Every problem I have run into has been because of a typo. Secifically in the "agreed" common passphrase.

They all have to agree on what each one is. They don't have to be the same one for each system, but between trusts they do.

IOW: ( -> describes a trust)

A -> B and B -> A have to use the same password
B -> C and C -> B have to use the same password
C -> D and D -> C have to use the same password
D -> A and A -> D have to use the same password

C & A don't trust each other directly, but through D or B they do, and B & D don't trust each other directly but through A or C they do. That is only if you have the "domain" routing setup properly.

Now Domain routing isn't "DNS domain" it is more like "Windows Domain" or a King's Domain of Rule. So if any of them know the domain and how to check against it... you should be good to go.

You could also setup a single "Routing" radious authentication machine and have it trusted by eveything... then have it determine where to get auth info. Matter of choice I guess.