NW 6.5 and BM 3.8 C2S VPN

Hello,

    Here is the setup that I currently have, and the problems I'm experiencing.
    I have one NW 6.5 SP2 file server, BM 3.8 patched up to BM38FP3B, the SECUDP6A security update for E-Directory, and NMSRV235 NMAS update to E-Directory as per the current patch list on Craig's web site. Here are some of the things that I have seen on the server "IKE" screen:

OPEN DIRECTORY SYS:/ETC/IKE/ROOTCERT/ERROR,ERRNO:1

That is the first message that shows up when I start the C2S service after configuring it through iManager. I have downloaded the new VPN client from the support site, and installed it on a Windows XP client. Here are the settings that I used to connect:

Configuration - NMAS, and enable login are checked
VPN - Server address (My Public Number), Sequence is set to NDS (when connecting from the outside world)
E-Directory - Username (admin), Password, context (test), Netware Server (the name of the server)

    On the IKE screen when I attempt to connect I do see activity telling me that it must be trying to connect. I do get my tunnel address (172.31.254.1)(on the client vpn screen), and after about two minutes, it does the following

Authenticated Netware User (checked)
Enabled Ip Encryption (checked)
Sucessfully Authenticated User (checked)
Performing Netware Login, and this is when I receive the error

"VPN Login, the Netware login attempt failed the user is not logged into Netware", "OK", then it seems to be connected to the VPN, but I'm not able to login to the server at all. I have the Traffic rules set to allow Admin to all, under the Authentication Rules I have selected Allow NMAS authentication, and the grade is set to Logged. LDAP configuration is set to the server private IP address, port 389, and trusted root is filled in with the one created by iManager. Nothing set under DNS/SLP configuration.
    I have used this same configuration on NW 6 SP5, with BM 3.8 and it did work other than not being able to get to the BM server, while being able to get to the other servers in the tree. Just wondering what has changed on NW 6.5, and how I can get this to work with limited down time on the server? Thank you for any help that you can offer.

DS
 
0
ds
11/10/2004 4:07:41 PM
novell.bordermanager.vpn

1. Can you ping the private IP address of the server over the VPN? 

2. Assuming you can ping the server, try not logging in with the VPN 
client, but instead using Client32 after a VPN attachment, and pointing 
to the server's IP address instead of name.  Does that work?

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

0
Craig
11/11/2004 4:08:54 AM
When I ping the server after connecting VPN (not logged in yet), I get random connection errors. The first time that I ping I get a good response. However, when I try it again it gives me a request time out. Then pinging again it will connect then drop, like I say very random. When you're saying point to the server IP address instead of the name, do you mean the private (internal) number, or the Public IP address? Also I did apply the patch BM service pack 3 to the server, and it is still not working any better. Thank you for your help in this matter.

DS
0
ds
11/12/2004 5:37:21 PM
In article <lx6ld.804$T85.762@prv-forum2.provo.novell.com>, Ds wrote:
> Then pinging again it will connect then drop, like I say very random.  When your saying point to
> the server IP address instead of the name, do you mean the private(internal)number, or the Public
> IP address?
>
I mean the private IP address.

It sounds like you are seeing the bug where you cannot contact the server's own private address via 
C2S VPN.  This is due to a NAT issue.  (Test - disable NAT on the server, and you probably will 
start pinging the private side reliably).

B1BM38SP3 does not have the fix for this, but the next release of that patch may.

A workaround is to go to the NAT config, make it static and dynamic, and static NAT the private IP 
address to itself.  I've seen it work on 3.8, and I've seen it not work.  One of my clients did not 
have it working until he backrevved NAT.  B1BM38SP3 has a new NAT in it, and perhaps that will at 
least allow the workaround.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

0
Craig
11/12/2004 10:18:17 PM
Okay, I made the changes to the NAT as suggested and here are some of the things that happened.

First, I was able to Ping the private IP address, on a consistent basis.
Second, I was able to connect to all the volumes on the server, however it was still a little buggy in the fact that I would lose my connections randomly.
Three, still had some issues with logging into the Server, however once I changed from logging in with the VPN client, and started using Netware client this stopped happening.

