We've had BM3.0/NW5.0 through BM3.7/NW6.0 Site-to-Site VPN working for
years. We added two new slave servers last year but they don't talk
right. They were Netware 6.5 with BorderManager 3.8.

Problem relates to IP routing. VPN comes up and IPX flows fine; Display
Servers *tree* shows all the trees from all the servers, on all servers.
But the new slave servers can only ping back to the Master server's
subnet. Prior Slaves work full-mesh (e.g. BM3.7 server at can
ping BM3.6 server at, and yes the VPN is defined full-mesh.

I've looked at Protected Networks on each server and they look OK. Also I
recently read a document about how HOSTS is not supposed to contain FQDN
and External addresses (a condition I had on some of the servers, both
working and non-working ones) and about the servers Not using RIP in
INETCFG. All my servers say Yes use RIP in INETCFG but I've tried the new
servers with Yes and No there. In VPN configuration screen, I enable IPX
and IP, and Enable RIP is turned Off there. Tunnel network is
through mask Class B.

On some of the servers (including one that worked fine pinging the pre-
BM3.8 servers) I found the wrong Tunnel Address for Gateway to protected
network on one of the older servers (i.e. static route for my
subnet said not, again even though it's working good
and seen fine from all other pre-BM3.8 servers. I've brushed up all the
static routes so they look right, but new BM3.8 slave servers still cannot
route IP right.

Also the two new servers always stick at Being Configured while the older
Slave servers and BM3.6 Master server all say Up To Date.

I know lots of VPN technology changed from BM3.7 to 3.8. But since the
servers do join in the VPN, and IPX flows fine, I figure it's some kind of
routing problem that could be overcome.

This has been a problem for over a year for us, so I'm not burning to fix
it, but it has recently come up again as an irritant, so I'd like to
resolve it if I could.

Thanks for any help.

- Charles Paskewitz