After finishing install and configuration of a BM 3.8 server on a NW 6.5
box I think, that the following behaviour, which is not documented
elsewhere should be included in documentation.

If you are using Bordermanager VPN services, you absolutely have to
define filters using the "action: Deny Packets in Filter List" setting.
Even if you add for every interface two filters, which deny any traffic
to and from this interface you can autoload IKE.NLM and AUTHGW.NLM by
loading runvpn.nlm

If you are using the opposite setting "action: Allow Packets in Filter
List", you have to add a filter (unloading ipflt.nlm and ipflt31.nlm is
not sufficient), which allows any packets - thus disabling filtering -
before you load runvpn.nlm to allow IKE.NLM and AUTHGW.NLM to load.
After loading of runvpn.nlm (and autoloading of IKE.NLM and AUTHGW.NLM)
you can remove this "allow all" filter without any loss of
functionality. If you don't add an "allow all" traffic filter - even if
you allow any traffic to and from every interface this is not sufficient
- loading runvpn.nlm will not autoload IKE.NLM and AUTHGW.NLM, which
means besides of the non-functioning of VPN services, that you are
absolutely unable to down the server gracefully.

I have tested this on a server, which has several restrictions between
his 4 private interfaces - and which therefore originally had the deny
all policy as the starting point.

W. Prindl

W. Prindl