Hello,

    Here is the setup that I currently have, and the problems I'm experiencing. 
    I have one NW 6.5 SP2 file sever, BM 3.8 patched up to BM38FP3B, the SECUDP6A security update for E-Directory, and NMSRV235 NMAS update to E-Directory as per the Current patch list on Craig's web site. Here are some of the things that I have seen on the server "IKE" screen

OPEN DIRECTORY SYS:/ETC/IKE/ROOTCERT/ERROR,ERRNO:1

That is the first message that shows up when I start the C2S service after configuring it through iManager.I have downloaded the new VPN client from the support site, and installed it on to a windows XP client. Here are the settings that I used to connect

Configuration -NMAS , and enable login are checked
VPN- Sever address (My Public Number), Sequence is set to NDS(when connecting from the outside world)
E-Directory- Username (admin), Password ,context (test), Netware Server(the name of the server)

    On the IKE screen when I attempt to connect I do see activity telling me that it must be trying to connect. I do get my tunnel address (172.31.254.1)(on the client vpn screen), and after about two minutes, it does the following

Authenticated Netware User (checked)
Enabled Ip Encryption (checked)
Sucessfully Authenticated User (checked)
Performing Netware Login , and this is when I receive the error 

"VPN Login, the Netware login attempt failed the user is not logged into Netware", "OK", then it seems to be connected to the VPN, but I'm not able to login to the server at all. I have the Traffic rules set to allow Admin to all, under the Authentication Rules i have selected Allow NMAS authentication, and the grade is set to Logged.LDAP configuration is set to the server private IP address, port 389, and trusted root is filled in with the one created by iManager. Nothing set under DNS/SLP configuration. 
    I have used this same configuration on NW 6 SP5, with BM 3.8 and it did work other then not being able to get to the BM server, while being able to get to the other servers in the tree. Just windering what has changed on NW 6.5, and how I can get this to work with limited down time on the server? Thank you for any help that you can offer.

DS
 

1. Can you ping the private IP address of the server over the VPN? 

2. Assuming you can ping the server, try not logging in with the VPN 
client, but instead using Client32 after a VPN attachment, and pointing 
to the server's IP address instead of name.  Does that work?

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

When I ping the server after connecting VPN(not logged in yet), I get random connection errors. The first time that I ping I get a good response.However when I try it again it gives my request time out. Then pinging again it will connect then drop, like I say very random.  When your saying point to the server IP address instead of the name, do you mean the private(internal)number, or the Public IP address? Also I did apply the patch BM service pack 3 to the server, and it is still not working any better. Thank you for your help in this matter.

DS

In article <lx6ld.804$T85.762@prv-forum2.provo.novell.com>, Ds wrote:
> Then pinging again it will connect then drop, like I say very random.  When your saying point to 
the server IP address instead of the name, do you mean the private(internal)number, or the Public 
IP address?
>
I mean the private IP address.

It sounds like you are seeing the bug where you cannot contact the server's own private address via 
C2S VPN.  This is due to a NAT issue.  (Test - disable NAT on the server, and you probably will 
start pinging the private side reliably).

B1BM38SP3 does not have the fix for this, but the next release of that patch may.

A workaround is to go to the NAT config, make it static and dynamic, and static NAT the private IP 
address to itself.  I've seen it work on 3.8, and I've seen it not work.  One of my clients did not 
have it working until he backrevved NAT.  B1BM38SP3 has a new NAT in it, and perhaps that will at 
least allow the workaround.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

Okay, I made the changes to the NAT as suggested and here are some of the things that happend.

First, I was able to Ping the private IP address, on a consistent basis.
Second, I was able to connect to all the volumes on the server, however it was still a little buggy in the fact that I would loose my connections randomly. 
Three, still had some issues with logging into the Server, however once I changed from logging in with the VPN client, and starting using Netware client this stopped happening.
  
    I do have several more questions If you have a moment to answer them.

Will the effect of disabling NAT have an effect on web sites that are using reverse proxy, such as GroupWise webaccess, or web sites? How will this effect internal web sites for people?

All internal users would need to have their proxy settings configured inside of their web browsers to still access the Internet , correct?

Again thank you for all your help in this matter, it has made it much easier to understand what is happening. I'm going to re-build my Setup once more and patch the server according to your web site information, and try this again. I will let you know how that turns out.

DS

In article <D1Kmd.4295$T85.3129@prv-forum2.provo.novell.com>, Ds wrote:
> Will the effect of disabling NAT have an effect on web sites that are using reverse proxy, such 
as GroupWise webaccess, or web sites? How will this effect internal web sites for people?

No effect on any proxy traffic.  That is not your concern - it is the non-proxy traffic going out 
via filter exceptions that will fail to work.
> 
> All internal users would need to have their proxy settings configured inside of their web 
browsers to still access the Internet , correct?

Correct.
> 
> Again thank you for all your help in this matter, it has made it much easier to understand what 
is happening. I'm going to re-build my Setup once more and patch the server according to your web 
site information, and try this again. I will let you know how that turns out.
> 
The NAT disable was a test, to confirm this is a NAT bug.  Living without NAT on the server is 
usually not an option, at least not for my clients.  There are too many things needed to be 
allowed out via dynamic NAT for me to be able to simply disable NAT.

What is needed now is a workaround, until Novell fixes this issue.  (Supposed to be a fix in the 
next BM 3.8 patch).  I have heard that backrevving NAT, coupled with the 
static-nat-the-private-ip-address-to-itself trick, works.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

Craig,

    I understand what your saying, I will set it back to what it was Dynamic only.
    What version of the Nat should I be running? My current setup is NW 6.5 sp2 sbs, and with bm 3.8 sp2. My current version of NAT is 7.00.07. Would (or should) I update BM to the latest support pack(b1bm38sp3)? Or should I hold off on that for the time being? 
    For the Static-nat-to-private-IP-address-to-itself-trick, how exactly is that done?
    I know that I need to go into INETCFG, bindings, to the setting for DYNAMIC(current setting), and switch that to STATIC/DYNMAIC. In the Public IP address field  I put the private ip address, correct?Then in the next private ip address field I also put the private number as well, correct?I know that there is going to be an error, I just go past that accepting the error, then resetting. Is that the correct method? Are there any other changes that I would need to do as well?

DS

In article <KgPmd.4764$T85.1053@prv-forum2.provo.novell.com>, Ds wrote:
> I understand what your saying, I will set it back to what it was Dynamic only.

Set it to Static and Dynamic.

>     What version of the Nat should I be running?

You can try the one in B1BM38SP3, or the one from the previous NetWare support pack.

>Would (or should) I update BM to the latest support pack(b1bm38sp3)? Or should I hold off on that 
>for the time being? 

Won't hurt to try it.

>     For the Static-nat-to-private-IP-address-to-itself-trick, how exactly is that done?

In the static NAT table, add the private IP address as both public and private, when you set NAT to 
static and dynamic.  (I show this in an example in my BMgr 3.x book).

>     I know that I need to go into INETCFG, bindings, to the setting for DYNAMIC(current setting), 
and switch that to STATIC/DYNMAIC. In the Public IP address field  I put the private ip address, 
correct?Then in the next private ip address field I also put the private number as well, correct?

Yes.

>I know that there is going to be an error, 

Ignore it.

If you want to swap NAT versions, disable NAT so that it unloads when you reinitialize system, copy 
in another NAT, then re-enable NAT and reinit.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***