A user with a Mac needs to access our VPN. The Novell Site
recommended VPN Tracker. I bought the product and installed it on the
Mac. I downloaded the instructions from the equinux web site for
BorderManager 3.8 and followed them with the understanding that the CA
had already been created and was working well. The VPN Tracker would
not log in.

I opened a ticket with equinux and their answer was that our VPN rules
are complex and that the authentication rules may be conflicting with
each other. My VPN rules are straight out of Craig's book and they
work perfectly well for all our Windows Clients.

General: Trusted Root is TRC-Gondor.border.osu
Address Pool is

Our Traffic rule for the Everyone group is:
User: Everyone group
Services: Any Protocol
Action: Encrypt
Encryption: 3DES
Authentication: HMAC-MD5

NMASAllow Authentication Rule
Define user: Everyone group
Authentication Condition: Allow NMAS Authentication checked.
Minimum allowed authentication grade - Logged.
Allow/Deny Action: Allow

I created a separate Authentication Rule for the VPN Tracker to use:
Define User: Everyone Group
Authentication Condition: Allow Certificate Authentication checked
Trust Server CA checked
Issuer List, MasterTRO.TRC.Gondor.Border.osu
Allow/Deny Action: Allow

The administrator created a user certificate,
signed it with the MasterTRO and returned it to the user's Mac on a
flash drive. The Mac user imported the certificate and it was
accepted by the program.

Here is the message we get in the BM log when the Mac tries to log
into VPN.

"Failed to create IKE SA - Received the message in the wrong state.
Lost our reply cookies my-his : E0EB371047A045D3-CAC36D5FD1EE502C dst: src:"
(The first IP is Roadrunner. The second IP is our public IP but has
been changed for security reasons)

I understand that this may not be a BorderManager issue, but if
anyone has set up VPN Tracker on a Mac, any words of wisdom would be

Mark Rodgers