Environment
Novell BorderManager 3.8
BM38SP4_IR5.EXE
Situation
After the Master VPN server certificate expired and a new one was
created, the site-to-site (S2S) VPN tunnel does not come up between
Master and Slave. The Slave IKE.log shows:
8-31-2006 7:35:53 pm Sending INITIAL_CONTACT notify to xx.xx.xx.xx
8-31-2006 7:35:53 pm ***Send Main Mode message to xx.xx.xx.xx
8-31-2006 7:35:53 pm I-COOKIE=4A15277DD4D5DEAE,R-COOKIE=55125203B80CBF9B,MsgID=0,1stPL=ID-PAYLOAD,state=1331653488
8-31-2006 7:35:54 pm ***Receive Main Mode message from xx.xx.xx.xx
8-31-2006 7:35:54 pm I-COOKIE=4A15277DD4D5DEAE,R-COOKIE=55125203B80CBF9B,MsgID=0,1stPL=ID-PAYLOAD,state=1331653488
8-31-2006 7:35:54 pm Received MM ID payload type 9 protocol 0 portnum 0 length 52
8-31-2006 7:35:54 pm sending notify message type 65519 to xx.xx.xx.xx
8-31-2006 7:35:54 pm ***Send Unacknowledge Informational message to xx.xx.xx.xx
8-31-2006 7:35:54 pm I-COOKIE=4A15277DD4D5DEAE,R-COOKIE=55125203B80CBF9B,MsgID=FD8C1BC6,1stPL=HASH-PAYLOAD,state=1331653536
8-31-2006 7:35:54 pm Failed to create IKE-SA - ACL Check Failed , dst = xx.xx.xx.xx
Resolution
The certificate subject name does not match. The name the Slave expects
(configured on the Slave's iManager screen) is not the same as the one
the Master is sending (configured in the S2S iManager setup).
The newly created Master VPN certificate has a different name from the old one. In iManager on the Slave VPN server, go to the VPN server configuration, find Trusted master server certificate subject name, and replace it with the new name.
Run Stopvpn and then Startvpn, and the tunnel will be re-established.
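As an added example (not Novell's code), a small Python triage script for an IKE.log copied off the Slave: it flags each "ACL Check Failed" entry that follows an MM ID payload of type 9, which RFC 2407 defines as ID_DER_ASN1_DN, meaning the peer identified itself by certificate subject name. The function name and the assumption of one log entry per line are the example's own.

```python
import re

# RFC 2407 ID type 9 = ID_DER_ASN1_DN: the peer identifies itself by its
# certificate subject name, the value the Slave compares with its
# "Trusted master server certificate subject name" setting.
ID_DER_ASN1_DN = 9

TS = r"(\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{2}:\d{2} [ap]m) "
NEW_MSG_RE = re.compile(TS + r"\*\*\*(Send|Receive) Main Mode message")
ID_RE = re.compile(TS + r"Received MM ID payload type (\d+) ")
FAIL_RE = re.compile(TS + r"Failed to create IKE-SA - ACL Check Failed\s*, dst = (\S+)")

# Lines taken from the Slave IKE.log excerpt above, one entry per line.
SAMPLE_LOG = """\
8-31-2006 7:35:54 pm ***Receive Main Mode message from xx.xx.xx.xx
8-31-2006 7:35:54 pm I-COOKIE=4A15277DD4D5DEAE,R-COOKIE=55125203B80CBF9B,MsgID=0,1stPL=ID-PAYLOAD,state=1331653488
8-31-2006 7:35:54 pm Received MM ID payload type 9 protocol 0 portnum 0 length 52
8-31-2006 7:35:54 pm sending notify message type 65519 to xx.xx.xx.xx
8-31-2006 7:35:54 pm Failed to create IKE-SA - ACL Check Failed , dst = xx.xx.xx.xx
"""

def find_acl_failures(log_text):
    """Return one dict per 'ACL Check Failed' entry, noting whether the
    identity received just before it was a certificate subject name."""
    findings = []
    id_type = None  # ID type seen in the current Main Mode message
    for line in log_text.splitlines():
        if NEW_MSG_RE.match(line):
            id_type = None          # new message: forget the previous identity
        elif (m := ID_RE.match(line)):
            id_type = int(m.group(2))
        elif (m := FAIL_RE.match(line)):
            findings.append({
                "time": m.group(1),
                "peer": m.group(2),
                "id_type": id_type,
                "subject_name_suspect": id_type == ID_DER_ASN1_DN,
            })
            id_type = None
    return findings

if __name__ == "__main__":
    for f in find_acl_failures(SAMPLE_LOG):
        hint = ("compare the trusted subject name with the Master certificate"
                if f["subject_name_suspect"] else "identity was not a subject name")
        print(f["time"], f["peer"], hint)
```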