA-PAYLOAD,state=16513748
01-23-2005 01:34:13 AM Processed SA-PAYLOAD unsuccessful - Received the
message in the wrong state. Lost our reply, dst=168.xxx.xxx.124.

01-23-2005 01:34:13 AM ***Send Main Mode message to 168.xxx.xxx.124
01-23-2005 01:34:13 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=KEY-PAYLOAD,state=16513684
01-23-2005 01:34:13 AM Failed to create IKE-SA - Received the message in the
wrong state. Lost our reply , dst = 168.xxx.xxx.124
01-23-2005 01:34:14 AM Retransmit timer expired :Peer lost our reply
retransmit the old packet to 168.xxx.xxx.124

01-23-2005 01:34:14 AM ***Send Main Mode message to 168.xxx.xxx.124
01-23-2005 01:34:14 AM
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=KEY-PAYLOAD,state=13368088
01-23-2005 01:34:24 AM Retransmit timer expired :Peer lost our reply
retransmit the old packet to 168.xxx.xxx.124


==========
IKE log From BorderManager
==========

1-23-2005 1:36:45 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:36:45 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1913175476
1-23-2005 1:36:45 am Start IKE-SA 97517000 -
Responder,src=10.160.176.5,dst=24.xxx.xxx.230,TotSA=1
1-23-2005 1:36:45 am Negotiating for an NMAS user 24.xxx.xxx.230
1-23-2005 1:36:45 am IKE SA NEGOTIATION: Peer lifetime = 28800 My
lifetime=28800
1-23-2005 1:36:45 am ****DH private exponent size is 1016****
1-23-2005 1:36:45 am Local server's interfaces : 10.10.8.1
1-23-2005 1:36:45 am Local server's interfaces : 10.160.176.5
1-23-2005 1:36:45 am Recieved Supported Vendor id Novell Border Manager VPN
4.0 client - Protected Net from 24.xxx.xxx.230
1-23-2005 1:36:45 am Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-03 from 24.xxx.xxx.230
1-23-2005 1:36:45 am ***Send Main Mode message to 24.xxx.xxx.230
1-23-2005 1:36:45 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=FC5188C952F90CE1,MsgID=0,1stPL=SA-PAYLOAD,state=-1913175476

1-23-2005 1:36:49 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=0,1stPL=KEY-PAYLOAD,state=-1913175424
1-23-2005 1:36:49 am The first payload of the message #1 is not the SA
Payload!
1-23-2005 1:36:49 am sending notify message type: 4 to 24.xxx.xxx.230
1-23-2005 1:36:49 am ***Send Unacknowledge Informational message to
24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=FA11764A,1stPL=NOTIFY-PAYLOAD,state=-1913175312
1-23-2005 1:36:49 am Retransmit timer expired :Peer lost our reply
retransmit the old packet to 24.xxx.xxx.230
1-23-2005 1:36:49 am ***Send Main Mode message to 24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=FC5188C952F90CE1,MsgID=0,1stPL=SA-PAYLOAD,state=-1913175476

1-23-2005 1:36:49 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=0,1stPL=KEY-PAYLOAD,state=-1913175424
1-23-2005 1:36:49 am The first payload of the message #1 is not the SA
Payload!
1-23-2005 1:36:49 am sending notify message type: 4 to 24.xxx.xxx.230
1-23-2005 1:36:49 am ***Send Unacknowledge Informational message to
24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=46600713,1stPL=NOTIFY-PAYLOAD,state=-1913175312

1-23-2005 1:36:49 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=0,1stPL=KEY-PAYLOAD,state=-1913175424
1-23-2005 1:36:49 am The first payload of the message #1 is not the SA
Payload!
1-23-2005 1:36:49 am sending notify message type: 4 to 24.xxx.xxx.230
1-23-2005 1:36:49 am ***Send Unacknowledge Informational message to
24.xxx.xxx.230
1-23-2005 1:36:49 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=ED220D23,1stPL=NOTIFY-PAYLOAD,state=-1913175312
1-23-2005 1:36:56 am Retransmit timer expired :Peer lost our reply
retransmit the old packet to 24.xxx.xxx.230
1-23-2005 1:36:56 am ***Send Main Mode message to 24.xxx.xxx.230
1-23-2005 1:36:56 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=FC5188C952F90CE1,MsgID=0,1stPL=SA-PAYLOAD,state=-1913175476

1-23-2005 1:36:56 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:36:56 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=0,1stPL=KEY-PAYLOAD,state=-1913175424
1-23-2005 1:36:56 am The first payload of the message #1 is not the SA
Payload!
1-23-2005 1:36:56 am sending notify message type: 4 to 24.xxx.xxx.230
1-23-2005 1:36:56 am ***Send Unacknowledge Informational message to
24.xxx.xxx.230
1-23-2005 1:36:56 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=83911D85,1stPL=NOTIFY-PAYLOAD,state=-1913175312

1-23-2005 1:36:57 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:36:57 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=0,1stPL=KEY-PAYLOAD,state=-1913175424
1-23-2005 1:36:57 am The first payload of the message #1 is not the SA
Payload!
1-23-2005 1:36:57 am sending notify message type: 4 to 24.xxx.xxx.230
1-23-2005 1:36:57 am ***Send Unacknowledge Informational message to
24.xxx.xxx.230
1-23-2005 1:36:57 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=D3DB317A,1stPL=NOTIFY-PAYLOAD,state=-1913175312
1-23-2005 1:37:06 am Retransmit timer expired :Peer lost our reply
retransmit the old packet to 24.xxx.xxx.230
1-23-2005 1:37:06 am ***Send Main Mode message to 24.xxx.xxx.230
1-23-2005 1:37:06 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=FC5188C952F90CE1,MsgID=0,1stPL=SA-PAYLOAD,state=-1913175476

1-23-2005 1:37:07 am ***Receive Main Mode message from 24.xxx.xxx.230
1-23-2005 1:37:07 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=0,1stPL=KEY-PAYLOAD,state=-1913175424
1-23-2005 1:37:07 am The first payload of the message #1 is not the SA
Payload!
1-23-2005 1:37:07 am sending notify message type: 4 to 24.xxx.xxx.230
1-23-2005 1:37:07 am ***Send Unacknowledge Informational message to
24.xxx.xxx.230
1-23-2005 1:37:07 am
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=546F7391,1stPL=NOTIFY-PAYLOAD,state=-1913175312
1-23-2005 1:37:21 am Retransmit timer expired :Peer lost our reply
retransmit the old packet to 24.xxx.xxx.230
1-23-2005 1:37:21 am IKE-SA is deleted- packet retransmit exceeded the
limit, dst=24.xxx.xxx.230
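
----------
Added example (not part of the original post, and not Novell code): one way to correlate the two IKE logs above is to compare, per I-COOKIE, the R-COOKIE in the Main Mode messages the server logged as sent with the one the client logged as received. The function names are hypothetical, and the sample lines are abbreviated from the logs above with wrapped lines rejoined.

```python
import re

# A header line gives direction and exchange type; the cookie pair follows on a later line.
HDR = re.compile(r"\*\*\*(Send|Receive) (.+?) message")
COOKIES = re.compile(r"I-COOKIE=([0-9A-Fa-f]{16}),R-COOKIE=([0-9A-Fa-f]{16})")
ZERO = "0" * 16  # R-COOKIE is all zeros in the initiator's first message

def cookie_events(log_text):
    """Return (direction, i_cookie, r_cookie) for each logged Main Mode message."""
    events, direction = [], None
    for line in log_text.splitlines():
        hdr, pair = HDR.search(line), COOKIES.search(line)
        if hdr:
            # Only Main Mode messages are tracked; Informational ones are skipped.
            direction = hdr.group(1).lower() if hdr.group(2) == "Main Mode" else None
        elif pair:
            if direction:
                events.append((direction, pair.group(1).lower(), pair.group(2).lower()))
            direction = None
    return events

def r_cookies(log_text, direction):
    """Map I-COOKIE -> set of non-zero R-COOKIEs logged in the given direction."""
    seen = {}
    for d, i, r in cookie_events(log_text):
        if d == direction and r != ZERO:
            seen.setdefault(i, set()).add(r)
    return seen

def responder_cookie_mismatches(client_log, server_log):
    """I-COOKIEs whose R-COOKIE sent by the server differs from what the client received."""
    sent, got = r_cookies(server_log, "send"), r_cookies(client_log, "receive")
    return {i: (sorted(sent[i]), sorted(got[i]))
            for i in sent.keys() & got.keys() if sent[i] != got[i]}

# Sample lines abbreviated from the client and server logs above.
CLIENT = """01-23-2005 01:34:02 AM ***Receive Main Mode message from 168.xxx.xxx.124
I-COOKIE=d38dbf4223fd3bc1,R-COOKIE=108c88c952f90ce1,MsgID=0,1stPL=SA-PAYLOAD,state=16513748
"""
SERVER = """1-23-2005 1:36:45 am ***Send Main Mode message to 24.xxx.xxx.230
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=FC5188C952F90CE1,MsgID=0,1stPL=SA-PAYLOAD,state=-1913175476
1-23-2005 1:36:49 am ***Send Unacknowledge Informational message to 24.xxx.xxx.230
I-COOKIE=D38DBF4223FD3BC1,R-COOKIE=108C88C952F90CE1,MsgID=FA11764A,1stPL=NOTIFY-PAYLOAD,state=-1913175312
"""

if __name__ == "__main__":
    print(responder_cookie_mismatches(CLIENT, SERVER))
```

On these lines the check reports that, for I-COOKIE d38dbf4223fd3bc1, the server log shows R-COOKIE fc5188c952f90ce1 sent while the client log shows 108c88c952f90ce1 received.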