    I do have several more questions if you have a moment to answer them.

Will the effect of disabling NAT have an effect on web sites that are using reverse proxy, such as GroupWise webaccess, or web sites? How will this affect internal web sites for people?

All internal users would need to have their proxy settings configured inside of their web browsers to still access the Internet, correct?

Again thank you for all your help in this matter, it has made it much easier to understand what is happening. I'm going to re-build my Setup once more and patch the server according to your web site information, and try this again. I will let you know how that turns out.

DS
0
ds
11/17/2004 3:23:15 PM
In article <D1Kmd.4295$T85.3129@prv-forum2.provo.novell.com>, Ds wrote:
> Will the effect of disabling NAT have an effect on web sites that are using reverse proxy, such
> as GroupWise webaccess, or web sites? How will this effect internal web sites for people?

No effect on any proxy traffic.  That is not your concern - it is the non-proxy traffic going out 
via filter exceptions that will fail to work.
>
> All internal users would need to have their proxy settings configured inside of their web
> browsers to still access the Internet , correct?

Correct.
>
> Again thank you for all your help in this matter, it has made it much easier to understand what
> is happening. I'm going to re-build my Setup once more and patch the server according to your web
> site information, and try this again. I will let you know how that turns out.
>
The NAT disable was a test, to confirm this is a NAT bug.  Living without NAT on the server is 
usually not an option, at least not for my clients.  There are too many things needed to be 
allowed out via dynamic NAT for me to be able to simply disable NAT.

What is needed now is a workaround, until Novell fixes this issue.  (Supposed to be a fix in the 
next BM 3.8 patch).  I have heard that backrevving NAT, coupled with the 
static-nat-the-private-ip-address-to-itself trick, works.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

0
Craig
11/17/2004 4:51:45 PM
Craig,

    I understand what you're saying, I will set it back to what it was, Dynamic only.
    What version of the NAT should I be running? My current setup is NW 6.5 sp2 sbs, and with bm 3.8 sp2. My current version of NAT is 7.00.07. Would (or should) I update BM to the latest support pack (b1bm38sp3)? Or should I hold off on that for the time being?
    For the Static-nat-to-private-IP-address-to-itself-trick, how exactly is that done?
    I know that I need to go into INETCFG, bindings, to the setting for DYNAMIC (current setting), and switch that to STATIC/DYNAMIC. In the Public IP address field I put the private ip address, correct? Then in the next private ip address field I also put the private number as well, correct? I know that there is going to be an error, I just go past that accepting the error, then resetting. Is that the correct method? Are there any other changes that I would need to do as well?

DS
0
ds
11/17/2004 9:20:42 PM
In article <KgPmd.4764$T85.1053@prv-forum2.provo.novell.com>, Ds wrote:
> I understand what your saying, I will set it back to what it was Dynamic only.

Set it to Static and Dynamic.

>     What version of the Nat should I be running?

You can try the one in B1BM38SP3, or the one from the previous NetWare support pack.

>Would (or should) I update BM to the latest support pack(b1bm38sp3)? Or should I hold off on that 
>for the time being? 

Won't hurt to try it.

>     For the Static-nat-to-private-IP-address-to-itself-trick, how exactly is that done?

In the static NAT table, add the private IP address as both public and private, when you set NAT to 
static and dynamic.  (I show this in an example in my BMgr 3.x book).

>     I know that I need to go into INETCFG, bindings, to the setting for DYNAMIC(current setting),
> and switch that to STATIC/DYNMAIC. In the Public IP address field  I put the private ip address,
> correct?Then in the next private ip address field I also put the private number as well, correct?

Yes.

>I know that there is going to be an error, 

Ignore it.

If you want to swap NAT versions, disable NAT so that it unloads when you reinitialize system, copy 
in another NAT, then re-enable NAT and reinit.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

0
Craig
11/18/2004 4:02:48 PM