I had a 3.8 c2s vpn that was working until a migration of another NW6.5
server running cert server to new hardware (the lease was up, what could I
do?). I've now reinstalled cert server and recreated server certificates
for every server in the tree. This is another server BTW, not my BM
server, but VPN stopped working the day the migration happened.

Now, when I try to load authgw.nlm on the BM server (nw5.1 SP6, BM3.8
SP3), I get NWPKIGetwrappedserverkey returned error code FFFFFB3DAUthGw:
failed to acquire the vpn security keys, which can't be good, and then
authgw doesn't load and users can't vpn.

If I go in and look at the VPN config in iManager 2 under NBM vpn server
config everything looks good, except the server certificate and trusted
root fields are blank. I can go out and grab the SSL CertificateIP for my
BM server, but I'm not so sure about the trusted root field and what
should go there?

Also, if I look at the vpn client to site configuration, the trusted root
field there is blank too...kind of like my thoughts on how to fix this.

I did find a tid on the error, and to answer the questions in there (even
though this must be a certificate thing, right?): the host file looks ok
(the private side IP address with the server name beside it on a line by
itself - not the vpntunnel address); in the config interface options,
public is set to public, private to private and vptunnel is private; BM38
SP3 is installed; and I did not recreate the filters, but they are all
still there in filtcfg (going by the list in TID 10098306), except my
filter for VPN-SKIP-st is just VPN-SKIP (source=all, destination=public,
packet: vpn-skip, protocol 57, stateful disabled, src address any and dest
ip address the public side of my firewall).