(sorry if this should be duplicate: I cannot 'see' my 1st 2 tries...)

after doing a reconfiguration of one site, a BM3.8sp4 + _IR5 server is now behind
a nokia firewall doing NAT and filtering.

the pubIP of the BM was moved to the Nokia, the BM now has a changed IP in a
192.168.254 net.

Site-2-Site is fine.

Client-2-Site with NMAS is fine as well.

Some Windows 98 WS using SKIP (backwards compatibility) *CAN* connect to the BM,
but cannot ping any machine as they were used to do without any trouble before.

The tech that admins this nokia FW looked at the firewall monitoring and is
promising by heart, that not a single packet is dropped from/to the C2S-client's
IP address. He tells, that he cannot see a single SKIP packet (IP protocol 57)

On the BM I activated logging for the deny filters and I can see, that not any
packets are dropped there as well.

Captureing the thraffic of the BM (pktscan) shows, that there *ARE* quite a lot
of packets traveling both directions. I never had trouble with old style (SKIP)
auth, so this is the very first time I was looking for SKIP packets:
Also this CAP file does *NOT* show any SKIP packets (IP Protocol 57), just
TCP:353 Packets begining with "SKIP...": Is that a SKIP packet? Up to now I was
thinking, that SKIP is a separate protocol like TCP, UDP, ICMP-ECHO, ..., not an
TCP:353 starting with the data load "SKIP"??

Well, on friday I was not able to get the information displayed at the C2S side
for the "policies" of the client to see, *IF* there are the required networks
encrypted. Shouldn't these be the same for both, NMAS and SKIP auth anyways?

Also I wasn't able yet to investigate the exact version of the VPN client in use
on these may be 20 remaining Windows 98 SE PC's. (Friday afternoon, and weekend

If the thraffic itself should be of any "help to help", I try to add as plain
text reply to this posting.

Thanks for any suggestions!

Regards, Rudi.