Fully appreciating what you say about "Just use the Novell Client", these vendor support people won't, and I can't order them to. So either I get this Cisco client working with the BM38 Server, or I'm liable to end up buying a Cisco VPN server to support them. And, wasn't IKE-interoperability a selling point? I have the Novell client working with certificate authentication.
But the Cisco client gets this error in the VPN Audit Log (I've seen this same error reported in another post):
Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : unsupported encryption algorithm 7
That's followed by address info. The Cisco client then quits its attempt, and says something like "the remote peer has stopped communicating."
Sniffer trace says the client machine sends 2 UDP packets, then client and server exchange ISAKMP - Identity Protection (Main Mode) packets twice, the client retries those UDP and then ISAKMP packets, but the only other response from the server is a single ISAKMP - Informational packet; then the client gives up.
I figure in the exchange of ISAKMP the server finds the Protocol mismatch it reports in the Audit Log; then says something about it in the ISAKMP - Informational packet. Looks like to communicate one of them will have to adopt or translate the other's Phase 1 Encryption Algorithm. But what's that, is it configurable on either side?
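Added example, not part of the original post: in the IKEv1 Phase 1 attribute registry, encryption algorithm 7 is AES-CBC (RFC 3602) and 5 is 3DES-CBC (RFC 2409). The sketch below parses the transforms in one ISAKMP Proposal payload, as copied from a sniffer trace, and flags which ones a 3DES-only responder could accept. The SAMPLE bytes are constructed for illustration and are not the poster's capture; the function names and the supported set {5} are assumptions.

```python
import struct
# IKEv1 Phase 1 encryption algorithm IDs (RFC 2409 appendix A; 7 from RFC 3602).
ENC = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
       5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}
ATTR_ENC, ATTR_KEYLEN = 1, 14  # Phase 1 attribute types (RFC 2409)

def parse_attrs(buf):
    """Decode ISAKMP data attributes: TV form when the AF bit is set, else TLV."""
    attrs, i = {}, 0
    while i + 4 <= len(buf):
        t, v = struct.unpack_from(">HH", buf, i)
        i += 4
        if t & 0x8000:                      # AF=1: v is the value itself
            attrs[t & 0x7FFF] = v
        else:                               # AF=0: v is the length of the value
            attrs[t] = int.from_bytes(buf[i:i + v], "big")
            i += v
    return attrs

def parse_transforms(proposal):
    """Return [(transform number, attrs)] from one ISAKMP Proposal payload."""
    if len(proposal) < 8:
        raise ValueError("truncated proposal header")
    spi_size, count = proposal[6], proposal[7]
    off, out = 8 + spi_size, []
    for _ in range(count):
        tlen = int.from_bytes(proposal[off + 2:off + 4], "big")
        if tlen < 8 or off + tlen > len(proposal):
            raise ValueError("bad or truncated transform")
        out.append((proposal[off + 4], parse_attrs(proposal[off + 8:off + tlen])))
        off += tlen
    return out

def check(proposal, supported):
    """Report (transform number, cipher name, acceptable to the responder?)."""
    report = []
    for num, a in parse_transforms(proposal):
        enc = a.get(ATTR_ENC)
        name = ENC.get(enc, f"unknown({enc})")
        if ATTR_KEYLEN in a:
            name += f"-{a[ATTR_KEYLEN]}"
        report.append((num, name, enc in supported))
    return report

# Constructed Proposal payload: transform 1 = AES-CBC-256/SHA, transform 2 = 3DES-CBC/SHA.
SAMPLE = bytes.fromhex(
    "0000002c01010002"
    "030000140101000080010007800e010080020002"
    "00000010020100008001000580020002")
```

Calling check(SAMPLE, {5}) lists each offered transform with a flag showing whether its cipher is in the responder's supported set.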