I had a perfectly working S2S on BM3.8 sp3ir2.
Then I had to take down the master, due to an IP change in the public
IP address.

I deleted the all VPN members in turn from iManger's Site to Site
Configuration on the master. I then deleted the S2S servers on the
iManager on the slaves and the master.
I then recreated the S2S VPN. Well, this did'nt do the trick, so I did
the above rutine once more, and then deleted all the SYS:\SYSTEM\VPN
catalogs on all three VPN servers,.

But I still can't get one of the slaves to make the tunnel, the other
one is connecting fine. On top of that, the Master server is still
trying to connect to it's own old IP address during STARTVPN as if it
was a member.

How do I make a _complete_ clean-out of the old VPN information?

The master showns this in Inetcfg's WAN Call Directory:
VPTUNNEL@192-XX-103-226 IP Relay VPTUNNEL
VPTUNNEL@192-XX-105-3 IP Relay VPTUNNEL
VPTUNNEL@192-XX-105-5 IP Relay VPTUNNEL
The new IP address of the Master server is 192.xxx.103.194, the old
one was 192.xxx.105.3. Slave1 = 192.xxx.103.226. Slave2 =
192.xxx.105.5.
Slave 2 is the one not working. I have Perfect Forward Secrecy
enabled on all servers.


Slave 2 errors in CSAudit:

PFS NOT ENABLED - DELETING ALL IPSEC SA
-
Failed to create IKE SA - ACL Check Failed cookies my-his :
81F4EAE587F9A4D3-579FE0D1BF56F774 dst: 192.xxx.103.226 src:
192.xxx.105.5
-
VPN ACLCheck could not find a match in configured Authentication Rule
List.
-
VPN ACLCheck - No Match in Client Auth List.
-
VPN ACLCheck - No Match found in Member List
-
VPN ACLCheck - No Match found in Trusted Master List.
-