i've my own solution which is working not too bad but a bit annoying to
maintain -> read-only flag on sys:etc/gateways

and i know the purpose of a "protected network" in a VPN environment...
it's similar to the "interested packets" access-lists that we have in a
Pix for example

i've already posted an RFE in the past but i'm not sure that Novell's
developers are connected enough with the "ground" to take to this..

as far as i know, if you don't put any protected network in the NWAdmin
list, it's pushing an empty list to the remote BM servers and is
clearing anyway your remote sys/etc/gateways files, like if you would
remove all the protected network... so if you had static routes
corresponding to some subnets behind your BM servers, you bump your head
in the wall !

-> first RFE was to have a way to not clean the routing table but
leaving it untouched when the list is empty in NWAdmin

then the developers could understand that in a worldwide environment,
based on public internet lines, the good way is not necessarily the
shortest one... even in a full meshed network topology

sometimes it's interesting or necessary to bypass the point-to-point
link between 2 BM servers and to use a triangle for example... a
concrete situation is with some China's locations where it's a nightmare
to go directly through the "big proxy" managed by the government.. but
if you've a way to go through Hong Kong, by miracle you can have response
times divided by 2 or 3.. so with a BM server in HK, one in China, and
one in France for example, without flagging the routing table with a RO
attribute, you cannot do that with the NWAdmin interface

other possible situation is a direct link on the internet which is
down.. i suppose that the experience of some internet links being down
between country A and country B, when simultaneously A to C and B to C
is working, is not so rare.. how to deal with that and re-route the
traffic smoothly ? you can play with tcpcon of course but it would be
better to have a bit more possibilities with the NWAdmin interface...

of course it will not make the coffee also and some case of figures will
never be covered, but the 2 above ones are for me very basic.. and
actually a bit frustrating

a small "on/off" button would be marvelous..