
Intel® NetStructure™ 3110/3120/3125/3130 VPN Gateway,
and
Intel NetStructure VPN Manager
Release 6.9 Release Notes

Intel Network Systems, Inc.
Part Number A23453-005
April 2001
2   Intel® NetStructure™ 3110/3120/3125/3130 VPN Gateway Release 6.9 Release Notes
Disclaimer
Information in this document is provided in connection with Intel® products. No license,
express or implied, by estoppel or otherwise, to any intellectual property rights is granted
by this document. Except as provided in Intel Network System, Inc.’s Terms and
Conditions of Sale for such products, Intel Network Systems, Inc. assumes no liability
whatsoever, and Intel Network Systems, Inc. disclaims any express or implied warranty,
relating to sale and/or use of Intel® products including liability or warranties relating to
fitness for a particular purpose, merchantability, or infringement of any patent, copyright
or other intellectual property right. Intel Network Systems, Inc. products are not intended
for use in medical, life saving, or life sustaining applications.
Intel Network Systems, Inc. may make changes to specifications and product
descriptions at any time, without notice.
These Intel® NetStructure™ 3110/3120/3125/3130 VPN Gateway and Intel NetStructure
VPN Manager Release 6.9 Release Notes as well as the software described in it is
furnished under license and may only be used or copied in accordance with the terms of
the license. The information in this manual is furnished for informational use only, is
subject to change without notice, and should not be construed as a commitment by Intel
Network Systems, Inc. Intel Network Systems, Inc. assumes no responsibility or liability
for any errors or inaccuracies that may appear in this document or any software that may
be provided in association with this document.
Except as permitted by such license, no part of this document may be reproduced, stored
in a retrieval system, or transmitted in any form or by any means without the express
written consent of Intel Network Systems, Inc.
Intel, Intel Device View, Intel NetStructure, LanRover, Pentium, and Shiva are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United
States and other countries.
Copyright © Intel Network Systems, Inc. 2001. *Other brands and names are the
property of their respective owners.




Contents
DISCLAIMER

CONTENTS

INTRODUCTION
  LIMITATIONS TO THIS RELEASE
  NEW PRODUCT IDENTIFICATION
  STATEMENT OF ENTRUST* SUPPORT
SYSTEM REQUIREMENTS

RELEASE 6.9 FEATURES AND ENHANCEMENTS
  WINDOWS* MILLENNIUM EDITION (ME) SUPPORT
  PRESERVE TOS BITS SUPPORT IN IPSEC PACKET
  SITE-TO-SITE FAILOVER FOR IPSEC TUNNELS
  ENHANCED NETWORK ADDRESS TRANSLATION (NAT) IPSEC AND SST FUNCTIONALITY
  ENHANCED IPSEC CAPABILITY
  ELLIPTIC CURVE CRYPTOGRAPHY SUPPORT FOR IPSEC
  RIJNDAEL* ADVANCED ENCRYPTION STANDARD SUPPORT
  CLEARING THE CONSOLE PASSWORD
NEW RELEASE 6.9 MODULES AND PARAMETERS
  PRESERVE TOS BIT SUPPORT IN IPSEC PACKET COMMANDS
  SITE-TO-SITE FAILOVER SUPPORT COMMANDS
  ENHANCED NETWORK ADDRESS TRANSLATION (NAT) IPSEC FUNCTIONALITY COMMANDS
  ELLIPTIC CURVE CRYPTOGRAPHY (ECC) SUPPORT COMMANDS
  RIJNDAEL ADVANCED ENCRYPTION STANDARD (AES) SUPPORT COMMANDS
  IPSEC ENHANCEMENTS SUPPORT COMMANDS
UPGRADING TO RELEASE 6.9
  IMPORTING MIBS INTO HP* OPENVIEW*
SPECIAL CONSIDERATIONS

PROBLEMS RESOLVED SINCE RELEASE 6.8.1
  VPN GATEWAY
  VPN MANAGER
KNOWN PROBLEMS
  VPN GATEWAY
  VPN MANAGER




Introduction
This document describes the new features and improvements in Release 6.9 of the Intel®
NetStructure™ 3110/3120/3125/3130 VPN Gateway and the Intel NetStructure VPN
Manager.
This document includes the following sections:
•   System requirements
•   Release 6.9 features and enhancements
•   Upgrading to Release 6.9
•   Special considerations
•   Problems resolved since Release 6.8.1
•   Known problems
For information regarding Release 6.9 of the Intel NetStructure VPN Client, refer to the
Release Notes for that application.

Limitations to This Release
PKIX Not Supported
Release 6.9 of the Intel NetStructure 3110/3120/3125/3130 VPN Gateway firmware does
not provide PKIX support.

Ansel* 10BaseT NIC Not Supported
Release 6.8, Release 6.8.1, and Release 6.9 of the Intel NetStructure
3110/3120/3125/3130 VPN Gateway firmware do not support the Ansel 10BaseT
network interface card (NIC) used in Isolation Systems hardware.

Isolation Systems Hardware Not Supported
Release 6.9 of the Intel NetStructure 3110/3120/3125/3130 VPN Gateway firmware does
not support Isolation Systems hardware, because of year 2000 incompatibility.

Older PCMCIA Flash Cards Not Supported In Intel
NetStructure Hardware
Do not insert older 4-MB and 8-MB PCMCIA flash cards from the Isolation* InfoCrypt
Enterprise and the LanRover™ VPN Gateway hardware devices into the new Intel
NetStructure 3120/3125/3130 VPN Gateway chassis hardware. The new hardware and
BIOS do not recognize the older flash cards.
If an older PCMCIA flash card is inserted into a newer hardware chassis, the hardware
sounds a series of consecutive system bells. Remove the flash card.
Notes:
1. You cannot insert a flash card in an Intel NetStructure 3110 VPN Gateway as this
   device uses a flash DIMM.
2. Never attempt to install or remove a flash card from an Intel NetStructure
   3120/3125/3130 VPN Gateway when the power is turned on.

New Product Identification
Release 6.8 and later releases display new branding for hardware, packaging, and print
documentation. Release 6.8.1 and later releases display new branding for the software
and online Help files. The rebranding reflects the acquisition of Shiva Corporation by
Intel Network Systems, Inc.
Here is a list of the changes:
• From Shiva® to Intel®
• From LanRover™ to NetStructure™
• From VPN Express to 3110 VPN Gateway
Notes:
The Release 6.9 software and firmware also work with existing LanRover VPN
Gateway, LanRover VPN Gateway PLUS and LanRover VPN Express devices.
VPN product releases earlier than Release 6.8 were called Shiva VPN Manager, Shiva
VPN Client, LanRover VPN Gateway, LanRover VPN Gateway PLUS, and LanRover
VPN Express.

Statement of Entrust* Support
Because of enhancements to the Intel NetStructure VPN Client and VPN firmware, Intel
NetStructure VPN technology supports up to and including version 4.0 of Entrust
Technologies’ X.509 certificate authority (CA) product set. Intel Network Systems, Inc.
provides support for the Entrust CA through a licensed dynamic link library (.dll) file
within the Intel NetStructure VPN Manager application. This file, named kmpapi32.dll,
must be obtained from Entrust Technologies. Note that Intel Network Systems, Inc. does
not provide the Entrust client or certificate authority software.
To retrieve an Entrust certificate with the Intel NetStructure VPN Client, you must
install the Entrust client. For complete documentation on installing and configuring
Entrust software, contact your Entrust Technologies support representative.



System Requirements
This section provides the system hardware and software requirements for Release 6.9.

Intel NetStructure VPN Manager
The recommended system hardware and software requirements are:
•   Any 32-bit Windows* operating system running on:
    -   Intel Pentium II 400-MHz processor performance level
    -   20 MB free disk space
    -   128 MB RAM
The minimum system hardware and software requirements for the Intel NetStructure
VPN Manager Release 6.9 software are as follows:
•   PC or PC-compatible desktop computer
•   Windows 95 running on:
    -   Intel Pentium 200-MHz processor performance level
    -   20 MB free disk space
    -   64 MB RAM
    -   Dial-Up Networking* (DUN) 1.3
    -   Winsock 2 — required for protocol 99 and IPSec features
•   Windows 98 running on:
    -   Intel Pentium 200-MHz processor performance level
    -   20 MB free disk space
    -   64 MB RAM
•   Windows Millennium Edition* (ME) running on:
    -   Intel Pentium 200-MHz processor performance level
    -   20 MB free disk space
    -   64 MB RAM




•    Windows NT* 4.0 (Workstation or Server version with Service Pack 4, Service Pack
     5, or Service Pack 6a) running on:
     -   Intel Pentium 200-MHz processor performance level
     -   20 MB free disk space
     -   64 MB RAM
         Note: Release 6.9 was tested on Service Pack 6a. Previous releases were tested
         on all of these service packs.
•    Windows 2000 Professional running on:
     -   Intel Pentium 200-MHz processor performance level
     -   20 MB free disk space
     -   64 MB RAM
Note: (Reference Number 1391) In Release 6.9, the splash screen only displays
correctly if your computer display is set to a resolution of High Color (16-bit) or better.

LanRover VPN Gateway/LanRover VPN Express
Your LanRover VPN Gateway/LanRover VPN Express must include a minimum of:
•    8 MB flash memory
•    32 MB RAM
To determine if your VPN Gateway includes the right amount of memory, individually
select the following commands in the Intel NetStructure VPN Manager main window
Show menu:
•    Show Directory
•    Show Hardware
You can also run these commands in the command line interface:
•    show dir
•    show hardware
Note: All Intel NetStructure 3110/3120/3125/3130 VPN Gateway devices exceed these
minimum requirements.




Launching the Intel NetStructure VPN Manager Through Intel Device View
Reference Number 436
Intel Device View is management software for Intel switches and routers. If Intel Device
View is installed on your system before you install the Intel NetStructure VPN Manager
software, the Intel NetStructure VPN Manager can be launched from within Intel Device
View.
Note: The minimum release of Intel Device View that you need is 2.1.10.x. If you
encounter problems installing the Intel NetStructure VPN Manager, check the release
number in the Intel Device View About dialog box.




Release 6.9 Features and
Enhancements
The following enhancements have been made in Release 6.9 of the Intel NetStructure
3110/3120/3125/3130 VPN Gateway and Intel NetStructure VPN Manager.

Windows Millennium Edition (Me) Support
Reference Numbers 617, 631, 632, and 760
In Release 6.9, the Intel NetStructure VPN Manager works on the Windows Millennium
Edition (Me) operating system.

Preserve TOS Bits Support in IPSec Packet
In Release 6.9, Type of Service (TOS) bit support has been added for IPSec packets.
TOS bits are important for Quality of Service (QoS) implementations. QoS uses
transmission characteristics that can be identified, measured, and controlled. These
transmission characteristics include transmission rates, error rates, packet loss, network
speed, and prioritization of traffic flows. The control capability allows the carrier to
differentiate traffic flow by classes of service. The various classes of service can be
offered for sale and documented in Service Level Agreements (SLAs) between the voice
and data carrier and its customers, which may include telephone companies, Internet
Service Providers (ISPs), Application Service Providers (ASPs), and businesses. Interest
in QoS is increasing in parallel with the growing demand for bandwidth on the Internet.
Release 6.9 optionally copies the TOS bits set in the IP header of the original packet
into the cleartext IP header of the IPSec packet that results from encryption. To
ensure that modifications to the TOS bits along the path of the encrypted packet do
not overrule the TOS bits of the original packet, decrypted packets are always
forwarded with the TOS bits of the original (protected) IP header.
That is, when a cleartext packet that has TOS bits set is encrypted, the TOS bits are
copied into the cleartext IP header of the new, encrypted packet. As the packet travels
across the Internet, routers may change these outer TOS bits for a number of reasons.
Once the packet arrives at its destination and is decrypted, the receiving device uses
the protected, encrypted TOS bits and ignores the TOS bits from the cleartext IP header
of the encrypted packet.
Copying the TOS bits into the cleartext IP header is called an optional carry forward (of
the TOS bits). Note that carry forward reveals the TOS value of the protected packet in
the cleartext header, where any observer on the path can read it. Carry forward is
configured in the Security Profile in the Intel NetStructure VPN Manager Normal
Configuration window or in the Console window. Any IPSec VPN tunnels that use a
Security Profile with TOS bit carry forward enabled employ the above logic. Otherwise,
TOS bits are ignored when the IP header of the IPSec packets is created.
Support for the TOS bit carry forward has been added to the VPN Gateway command set
as well as to the VPN Manager.
To implement this feature through the Intel NetStructure VPN Gateway Console
window, refer to the “Preserve TOS Bit Support in IPSec Packet Commands” section of this
document.
Note: The VPN Client supports TOS bit carry forward for IPSec tunnels only. This
feature is configured automatically during tunnel configuration and cannot be configured
manually.
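The header handling just described, as an added worked example in Python. It is not code from the release notes or from Intel; the addresses, the TOS value 0xB8, and the encapsulation functions are constructed for illustration, and encryption of the inner packet is omitted so that only the TOS logic remains. It shows that with carry forward the outer header carries a copy of the inner TOS, that a transit router can rewrite that copy, and that the receiver still forwards the original value because it takes the TOS from the protected inner header.

```python
import struct

# Constructed sample values for the example: the TOS byte 0xB8 (DSCP EF, the
# marking commonly used for voice) and private addresses; nothing here is taken
# from a real configuration.
TOS_EF = 0xB8
IPPROTO_ESP = 50
IPPROTO_UDP = 17


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(src, dst, tos, proto, payload_len):
    """20-byte IPv4 header without options; checksum left at zero for brevity."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len,
                       0, 0, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def tos_of(packet):
    """The TOS byte is the second octet of an IPv4 header."""
    return packet[1]


def encapsulate(inner, tunnel_src, tunnel_dst, carry_forward):
    """Tunnel-mode encapsulation reduced to the TOS decision: with carry forward
    the inner TOS is copied into the cleartext outer header, otherwise the outer
    TOS is left at zero. Encryption of `inner` is omitted; only header handling
    is modelled here."""
    outer_tos = tos_of(inner) if carry_forward else 0
    outer = build_ipv4_header(tunnel_src, tunnel_dst, outer_tos, IPPROTO_ESP, len(inner))
    return outer + inner


def remark_in_transit(packet, new_tos):
    """A router on the path rewrites the outer TOS byte (for example, clears it)."""
    return packet[:1] + bytes([new_tos]) + packet[2:]


def decapsulate(packet):
    """Receiving gateway: strip the outer header and forward the protected inner
    packet unchanged, so the forwarded TOS is the original one regardless of
    what happened to the outer TOS on the way."""
    return packet[20:]


def run_example():
    inner = build_ipv4_header("20.1.1.5", "30.1.1.7", TOS_EF, IPPROTO_UDP, 0)
    with_cf = encapsulate(inner, "10.1.1.1", "10.1.1.2", carry_forward=True)
    without_cf = encapsulate(inner, "10.1.1.1", "10.1.1.2", carry_forward=False)
    arrived = remark_in_transit(with_cf, 0x00)   # the path strips the marking
    forwarded = decapsulate(arrived)
    return {
        "inner_tos": tos_of(inner),
        "outer_tos_sent_with_carry_forward": tos_of(with_cf),
        "outer_tos_sent_without_carry_forward": tos_of(without_cf),
        "outer_tos_on_arrival": tos_of(arrived),
        "forwarded_tos": tos_of(forwarded),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: 0x{value:02X}")
```

Running the block prints the five TOS values; the forwarded packet keeps 0xB8 even though the outer copy was cleared in transit, which is exactly the property that makes the carry forward safe to rely on for QoS at the receiving side.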

Site-to-Site Failover for IPSec Tunnels
Reference Number 767
In Release 6.9, support for failover functionality for IPSec tunnels has been added to the
Intel NetStructure VPN Gateway to enhance the use of two VPN Gateways.
The principal mechanisms for implementing failover logic are:
•    Tunnel status indicators, which are achieved using IKE keepalives
•    Security Association (SA) metrics (integer values from 0 to 255), which allow for
     similar SA definitions reachable through multiple tunnel endpoints terminating at
     Intel NetStructure VPN Gateway devices
•    Unsecured backup routes to redirect packets normally reachable through a VPN
     tunnel
•    Secured backup routes to redirect packets normally reachable through a primary VPN
     tunnel
If a tunnel is configured with a timeout value, and neither decrypted data nor keepalives
are received within the timeout timeframe, the tunnel attempts to reconnect. If the
reconnection attempt fails, the tunnel continues to try reconnecting and any backup
devices or higher metric SAs take effect.
You can configure these keepalives and timeouts in the VPN Manager’s Normal
Configuration window for the selected device, in the Security Profile form view for the
IPSec tunnel. The Keepalive and Timeout edit boxes were present but not used in the
IKE and L2TP over IPSec Security Profiles form views in earlier releases. The Keepalive
and Timeout edit boxes were added to the Access Control List | Matches form view.




Also, a Failover group box has been added to the window for site-to-site IPSec tunnels in
which the following parameters may be defined:
•      Failover check box, IP Address field, and Metric field wherein, if a redundant device
       is in place for the tunnel, you can create an additional tunnel definition for the
       backup device. This additional tunnel serves as an on-demand tunnel that only
       connects if the primary tunnel is down.
•      Clear Text check box and IP Address field through which you can specify the IP
       address of a backup device that can be reached without tunneling, that is, a device to
       which packets can be redirected in clear text, if the selected tunnel is down.

SA Failover (diagram)

Subnet A, 20.1.1.0/24, is behind VPNG A (an Intel NetStructure 3130 VPN Gateway,
10.1.1.1). Subnet B, 30.1.1.0/24, is behind VPNG B (an Intel NetStructure 3130 VPN
Gateway, 10.1.1.2). VPNG C (an Intel NetStructure 3110 VPN Gateway) holds two tunnel
definitions:

  Tunnel Definition to VPNG A:
      encryptor 10.1.1.1
      SA Subnet A 20.1.1.0/24 Metric = 0

  Tunnel Definition to VPNG B:
      encryptor 10.1.1.2
      SA Subnet B 30.1.1.0/24 Metric = 0
      SA Subnet A 20.1.1.0/24 Metric = 1

Paths shown: the normal path for Subnet A (VPNG C to VPNG A), the alternate or failover
path for Subnet A (VPNG C to VPNG B), and return traffic redirected from VPNG A to
VPNG B.

VPNG C may connect to both VPNG A and VPNG B simultaneously, but traffic to Subnet A
will only be sent to VPNG A since the metric is lower.
If VPNG C cannot connect its tunnel to VPNG A, the traffic to Subnet A will go through
VPNG B.
If VPNG A is alive, but its connection to VPNG C is down, VPNG A can optionally forward
return traffic from Subnet B to VPNG B, which will tunnel it back to VPNG C.
The preceding diagram indicates how VPNG C can be configured to have an alternate
path to Subnet A if the connection to VPNG A is down using redundant SAs with
different metrics.
To assign a backup device to which packets can be redirected in clear text in the Intel
NetStructure VPN Gateway Console window, define an unsecured backup route as
follows:
config
   encryptor <ip address>
       cleartext-backup <ip address of backup gateway>




When a tunnel is disconnected and does not reconnect after the normal IKE timeout
period, traffic destined to all SAs defined for the tunnel is sent to the unsecured backup.
The term unsecured is used because the traffic is redirected to the backup device as
cleartext, that is, without encryption. While the backup route is in use, the traffic has none
of the confidentiality or integrity protection the tunnel provided, so define a cleartext
backup only for traffic that may legitimately cross the path unprotected.
If a redundant device is in place for a tunnel, an additional tunnel definition may be
created for the backup device. This additional tunnel serves as an on-demand tunnel,
which only connects if the primary tunnel is down.
In the Intel NetStructure VPN Gateway Console window, enter the on-demand tunnel
command in the following format:
config
   encryptor <ip address>
       failover-for <tunnel ip address> <metric number>
The fail-over encryptor metric determines the order of precedence when multiple
encryptor definitions are defined for multiple backup devices. When a primary device is
down, all tunnels defined as fail-overs attempt to connect. If more than one tunnel
connection succeeds, all other tunnels of higher metric are disconnected and enter an idle
state until the tunnel with the lower metric disconnects.
The metrics added to SAs determine which VPN tunnel is the active tunnel when more
than one tunnel is connected. For example, given a host with two VPN Gateways and a
branch with a single VPN Gateway, the branch device would be configured with VPN
tunnels to each host VPN Gateway, with redundant SAs to the same subnets with
different metrics.
In the VPN Manager GUI, a Metric field has been added to the New Security
Association dialog box so that if a redundant device is in place for the tunnel, you can
create an additional tunnel definition for the backup device plus redundant SAs with
different metrics to the same subnets as defined for the primary device, and see them in
the list view for the backup site-to-site tunnel’s SAs in the Normal Configuration
window.
Note: Site-to-site failover support for SST is not available for Release 6.9.
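The failover selection described in this section, as an added example in Python that is not part of the release notes or of the gateway's software. It reproduces VPNG C's two tunnel definitions from the diagram, derives tunnel status from the keepalive/timeout rule (a tunnel is down when nothing has been decrypted or received as a keepalive within the timeout), and picks the lowest-metric SA among connected tunnels. Its handling of a cleartext backup (used only when no covering tunnel is up, and only if one is configured) and the address 10.1.1.9 are assumptions of the example, not a statement of the gateway's exact precedence.

```python
import ipaddress


class Tunnel:
    """A site-to-site IPSec tunnel definition as seen from one gateway: the peer
    encryptor address, its SAs as (subnet, metric) pairs, the idle timeout, and
    an optional cleartext backup address."""

    def __init__(self, encryptor, sas, timeout, cleartext_backup=None):
        self.encryptor = encryptor
        self.sas = [(ipaddress.ip_network(net), metric) for net, metric in sas]
        self.timeout = timeout
        self.cleartext_backup = cleartext_backup
        self.last_rx = None   # time of the last decrypted packet or keepalive

    def receive(self, now):
        """Record decrypted data or a keepalive arriving at time `now`."""
        self.last_rx = now

    def is_up(self, now):
        """Up while something was received within the timeout window."""
        return self.last_rx is not None and now - self.last_rx < self.timeout


def select_path(tunnels, dst, now):
    """Route `dst` the way the release notes describe: among tunnels that are up,
    the SA covering dst with the lowest metric wins. If every covering tunnel is
    down, fall open to a configured cleartext backup (this example assumes a
    still-connected tunnel is always preferred over cleartext); with no backup
    the traffic is dropped rather than sent unprotected."""
    covering = [(metric, t) for t in tunnels for net, metric in t.sas if dst in net]
    if not covering:
        return ("drop", None)
    up = [(metric, t) for metric, t in covering if t.is_up(now)]
    if up:
        _, best = min(up, key=lambda pair: pair[0])
        return ("tunnel", best.encryptor)
    for _, t in sorted(covering, key=lambda pair: pair[0]):
        if t.cleartext_backup:
            return ("cleartext", t.cleartext_backup)
    return ("drop", None)


def settle_failovers(connected):
    """Several failover-for tunnels came up at once: keep the one with the lowest
    metric and put the others back to idle. `connected` is a list of
    (metric, encryptor) pairs; returns (active, idled)."""
    ordered = sorted(connected)
    return ordered[0][1], [encryptor for _, encryptor in ordered[1:]]


def scenario():
    """VPNG C's view of the three-gateway layout in the diagram above. Times are
    seconds on a constructed clock; 10.1.1.9 is an assumed backup address."""
    to_a = Tunnel("10.1.1.1", [("20.1.1.0/24", 0)], timeout=60)
    to_b = Tunnel("10.1.1.2", [("30.1.1.0/24", 0), ("20.1.1.0/24", 1)], timeout=60)
    tunnels = [to_a, to_b]
    subnet_a_host = ipaddress.ip_address("20.1.1.10")
    subnet_b_host = ipaddress.ip_address("30.1.1.10")
    results = {}

    # Both tunnels alive: Subnet A goes to VPNG A (metric 0), Subnet B to VPNG B.
    to_a.receive(1000)
    to_b.receive(1000)
    results["both_up"] = (select_path(tunnels, subnet_a_host, 1010),
                          select_path(tunnels, subnet_b_host, 1010))

    # Nothing from VPNG A for longer than the timeout: the metric-1 SA on the
    # VPNG B tunnel takes over Subnet A.
    to_b.receive(1090)
    results["a_timed_out"] = select_path(tunnels, subnet_a_host, 1100)

    # Both tunnels silent and no cleartext backup: drop.
    results["all_down"] = select_path(tunnels, subnet_a_host, 2000)

    # Same outage, but `cleartext-backup 10.1.1.9` was configured on the VPNG A
    # tunnel: Subnet A traffic now leaves unencrypted.
    to_a.cleartext_backup = "10.1.1.9"
    results["all_down_with_backup"] = select_path(tunnels, subnet_a_host, 2000)
    return results
```

The last two results are the ones to look at when deciding whether to configure cleartext-backup: without it an outage means lost connectivity, with it an outage means the same traffic crossing the network in the clear.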

Enhanced Network Address Translation (NAT)
IPSec and SST Functionality
In Release 6.9, enhanced Network Address Translation (NAT) functionality has been
added. Now the Intel NetStructure VPN Gateway has the ability to receive VPN
connections from devices whose IP addresses have been modified by NATing. Prior to
Release 6.9, SST connections that were NATed would only be accepted if the NATing
device provided a one-to-one mapping from the original address to the translated address.
This constraint meant that if multiple users were using NAT behind such a NATing
device, only one user could connect at a time.
Release 6.9 provides NAT support for IPSec and redresses the SST constraint by
tracking VPN remote connections by IP address and port number.
Another problem with NATing involves IPSec. A NATing device that translates the IPSec
connections of several hosts to a single IP address has no means of de-multiplexing the
packets on the return path from an Intel NetStructure VPN Gateway: a native ESP packet
carries no port number, and the Encapsulating Security Payload (ESP) Security
Parameter Index (SPI) is chosen by the receiving peer and is not a value the NATing
device can modify and track. To support NATing of IPSec packets, the Intel NetStructure
VPN Gateway supports an alternate form of ESP encapsulation that inserts a UDP header
between the IP header and the ESP header, so the packet is carried as IP protocol 17
(UDP) rather than protocol 50 (ESP).
The introduction of a UDP header allows the NATing device to modify the source port
through the device and identify return data packets, NATing them back to the original
source port on return to the originating device.
Notes:
1. NATing of multiple Intel NetStructure VPN Gateways behind a NATing device that
    does not support 1:1 address translation is not supported.
2. This functionality allows multiple IPSec client tunnels to be established from behind
    a NATing device with a single external IP address and IPSec tunnels to be tracked by
    IP address and port numbers.
The enhanced Network Address Translation (NAT) functionality has required the
introduction of a new attribute for the existing secure-profile command.
The udp-encapsulation <port number> attribute is used as follows:
config
    secure-profile <profile name>
         udp-encapsulation <port number>
where <port number> is 0 (no UDP encapsulation) or a port in the range 1025-65534.
This attribute is passed during IKE configuration mode to enable auto discovery of the
encapsulation port when using Accept Peer Proposal on the Intel NetStructure VPN
Client. The Intel NetStructure VPN Client also includes a check box indicating whether
UDP encapsulation should be used (and which port to use) in the absence of Accept Peer
Proposal.
As both the Intel NetStructure VPN Gateway and the Intel NetStructure VPN Client
allow the use of the SST port (2233) for the purposes of UDP encapsulation, this is the
default port if UDP encapsulation is supported. This default use does not affect the
behavior of other SST tunnels.




UDP Encapsulation

  ESP packet:
    | IP Header, Protocol = 50 | ESP Header | Original IP Datagram |

  Modified ESP packet:
    | IP Header, Protocol = 17 (UDP) | UDP Header, Source Port = ANY,
      Dest Port = User Definable Port | ESP Header | Original IP Datagram |
To implement this enhanced functionality in the VPN Manager, a UDP Encapsulation
Port check box was added to the ESP v1, ESP v2 (Manual), IKE and L2TP over IPSec
Security Profiles form views in the Configuration Window and to the Matches form
views in the Access Control List Window for the selected device.
To enable this feature through the Intel NetStructure VPN Gateway Console window,
refer to the “Enhanced Network Address Translation (NAT) IPSec Functionality Commands”
section of this document.
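A model of why UDP encapsulation is needed, as an added example in Python that is not from the release notes or the product: two hosts behind one port-translating NAT reach the same VPN Gateway. The NAT's internal design (mappings keyed on address and port for UDP, on peer address alone for protocol 50) is this example's assumption about a typical NAPT; addresses come from the documentation ranges and the SPIs are constructed. With plain ESP the second host's mapping displaces the first and a reply intended for one host is delivered to the other; with UDP-encapsulated ESP on port 2233 each host receives its own external port and replies demultiplex correctly.

```python
IPPROTO_ESP = 50
IPPROTO_UDP = 17


def esp_packet(src, dst, spi):
    """Plain ESP: protocol 50 directly over IP. The SPI is chosen by the receiver
    and is not a field a NAT box may rewrite, so it offers no demux handle."""
    return {"src": src, "dst": dst, "proto": IPPROTO_ESP, "spi": spi}


def udp_esp_packet(src, dst, sport, dport, spi):
    """UDP-encapsulated ESP: protocol 17, a UDP header in front of the ESP header.
    The source port is the rewritable handle the NAT box needs."""
    return {"src": src, "dst": dst, "proto": IPPROTO_UDP,
            "sport": sport, "dport": dport, "spi": spi}


class Napt:
    """Minimal port-translating NAT with a single external address. Packets are
    dicts rather than bytes so the translation logic stays visible."""

    def __init__(self, external_ip, first_port=40000):
        self.ext = external_ip
        self.next_port = first_port
        self.by_internal = {}   # (src, sport, dst, dport) -> external port
        self.by_external = {}   # external port -> (src, sport)
        self.esp_owner = {}     # peer gateway -> internal host for protocol-50 flows

    def outbound(self, pkt):
        p = dict(pkt)
        if p["proto"] == IPPROTO_UDP:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key not in self.by_internal:
                self.by_internal[key] = self.next_port
                self.by_external[self.next_port] = (p["src"], p["sport"])
                self.next_port += 1
            p["sport"] = self.by_internal[key]
        elif p["proto"] == IPPROTO_ESP:
            # The only thing to key on is the peer address. A second internal host
            # talking to the same gateway overwrites the first: 1:1 is the limit.
            self.esp_owner[p["dst"]] = p["src"]
        p["src"] = self.ext
        return p

    def inbound(self, pkt):
        p = dict(pkt)
        if p["proto"] == IPPROTO_UDP:
            if p["dport"] not in self.by_external:
                return None          # no mapping: unsolicited, dropped
            p["dst"], p["dport"] = self.by_external[p["dport"]]
            return p
        if p["proto"] == IPPROTO_ESP:
            owner = self.esp_owner.get(p["src"])
            if owner is None:
                return None
            p["dst"] = owner         # whoever mapped last gets every reply
            return p
        return None


def scenario():
    """Two hosts behind one NAT reach the same VPN Gateway, first with plain ESP,
    then with UDP-encapsulated ESP on port 2233 (the default named in the notes).
    Addresses are from the documentation ranges and SPIs are constructed."""
    gateway = "192.0.2.10"
    nat = Napt("203.0.113.5")
    alice, bob = "192.168.0.11", "192.168.0.12"
    port = 2233

    nat.outbound(esp_packet(alice, gateway, spi=0x1001))
    nat.outbound(esp_packet(bob, gateway, spi=0x1002))
    reply_meant_for_alice = nat.inbound(esp_packet(gateway, nat.ext, spi=0xA001))

    a_out = nat.outbound(udp_esp_packet(alice, gateway, port, port, spi=0x1001))
    b_out = nat.outbound(udp_esp_packet(bob, gateway, port, port, spi=0x1002))
    a_back = nat.inbound(udp_esp_packet(gateway, nat.ext, port, a_out["sport"], spi=0xA001))
    b_back = nat.inbound(udp_esp_packet(gateway, nat.ext, port, b_out["sport"], spi=0xA002))
    stray = nat.inbound(udp_esp_packet(gateway, nat.ext, port, 55555, spi=0xA003))

    return {
        "plain_esp_reply_delivered_to": reply_meant_for_alice["dst"],
        "alice_external_port": a_out["sport"],
        "bob_external_port": b_out["sport"],
        "alice_reply": (a_back["dst"], a_back["dport"]),
        "bob_reply": (b_back["dst"], b_back["dport"]),
        "stray_dropped": stray is None,
    }
```

The misdelivered plain-ESP reply is harmless to confidentiality (the wrong host cannot decrypt it) but it does mean only one host behind the NAT can hold a working tunnel, which is the one-at-a-time constraint the release notes describe for the pre-6.9 behaviour.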

Enhanced IPSec Capability
In Release 6.9, enhancements have been made to IPSec functionality, specifically
improved IKE connection speed and secondary authentication functionality.
IKE connection speed has been improved: when many SAs connect simultaneously,
response time is shorter. Heartbeats have also been added, together with a mechanism
that keeps track of whether or not a tunnel is active. These IPSec heartbeats (the
counterpart of the keepalives used for SST) are used mostly for fail-over and state
detection.
In the VPN Manager Normal Configuration window for the selected device, in the
Security Profile form view for IPSec, there now are opportunities to set keepalive,
timeout, client keepalive, and client timeout.
The timeout and keepalive values for the Intel NetStructure 3110/3120/3125/3130 VPN
Gateway support the idle disconnect feature for site-to-site IPSec tunnels.
The separate Client Timeout and Client Keepalive values for the Intel NetStructure VPN
Client support the idle disconnect feature for remote-access IPSec tunnels.
To implement these enhancements through the Intel NetStructure VPN Gateway Console
window, refer to the “IPSec Enhancements Support Commands” section of this document.

Also, when an IPSec remote user connects, IPSec secondary authentication now uses the
name of the ACL that allowed the tunnel to proceed as the Group name. Therefore, an
ACL such as a domain name (for example, Intel.com), an e-mail address (for example,
*@intel.com), an IP address (for example, 10.250.155.10) or a distinguished name may
now become the Group name for the RADIUS authentication of a user.
The RADIUS server (for example, the Intel NetStructure Access Manager) would require
this Group name for the user record to authorize the connection. Previously when IPSec
secondary authentication was performed, there was no Group name included in the query
to the RADIUS server to authenticate the user making the connection.
IPSec primary authentication refers to certificate or to key authentication. IPSec
secondary authentication, which is usually known as Xauth, refers to SecurID, RADIUS,
or RADIUS-CHAP authentication. The difference between primary and secondary
authentication is that primary authentication can be common to a number of users, say a
Group, and is dispersed from a central point, whereas secondary authentication requires
user interaction and therefore is unique to that interaction.

Elliptic Curve Cryptography Support for IPSec
In Release 6.9, support for Elliptic Curve Cryptography (ECC) has been added for IPSec.
As the requirement for longer key sizes increases, so do processing space and time.
Using ECC decreases overhead and latency, while allowing strong encryption from the
public-key algorithms it produces using the algebraic system defined on the points of an
elliptic curve.
ECC’s algorithms can be used for data encryption and user verification and
accommodate user authentication, primarily in wireless communication applications as
well as for certain encryption applications that run on Windows 95/98/2000 or Windows
NT platforms.
The VPN Manager uses Certicom* licensed technology in order to provide full ECC
support (DH groups 3, 4 and 7). ECC support was added to the IKE Phase 1
Diffie-Hellman options and is used in Phase 2 for Perfect Forward Secrecy (PFS). ECC is
typically used in low-end devices such as personal digital assistant and pocket PC
devices and in cellular phones. Three new DH groups were added to support ECC:
Group 3, Group 4 and Group 7.

You can select these ECC algorithms in the VPN Manager’s Normal Configuration
window for the selected device in the IKE and L2TP over IPSec Security Profiles form
views and in the Access Control List | Matches form view from the DH Group
drop-down menu:

In the Console window ? (help command) view, the selections appear as follows:
hostname[config][secure-profile ecc]:NORMAL#ike-group ?
1 | 2 | 3 | 4 | 5 | 7
1 - DH group 1 RSA 768 bits
2 - DH group 2 RSA 1024 bits
3 - DH group 3 ECC 155 bits
4 - DH group 4 ECC 185 bits
5 - DH group 5 RSA 1536 bits
7 - DH group 7 ECC 1024 bits
Notes:
1. Diffie-Hellman Group 5, 1536-bit, has been added to the DH (Diffie-Hellman)
   Group drop-down menu for completeness.
2. ECC DH group 7 is not supported in the VPN Client as the license agreement with
   Certicom precludes use of its licensed technology in mobile applications. ECC DH
   groups 3 and 4 are supported in the VPN Client using RSA* technology.
3. To implement this feature in the Intel NetStructure VPN Gateway Console window,
   refer to the “Elliptic Curve Cryptography (ECC) Support Commands” section of this
   document.

Rijndael* Advanced Encryption Standard Support
Release 6.9 supports Rijndael, the proposed Advanced Encryption Standard (AES)
recently selected by the U.S. National Institute of Standards and Technology (NIST), an
agency of the U.S. Commerce Department’s Technology Administration. AES is an
alternative to DES for encryption.
Developed by two Belgian researchers, Rijndael comprises cryptographic algorithms and
protocols that are used for data encryption and user verification and that accommodate
user authentication.
As the AES, Rijndael protects sensitive but unclassified electronic information of the
U.S. Government. During the last year, a large number of products and applications have
been AES-enabled. Therefore, it is likely to become a worldwide de facto standard in
numerous other applications such as Internet security, bank cards, and ATMs.
For more information concerning AES, go to the National Institute of Standards and
Technology (NIST) Web site at the following URL:
http://csrc.nist.gov/encryption/aes/round2/aesfact.html
Support for the AES encryption algorithm is achieved in software. AES is supported only
for IKE Phase 2, and not for SST. AES encryption support provides three additional
encryption options: 128-bit, 192-bit, and 256-bit.
You can select these AES algorithms in the VPN Manager’s Normal Configuration
window for the selected device in two places:
• In the IKE and L2TP over IPSec Security Profiles windows in the ESP Algorithm
  drop-down menu
• In the Access Control List | Matches | Security Associations window in the
  Algorithm drop-down menu: 256-bit key, 192-bit key, and 128-bit key
To implement this feature in the Intel NetStructure VPN Gateway Console window, refer
to the “Rijndael Advanced Encryption Standard (AES) Support Commands” section of
this document.

Clearing the Console Password
Reference Number 610770-PM00
To clear the console password and invalidate the system configuration by deleting the
isbr.cfg and safe.cfg files and all other files except system files, at the
hostname:NORMAL> prompt, type RESET, then press ENTER.
Prior to accepting the RESET command, the following confirmation prompt appears:
WARNING: This command should be attempted only if you have
forgotten the login password. Resetting the Intel(r)
NetStructure(tm) VPN Gateway Software will cause the entire
configuration to be deleted, thus returning your Intel(r)
NetStructure(tm) VPN Gateway Software to a default
configuration state. Would you like to proceed to reset the
Intel(r) NetStructure(tm) VPN Gateway Software (y/n)?
Reply Yes to the confirmation prompt. The device reboots. All certificates are cleared.
You now can log in using admin as your password.

New Release 6.9 Modules and Parameters
Many new commands are introduced in Release 6.9.

Preserve TOS Bit Support in IPSec Packet Commands
The following new/extended commands are set in the device configuration file and the
ACL file, respectively.

 Command:    preserve-tos (in the device configuration file)
 Parameters: on | off
 Meaning:    To permit packets with TOS bits set in the IP header to be included in the
             IP header of the IPSec packets that result from encryption, in the device
             configuration file under the secure-profile command, enter the preserve-tos
             command followed by on. Otherwise, follow the command with off.
             The default setting is off.

 Command:    preserve-tos (in the acl file)
 Parameters: on | off
 Meaning:    To permit packets with TOS bits set in the IP header to be included in the
             IP header of the IPSec packets that result from encryption, in the acl file,
             under the match setting, enter the preserve-tos command followed by on.
             Otherwise, follow the command with off.

Site-to-Site Failover Support Commands
The following new commands are set in the device configuration file.

 Command:    metric
 Parameters: <metric>
 Meaning:    In the configuration file under the encryptor sa commands, enter the
             command, then set the SA metric, an integer from 1 to 255.

 Command:    cleartext-backup
 Parameters: <ip address of backup gateway>
 Meaning:    To assign a backup device to which packets can be redirected as clear text,
             in the configuration file under the encryptor command, enter the command,
             then enter the IP address of the backup VPN Gateway.

 Command:    failover-for
 Parameters: <ip address of tunnel> <metric number>
 Meaning:    If a redundant device is in place for a tunnel, to create an additional
             tunnel definition for the backup device to serve as an on-demand tunnel, in
             the configuration file under the encryptor command, enter the command, then
             enter the IP address of the primary tunnel, followed by the metric.
             The failover encryptor metric determines the order of precedence when
             multiple encryptor definitions are defined for multiple backup devices.
             When a primary device is down, all tunnels defined as failovers attempt to
             connect. If more than one connection succeeds, all tunnels of higher metric
             are disconnected and enter an idle state until the tunnel with the lower
             metric disconnects.

Enhanced Network Address Translation (NAT) IPSec Functionality Commands
The following new commands are set in the device configuration file and the ACL file,
respectively.

 Command:    udp-encapsulation
 Parameters: <port number>
 Meaning:    To enable NAT functionality in the device configuration file under the
             secure-profile command, enter the udp-encapsulation command followed by a
             port number between 1025 and 65534. To prevent UDP encapsulation, enter a
             0 (zero).
             The default setting is 0 (zero): disabled. If you enable this command, the
             enabled default port number is 2233.

 Command:    udp-encapsulation
 Parameters: <port number>
 Meaning:    To enable NAT functionality in the acl file, under the match setting, enter
             the udp-encapsulation command followed by a port number between 1025 and
             65534. To prevent UDP encapsulation, enter a 0 (zero).
             The default setting is 0 (zero): disabled. If you enable this setting, the
             enabled default port number is 2233.


Elliptic Curve Cryptography (ECC) Support Commands
The following new commands are set in the device configuration file and the ACL file,
respectively.

 Command:    ike-group
 Parameters: <DH group number>
 Meaning:    To enable ECC in the device configuration file under the secure-profile
             command, enter the ike-group command followed by the Diffie-Hellman (DH)
             group number, for which your new ECC choices are 3 and 4, where 3 is
             ECC-2^155 (2 to the power of 155) and 4 is ECC-2^185 (2 to the power of
             185).
             Note: For completeness, Diffie-Hellman Group 5, 1536-bit, has been added to
             the original Diffie-Hellman Group choices of 1 and 2.

 Command:    ike-group
 Parameters: <DH group number>
 Meaning:    To enable ECC in the ACL file, under the match setting, enter the ike-group
             command followed by the Diffie-Hellman (DH) group number, for which your
             new ECC choices are 3 and 4, where 3 is ECC-2^155 (2 to the power of 155)
             and 4 is ECC-2^185 (2 to the power of 185).
             Note: For completeness, Diffie-Hellman Group 5, 1536-bit, has been added to
             the original Diffie-Hellman Group choices of 1 and 2.


Rijndael Advanced Encryption Standard (AES) Support Commands
The following new commands are set in the device configuration file and the ACL file,
respectively.

 Command:    algorithm
 Parameters: <algorithm name>
 Meaning:    To enable AES in the device configuration file under the secure-profile
             command, enter the algorithm command followed by the AES algorithm name:
             aes-256 (for 256-bit key), aes-192 (for 192-bit key), and aes-128-bit (for
             128-bit key).
             The existing des, 3des, none and null options remain.

 Command:    algorithm
 Parameters: <algorithm name>
 Meaning:    To enable AES in the ACL file, under the match | sa setting, enter the
             algorithm command followed by the AES algorithm name: aes-256 (for 256-bit
             key), aes-192 (for 192-bit key), and aes-128-bit (for 128-bit key).
             The existing des, 3des, none and null options remain.


IPSec Enhancements Support Commands
The following new commands are set in the device configuration file and the ACL file,
respectively.

 Command:    keepalive
 Parameters: <keepalive length> (in seconds)
 Meaning:    To set the rate at which the VPN Gateway should send keepalive packets to
             the VPN component at the other end of a tunnel, in the device configuration
             file, under the secure-profile setting, enter the keepalive command followed
             by the <keepalive length> in seconds.
             Set the keepalive to something less than the timeout value on the opposing
             VPN device. For example, if the timeout is set to 65 seconds on the opposing
             VPN component, then set the keepalive to 15 seconds so that the keepalive
             packet has time to travel from the opposing VPN component to the VPN
             Gateway.

 Command:    keepalive
 Parameters: <keepalive length> (in seconds)
 Meaning:    To set the rate at which the VPN Gateway should send keepalive packets to
             the VPN component at the other end of a tunnel, in the ACL file, under the
             match setting, enter the keepalive command followed by the <keepalive
             length> in seconds.
             Set the keepalive to something less than the timeout value on the opposing
             VPN device. For example, if the timeout is set to 65 seconds on the opposing
             VPN component, then set the keepalive to 15 seconds so that the keepalive
             packet has time to travel from the opposing VPN component to the VPN
             Gateway.

 Command:    client-keep-alive
 Parameters: <client-keep-alive length> (in seconds)
 Meaning:    To set the number of seconds between the client keepalive packets sent from
             the Intel NetStructure VPN Client to the VPN Gateway, in the device
             configuration file, under the secure-profile setting, enter the
             client-keep-alive command followed by the <client-keep-alive length> in
             seconds.
             To disable client-keep-alive, set this value to 0 (zero). To disable the
             idle tunnel disconnect feature, set the client-timeout value greater than
             the client-keep-alive value.
             Note: For the client-timeout and client-keep-alive values to be sent to the
             VPN Client, Accept Peer Proposal must be enabled for the Intel NetStructure
             VPN Client.

 Command:    client-keepalive
 Parameters: <client-keepalive length> (in seconds)
 Meaning:    To set the number of seconds between the client keepalive packets sent from
             the Intel NetStructure VPN Client to the VPN Gateway, in the ACL file, under
             the match setting, enter the client-keepalive command followed by the
             <client-keepalive length> in seconds.
             To disable client-keepalive, set this value to 0 (zero). To disable the idle
             tunnel disconnect feature, set the client-timeout value greater than the
             client-keep-alive value.
             Note: For the client-timeout and client-keep-alive values to be sent to the
             VPN Client, Accept Peer Proposal must be enabled for the Intel NetStructure
             VPN Client.

 Command:    timeout
 Parameters: <timeout length> (in seconds)
 Meaning:    To set the time that the VPN Gateway should wait for a keepalive packet from
             the opposing VPN component, in the device configuration file, under the
             secure-profile setting, enter the timeout command followed by the <timeout
             length> in seconds.
             If a keepalive packet does not arrive from the opposing VPN component within
             this time, the VPN Gateway declares the session keys invalid and may try to
             re-negotiate the session.

 Command:    timeout
 Parameters: <timeout length> (in seconds)
 Meaning:    To set the time that the VPN Gateway should wait for a keepalive packet from
             the opposing VPN component, in the ACL file, under the match setting, enter
             the timeout command followed by the <timeout length> in seconds.
             If a keepalive packet does not arrive from the opposing VPN component within
             this time, the VPN Gateway declares the session keys invalid and may try to
             re-negotiate the session.

 Command:    client-timeout
 Parameters: <client-timeout length> (in seconds)
 Meaning:    To set the length of time after which the VPN Client disconnects the tunnel
             if the VPN Client has not received either data or keepalive messages from
             the VPN Gateway, in the device configuration file, under the secure-profile
             setting, enter the client-timeout command followed by the <client-timeout
             length> in seconds.
             To enable the idle tunnel disconnect feature, the client-timeout value must
             be set to a value greater than 0 (for example, 300 seconds) and the
             client-keep-alive must be disabled. To disable the client-keep-alive, set
             the client-keep-alive value to 0 (zero).
             To disable the idle tunnel disconnect feature, the client-timeout value must
             be greater than the client-keep-alive value. For example, set the
             client-timeout to 65 seconds, and set the client-keep-alive to 15 seconds.
             Note: For the client-timeout and client-keep-alive values to be sent to the
             VPN Client, Accept Peer Proposal must be enabled for the Intel NetStructure
             VPN Client.

 Command:    client-timeout
 Parameters: <client-timeout length> (in seconds)
 Meaning:    To set the length of time after which the VPN Client disconnects the tunnel
             if the VPN Client has not received either data or keepalive messages from
             the VPN Gateway, in the ACL file, under the match setting, enter the
             client-timeout command followed by the <client-timeout length> in seconds.
             To enable the idle tunnel disconnect feature, the client-timeout value must
             be set to a value greater than 0 (for example, 300 seconds) and the
             client-keep-alive must be disabled. To disable the client-keep-alive, set
             the client-keep-alive value to 0 (zero). To disable the idle tunnel
             disconnect feature, the client-timeout value must be greater than the
             client-keep-alive value. For example, set the client-timeout to 65 seconds,
             and set the client-keep-alive to 15 seconds.
             Note: For the client-timeout and client-keep-alive values to be sent to the
             VPN Client, Accept Peer Proposal must be enabled for the Intel NetStructure
             VPN Client.
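The keepalive, timeout, client-keep-alive and client-timeout rules above (and the idle disconnect behaviour described under the IPSec enhancements) are easy to get wrong when a profile is edited by hand. The following added example, not Intel's code, encodes those rules as a Python check over constructed profile values; the IpsecTimers container and its accept_peer_proposal flag are assumptions of the example, standing in for the Security Profile settings named in the table.

```python
"""Consistency check for the Release 6.9 IPSec keepalive/timeout settings.

Added example (not Intel's code). It applies the rules stated in the
"IPSec Enhancements Support Commands" table to one profile's values and to
the opposing device's timeout, and reports the resulting idle disconnect
behaviour plus any misconfiguration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class IpsecTimers:
    """Timer values of one secure-profile, in seconds; 0 disables a keepalive.

    The container itself is an assumption of this example; the field names
    mirror the commands in the table.
    """
    keepalive: int                     # gateway -> peer keepalive interval
    timeout: int                       # gateway waits this long for a peer keepalive
    client_keepalive: int              # VPN Client -> gateway keepalive interval
    client_timeout: int                # VPN Client disconnects after this much silence
    accept_peer_proposal: bool = True  # VPN Client setting named in the table's Note


def site_to_site_findings(local: IpsecTimers, peer_timeout: int) -> List[str]:
    """Check the gateway keepalive against the opposing device's timeout.

    The table requires the local keepalive interval to be smaller than the
    peer's timeout so that a keepalive arrives before the peer declares the
    session keys invalid (e.g. keepalive 15 s against a peer timeout of 65 s).
    """
    findings: List[str] = []
    if local.keepalive <= 0:
        findings.append("keepalive disabled: peer sees no heartbeats, only data")
    elif local.keepalive >= peer_timeout:
        findings.append(
            f"keepalive {local.keepalive}s is not below peer timeout "
            f"{peer_timeout}s: peer may invalidate session keys and renegotiate")
    return findings


def client_idle_disconnect(t: IpsecTimers) -> str:
    """Classify the remote-access idle disconnect behaviour of a profile.

    Rules from the table:
      * client-timeout > 0 and client-keep-alive == 0  -> "enabled"
      * client-timeout > client-keep-alive > 0         -> "disabled"
      * client-timeout == 0                            -> "not configured"
    A keepalive interval at or above the timeout is reported here as
    "misconfigured" (assumption of this example: the keepalive would arrive
    after the client has already given up on the gateway).
    """
    if t.client_timeout <= 0:
        return "not configured"
    if t.client_keepalive == 0:
        return "enabled"
    if t.client_keepalive < t.client_timeout:
        return "disabled"
    return "misconfigured"


def audit_profile(name: str, t: IpsecTimers, peer_timeout: int) -> List[str]:
    """Return human-readable findings for one profile."""
    report = [f"{name}: client idle disconnect {client_idle_disconnect(t)}"]
    if not t.accept_peer_proposal:
        # The table's Note: without Accept Peer Proposal the client never
        # receives client-timeout / client-keep-alive from the gateway.
        report.append(f"{name}: Accept Peer Proposal is off, so client-timeout "
                      "and client-keep-alive are not sent to the VPN Client")
    report += [f"{name}: {f}" for f in site_to_site_findings(t, peer_timeout)]
    return report


if __name__ == "__main__":
    # Constructed sample profiles (not taken from a real device).
    idle = IpsecTimers(keepalive=15, timeout=65, client_keepalive=0, client_timeout=300)
    keep = IpsecTimers(keepalive=15, timeout=65, client_keepalive=15, client_timeout=65)
    bad = IpsecTimers(keepalive=70, timeout=65, client_keepalive=90, client_timeout=60,
                      accept_peer_proposal=False)
    for line in (audit_profile("idle-profile", idle, 65)
                 + audit_profile("keepalive-profile", keep, 65)
                 + audit_profile("bad-profile", bad, 65)):
        print(line)
```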

Upgrading to Release 6.9
To upgrade to Release 6.9, install the Release 6.9 Intel NetStructure VPN Manager
software on your desktop PC. Follow the instructions in the Intel® NetStructure™
3110/3120/3125/3130 VPN Gateway, Intel NetStructure VPN Manager and Intel
NetStructure VPN Client Installation and Upgrade Guide that accompanies your
software.

Importing MIBs into HP* OpenView*
Every SNMP application has its own way of importing MIBs; for example, some SNMP
applications need the .asn files to be precompiled, while others accept .asn files as
they are and compile them for you. Because of this variation, it is not practical to
prepare one procedure for integrating the MIBs into the various SNMP management
utilities. In its simplest form, such a global procedure would instruct you to use the
SNMP application's import function to import the MIBs. However, because the MIBs are
kept hierarchically, that is, they must create or fit into a tree structure, they must
be imported in a certain order or they do not work.
A commonly used SNMP application is HP OpenView. A procedure to import MIBs into
HP OpenView is provided next.
For Release 6.8.1 Patch #1 and later software MIBs, the MIBs should be imported into
HP OpenView in the following order:
1. From the shiva\ folder, import shiva.asn
2. From the vpn\ folder, import shiva-vpn.asn
3. From the vpn\ folder, import shiva-lanrover-vpn-gateway.asn
4. From the vpn\ folder, import shiva-vpn-system.asn
5. From the vpn\ folder, import shiva-vpn-memory.asn
6. From the vpn\ folder, import shiva-vpn-utilization.asn
7. From the vpn\ folder, import shiva-vpn-config.asn
8. From the vpn\ folder, import shiva-vpn-arp.asn
9. From the vpn\ folder, import shiva-vpn-ip.asn
10. From the vpn\ folder, import shiva-vpn-tunnel.asn
Note: For the VPN products, you must import the first two files in the correct order as
they create the structure into which the SNMP application can fit the other files.

Special Considerations
Outbound Proxy Rule With Dual-Default Gateways Requires Static Route
Reference Number 262DF
Although an Intel NetStructure 3110/3120/3125/3130 VPN Gateway may have a red
default gateway defined, a black default gateway defined, an outbound proxy rule, and a
requirement to reach services, such as a RADIUS server or an ACE/Server*, you cannot
reach the service from the Intel NetStructure 3110/3120/3125/3130 VPN Gateway unless
a specific static route is defined.

IPSec-Default and Remote-group IPSec Not Removable
Reference Number 13DF
IPSec-Default and Remote-group IPSec cannot be removed permanently from a device
configuration. Although you can go through the steps to delete these items and then
attempt to write the configuration change to memory, when you reboot the device the
deleted Remote-group IPSec and the Secure-profile IPSEC-Default are still present.
This functionality supports policy-based management.

Static Client IP Assignments Using the ACL
Typically, Client-IP addresses are not assigned statically in the Access Control List
(ACL). However, if on occasion addresses are assigned statically in the ACL, note that
an IP address or a range of IP addresses must be set aside in the group tunnel
corresponding to the ACL.
Specifically, the range must not overlap any of the Client-IP addresses specified in the
ACL.

Configuration of Both DHCP and Static IP Addresses on
One Tunnel
The Intel NetStructure VPN Manager allows you to configure both DHCP and static Client-IP addresses on the same remote-use tunnel, but you should not do so, because this configuration is not supported. You can, however, configure either multiple static Client-IP address entries or multiple DHCP entries (as long as you enter the DHCP gateway’s IP address), but not a combination of the two.

DHCP Server of Client-IP Addresses
To successfully use the Intel NetStructure 3110/3120/3125/3130 VPN Gateway as a
DHCP server or forwarder for an Intel NetStructure VPN Client, the client-IP address
assigned must fall within one of the subnets on a red interface so that the Intel
NetStructure 3110/3120/3125/3130 VPN Gateway can return an appropriate subnet mask
and DHCP server.
For example:
remote-group test
client-ip 10.20.1.17 2
assigns two IP addresses to the group test, 10.20.1.17 and 10.20.1.18.
To service DHCP requests, a red interface could be configured as follows:
int e 0
mode red
ip address 10.20.1.1 255.255.255.240
ip address 10.20.1.19 255.255.255.240 secondary
The secondary address 10.20.1.19 is the address/mask that is used when responding to
Intel NetStructure VPN Client DHCP requests. The DHCP information returned for the
first Intel NetStructure VPN Client is:
IP Address:      10.20.1.17
Subnet Mask: 255.255.255.240
DHCP Server: 10.20.1.18
If the Intel NetStructure 3110/3120/3125/3130 VPN Gateway is configured to relay
requests to a DHCP server on an inside network, there must be a secondary IP address
that maps into the address space of the pool of addresses that the DHCP server issues.
This pool can optionally be selected by specifying the secondary IP defined on the red
interface in the client-IP command as follows:
remote-group test2
client-ip DHCP 2 10.20.1.18
For example, if a DHCP server is configured with two pools of addresses:
10.1.1.1 to 10.1.1.20 mask 255.255.255.0
and
20.2.2.1 to 20.2.2.10 mask 255.255.255.240
then the Intel NetStructure 3110/3120/3125/3130 VPN Gateway must be configured with two IP addresses, one in the 10.1.1.21-10.1.1.254 range and one in the 20.2.2.11-20.2.2.14 range, to support both subnets.

The groups would be configured as follows:
remote-group tenNetwork
client-ip DHCP 20 10.1.1.21
remote-group twentyNetwork
client-ip DHCP 10 20.2.2.11
The red interface would be configured as follows:
int e 0
mode red
ip address 10.1.1.21 mask 255.255.255.0
ip address 20.2.2.11 mask 255.255.255.240
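The Client-IP rules in this section and in "Static Client IP Assignments Using the ACL" above are easy to get wrong by hand, so the following is an added configuration check (example code written for these notes, not Intel's own tooling). It parses a constructed gateway configuration written in the CLI syntax shown above and reports every violation it finds: a static client-ip pool must lie inside one red-interface subnet, no red-interface address may fall inside a pool, a DHCP pool's selector must be an address configured on a red interface, and statically assigned ACL Client-IPs must neither overlap a group pool nor sit outside every red subnet. The group names, the ACL dictionary and the "int e 1" black interface are constructed for the example.

```python
"""Added example (not from the release notes): a configuration check for the
Client-IP rules described on this page, run against a constructed config."""
import ipaddress

# Constructed sample config, modelled on the tenNetwork/twentyNetwork example
SAMPLE_CONFIG = """\
remote-group tenNetwork
client-ip DHCP 20 10.1.1.21
remote-group twentyNetwork
client-ip DHCP 10 20.2.2.11
remote-group staticUsers
client-ip 10.1.1.100 4
int e 0
mode red
ip address 10.1.1.21 mask 255.255.255.0
ip address 20.2.2.11 mask 255.255.255.240
int e 1
mode black
ip address 192.0.2.1 255.255.255.0
"""

# Constructed config with three mistakes (see check() for what each trips)
BAD_CONFIG = """\
remote-group stray
client-ip DHCP 5 10.1.1.50
remote-group collide
client-ip 10.1.1.20 4
remote-group offnet
client-ip 10.9.9.1 2
int e 0
mode red
ip address 10.1.1.21 255.255.255.0
"""

# Constructed ACL entries: user -> statically assigned Client-IP
SAMPLE_ACL = {"alice": "10.1.1.101", "bob": "10.1.1.200", "carol": "172.16.0.5"}


def parse_config(text):
    """Return (red_subnets, red_addresses, pools) from CLI-style config text."""
    interfaces, pools = {}, []
    cur_if = cur_group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "int" and len(tok) >= 3:          # int e 0
            cur_if, cur_group = " ".join(tok[1:]), None
            interfaces.setdefault(cur_if, {"mode": None, "addrs": []})
        elif tok[0] == "mode" and cur_if:               # mode red | mode black
            interfaces[cur_if]["mode"] = tok[1]
        elif tok[:2] == ["ip", "address"] and cur_if:   # ip address A [mask] M [secondary]
            rest = [t for t in tok[2:] if t not in ("mask", "secondary")]
            interfaces[cur_if]["addrs"].append(
                ipaddress.ip_interface(f"{rest[0]}/{rest[1]}"))
        elif tok[0] == "remote-group":                  # remote-group NAME
            cur_group, cur_if = tok[1], None
        elif tok[0] == "client-ip" and cur_group:
            if tok[1].upper() == "DHCP":                # client-ip DHCP COUNT [RED-IP]
                pools.append({"group": cur_group, "dhcp": True, "count": int(tok[2]),
                              "selector": ipaddress.ip_address(tok[3]) if len(tok) > 3 else None})
            else:                                       # client-ip FIRST COUNT
                pools.append({"group": cur_group, "dhcp": False,
                              "start": ipaddress.ip_address(tok[1]), "count": int(tok[2])})
    red_subnets, red_addresses = [], set()
    for iface in interfaces.values():
        if iface["mode"] == "red":
            for a in iface["addrs"]:
                red_subnets.append(a.network)
                red_addresses.add(a.ip)
    return red_subnets, red_addresses, pools


def check(config_text, acl):
    """Return a list of human-readable findings; an empty list means all rules hold."""
    red_subnets, red_addresses, pools = parse_config(config_text)
    acl_ips = {user: ipaddress.ip_address(ip) for user, ip in acl.items()}
    findings = []
    for p in pools:
        g = p["group"]
        if p["dhcp"]:
            sel = p["selector"]
            if sel is not None and sel not in red_addresses:
                findings.append(f"{g}: DHCP selector {sel} is not an address on a red interface")
            continue
        first, last = p["start"], p["start"] + (p["count"] - 1)
        if not any(first in n and last in n for n in red_subnets):
            findings.append(f"{g}: static pool {first}-{last} is not inside one red interface subnet")
        for a in sorted(red_addresses):
            if first <= a <= last:
                findings.append(f"{g}: red interface address {a} lies inside pool {first}-{last}")
        for user, ip in acl_ips.items():
            if first <= ip <= last:
                findings.append(f"{g}: ACL static Client-IP {ip} ({user}) overlaps pool {first}-{last}")
    for user, ip in acl_ips.items():
        if not any(ip in n for n in red_subnets):
            findings.append(f"ACL: static Client-IP {ip} ({user}) is not on any red interface subnet")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIG, SAMPLE_ACL) + check(BAD_CONFIG, {}):
        print(line)
```

Run against SAMPLE_CONFIG alone the check is silent; with SAMPLE_ACL it reports alice's static address colliding with the staticUsers pool and carol's address lying on no red subnet, and BAD_CONFIG trips all three interface rules. The parser accepts both address forms that appear on this page ("ip address A M" and "ip address A mask M", with an optional "secondary"), so it can be pointed at a saved configuration.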

SST Tunnel Renegotiation Requirements
Two hours before the key lifetime expiration for an SST tunnel, the tunnel renegotiates,
which is normal.
The reason for this behavior is that if your Intel NetStructure 3110/3120/3125/3130 VPN
Gateway has a large number of active tunnels, it may take that amount of time (two
hours) to renegotiate all the tunnels.
RADIUS, SecurID*, and SoftID* users must reauthenticate their tunnels after renegotiation; however, challenge-phrase, Intel NetStructure Certificate Authority, and Entrust certificate users do not have to reauthenticate their tunnels, because renegotiation is transparent to them.

Unable to Connect With PPP/CHAP Through Synchronous
Line Without Match
Reference Number 104330DF
Attempting to connect with PPP (Point-to-Point Protocol) using CHAP (Challenge Handshake Authentication Protocol) through a synchronous line is unsuccessful if the peer user names and password do not match. If unsuccessful, the PPP session does not complete. The error message states no name found.
To avoid this problem, remember that CHAP negotiation requires both user names and a
password at the local device and the remote device. At each device, the local user name
is used as configured in the General settings. You must enter the CHAP Peer User Name
and the CHAP password, that is, the user name from the peer device and the CHAP
password, at each device. The CHAP password must be identical, that is, both devices
must use the same password.

Net-Include and Static Route Shortfalls Overcome by SAs
for IPSec Tunnels
Reference Number 185DF
In Release 6.9, when you want to route subnet traffic to a destination that is within the
tunnel destination, use a Security Association (SA) to define the tunnel end-points. SAs
override net-includes and static routing statements.

Frame Relay Sprint Certification Testing
Release 6.9 passed all Frame Relay Sprint certification testing except for one suite of
tests that was not run. Since congestion management is not fully supported currently in
the Frame Relay module, the Congestion Control certification test was not run.

56-Bit DES and 168-Bit 3DES Versions
There are two versions of the software. One version provides 56-bit DES encryption,
while the other version provides 168-bit 3DES encryption.
As a result of certain countries’ import and export restrictions on security technology,
use of encryption encapsulation algorithms that exceed 56 bits may be limited. If you are
using the software in one of these countries, disregard instructions concerning encryption
greater than 56 bits as both software versions include the same online Help file.

Tunnel Negotiation Attempted After Interface Shutdown
Reference Number 114DF
As a result of its architecture, the Intel NetStructure 3110/3120/3125/3130 VPN Gateway tries to bring up tunnels even though the interface is shut down. This happens for SST tunnels as well as IPSec tunnels.
No packets are sent on the physical media as a result of this internal behavior.

Windows 2000 Setup With Intel NetStructure Access
Manager
Windows 2000 uses an entry in its services file to determine the machine’s default
RADIUS port. In previous versions of the Windows operating system, this entry did not
exist. The new entry may conflict with the RADIUS port value you configure in Intel
NetStructure Access Manager.
Intel Network Systems, Inc. recommends that you delete the RADIUS port value entry in
the Windows services file and configure the value from Intel NetStructure Access
Manager. The services file is located at:
c:/winnt/system32/drivers/etc/services

Open this file in a text editor and delete the following entries:
•   radius
•   radiusacct
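Editing the services file by hand is error-prone because the file also contains aliases and comments that mention RADIUS. The following is an added example (not Intel's code) that removes exactly the radius and radiusacct entries: it matches only the service-name field at the start of each line, keeps comments and every other service, and backs the file up before rewriting it. The SAMPLE_SERVICES text is a constructed excerpt, not a copy of a real Windows services file, and the clean_services_file helper name is this example's own.

```python
"""Added example (not Intel's code): remove the radius and radiusacct entries
from a Windows services file so the RADIUS port comes from Intel NetStructure
Access Manager instead of the file."""
from pathlib import Path
import shutil

# Constructed excerpt of a services file (format: name  port/proto  [aliases]  [# comment])
SAMPLE_SERVICES = """\
# Constructed sample, not a real Windows services file
echo                7/tcp
ftp                21/tcp
radius           1812/udp                           #RADIUS authentication protocol
radiusacct       1813/udp    radacct                #RADIUS accounting protocol
ldap              389/tcp
"""


def strip_services(text, names=("radius", "radiusacct")):
    """Return (new_text, removed_names): `text` without the entries whose
    service name (first field) is in `names`; comments and blank lines are kept."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        body = line.strip()
        if body and not body.startswith("#"):
            name = body.split()[0].lower()
            if name in names:
                removed.append(name)
                continue
        kept.append(line)
    return "".join(kept), removed


def clean_services_file(path, names=("radius", "radiusacct")):
    """Back up `path` to `<path>.bak`, rewrite it without the entries, return names removed."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, removed = strip_services(p.read_text(), names)
    p.write_text(new_text)
    return removed


if __name__ == "__main__":
    # On the Windows host this would be:
    #   clean_services_file(r"C:\WINNT\system32\drivers\etc\services")
    cleaned, gone = strip_services(SAMPLE_SERVICES)
    print(gone)
    print(cleaned, end="")
```

The function rather than a blanket search-and-replace is the point: a line such as "radacct" as an alias, or a comment containing the word RADIUS, must survive, and only the two named entries go.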

DHCP Relay Now Enabled On Red Interface
Reference Number 1289
In Release 6.8.1, dhcp-relay had to be enabled on both interfaces. In Release 6.9, the
DHCP Relay (dhcp-relay) command can be enabled on the red interface only.
To configure the new DHCP relay capability for a VPN tunnel, on the remote VPN
Gateway:
1. To enter configuration mode, at the Hostname:NORMAL# prompt, type config,
   then press Enter.
2. Set the red (private) Ethernet interface to dhcp-relay enable in the following
   format:
   int e 1
   dhcp-relay enable
3. Press Enter.
4. Set the red Ethernet interface to dhcp-relay-server followed by the IP address of the
   DHCP server and the IP address of the central VPN Gateway in the following
   format:
   dhcp-relay-server 192.168.1.10 207.37.244.51
5. Type end, then press Enter.
6. To save the configuration, type write, then press Enter.
When the remote VPN Gateway receives a DHCP request broadcast packet from a VPN
Client, the device forwards the packet according to the settings you made for the new
dhcp-relay-server command.
Note: You can relay requests from the internal (remote) network only. You cannot relay
requests for the internal VPN Gateway’s interface from the device’s red interface. You
must configure the red interface using a local DHCP server or using static IP.

No Communication With VPN Gateway Unless Setup
Command Script Run First
Reference Number 12PDF
For all releases of the VPN software, the Setup command script must be run on the VPN
Gateway before attempting communication between the VPN Manager or the Console
and the VPN Gateway. Otherwise, communication is not possible.

In the Setup command script, set the user name to admin and set the VPN Manager
password (formerly called the admin password) to a password of your own choosing.

Setup Command Does Not Set VPN Manager Password
Automatically
Reference Number 1310
In Release 6.9, when the Setup command script prompts you for the VPN Manager
password (formerly called the administrative password), this password is not set
automatically. In earlier releases, the command line interface prompt appeared as
follows:
Enter admin password [password]:
In Release 6.9, the command line interface prompt now appears as follows:
Enter VPN Manager password [disabled]:
The VPN Manager password is disabled by default. You must enter a password of your
choice here to enable the VPN Manager to communicate with the VPN Gateway.

Heartbeat/Timeout Interoperability for IPSec
Reference Number 1362
In Release 6.9 of the VPN Gateway, IPSec site-to-site and remote tunnels treat incoming
data packets as keepalives, that is, the VPN Gateway responds to the incoming data
packets as if they were heartbeats. In the VPN Gateway, a data packet zeroes the
keepalive counters so that the keepalive counters do not expire.
This treatment has two implications:
1. You can configure a tunnel on the VPN Gateway to just use timeout instead of
   keepalives/heartbeats and the tunnel stays alive, as long as data is received through
   the tunnel.
2. A Release 6.8.1 VPN Client talking to a VPN Gateway running Release 6.9 firmware
   that is configured to use Keepalives, timeout and Accept Peer Proposal negotiates
   the tunnel correctly but the tunnel only stays alive if data is passed through the
   tunnel. If no data is seen, the tunnel times out after the timeout period.

Add One Entry to ACL in Safe Image
Reference Number 1284
In Release 6.9, you can add one entry to an Access Control List (ACL) in Safe mode as
the safe mode ACL only allows one match by criteria. If you try to add more than one
ACL match in Safe mode, the following error message appears:
Add failed - Table full unable to store pre.....

Problems Resolved Since Release
6.8.1
The following problems were solved in Release 6.9 of the Intel NetStructure
3110/3120/3125/3130 VPN Gateway firmware and the Intel NetStructure VPN Manager.

VPN Gateway
PFS and DH Group 1 Combined Caused Negotiation Failure
Reference Number 881
In Release 6.8.1, if both the Diffie-Hellman Group 1 and the Perfect Forward Secrecy
options were selected in combination, the VPN Client negotiation would fail.
This problem has been corrected in Release 6.9.

Simultaneous Upload of lrvg.exe and isbr.exe Files Failed
Reference Numbers 602 and 736
In Release 6.8 and later releases, simultaneous upload of lrvg.exe and isbr.exe files to
VPN Gateway devices with Release 6.8 firmware failed.
The ability to carry out simultaneous file transfers was disabled in Release 6.8 on the Intel NetStructure 3110/3120/3125/3130 VPN Gateway devices so that the Intel NetStructure Policy Manager software would operate successfully.
This feature has been re-enabled in Release 6.9.

Non-XAuth Clients Interoperability Improvement
Reference Number 894
In Release 6.8.1, an improvement was identified for the way that a VPN Gateway with
secondary authentication (XAuth) set interoperates with clients that do not implement
XAuth, for example, Release 6.8 and Release 6.7 of the VPN Client and Network
Associates, Inc.'s PGPNet Client version 7.0.1 for the Apple Macintosh.
If you tried to negotiate a tunnel with a VPN Gateway that had secondary authentication
enabled, the following happened:
1. The VPN tunnel negotiated Phase 1.
2. Then the VPN Client started Phase 2 (as it did not know that the VPN Gateway
   wanted to do XAuth).
3. The VPN Gateway initiated XAuth but also responded to the Phase 2 Quick mode
   packet and finished Quick mode before it did the secondary authentication.
4. The VPN Gateway was not rejecting Quick mode packets when secondary
   authentication had not finished.
Now, the tunnel negotiates Phase 1, and the client starts Phase 2 without knowing that the VPN Gateway wants to do XAuth. The VPN Gateway initiates XAuth, but also responds to the Quick mode packet and finishes Quick mode before it does the secondary authentication.
This improvement has been made in Release 6.9.

FTP In-Proxy Through VPN Device With PASV Option
Failed
Reference Numbers 1059 and GW682P1-4
In Release 6.8.1, FTP in-proxy through a VPN device with PASV (passive mode) option
failed. You could not retrieve any files or a directory listing with certain FTP
applications that used the PASV option and that were in-proxied through the VPN
device's firewall.
This problem has been corrected in Release 6.9.

UDP Encapsulation Port Label Not Listed Correctly in CLI
Reference Number 1185
In Release 6.8.1, the UDP Encapsulation port label was not listed correctly in the
Command Line Interface (CLI). For example, when you issued a SHOW CON command
from the CLI, it listed Protocol 17 and not UDP-Encapsulation. However, if you had a
previously created secure-profile, it listed UDP-Encapsulation. This happened in both
SAFE and NORMAL configurations.
This problem has been corrected in Release 6.9.

SST Remote Tunnels Did Not Pass Traffic When Source IP
Changed
Reference Number 1025
In Release 6.8.1, SST remote tunnels did not pass traffic when the source IP address
changed. If you changed the IP address of the outside interface for the remote site VPN,
the tunnel should have been updated after receipt of new packets using the new IP
address by the VPN Gateway.
This problem has been corrected in Release 6.9.

L2TP Tunnel Traffic Blocked After Reconnect
Reference Number 1245
In Release 6.8.1, the VPN Gateway blocked tunnel traffic after an L2TP over IPSec
tunnel reconnected.
After the original L2TP tunnel went down, you could no longer reach the protected red subnet from the VPN Client. On reconnect, on both the VPN Client and the VPN Gateway side, the IPSec tunnel and the new L2TP tunnel were still active, but all subsequent traffic to the protected red subnet of the VPN Gateway was blocked by the VPN Gateway.
This problem has been corrected in Release 6.9.

Could Not Complete Tunnel Negotiation Using 2048-bit
Public Key
Reference Number GW682P1-1
In Release 6.8.1, you could not complete the negotiation of a tunnel using a 2048-bit
public key. On rekeying such a tunnel, the negotiation of the tunnel would fail.
This problem has been corrected in Release 6.9.

Insufficient Space To Display Model Numbers
Reference Number GW681P3-6
In Release 6.8.1, the need for more space in which to display VPN device model
numbers was identified.
This problem has been corrected in Release 6.9.

Display LanRover Product Name If Later Firmware Is
Installed On The Shiva® Hardware
Reference Number GW681P3-7
In Release 6.8.1, the need to display the Shiva LanRover VPN device's name using Intel®
NetStructure™ VPN firmware was identified.
This problem has been corrected in Release 6.9.

Additional Check Needed To Protect Bootp Packets
Reference Number GW681P3-8
In Release 6.8.1, some bootp packets were accidentally deleted as a result of
accommodating the 0.0.0.0 source IP address. This pointed to the need for an additional
check to preclude bootp packets in such circumstances from being deleted.
This check has been added in Release 6.9.

Disallow A Remote Fixed Device's IP Address From
Changing
Reference Number GW681P3-9
In Release 6.8.1, you could create a network where you had a remote fixed device
forming a tunnel with a VPN Gateway. In this scenario, the remote fixed device's IP
address could change and be propagated to the VPN Gateway through an encrypted
packet. On decryption, the VPN Gateway would then change the remote fixed device's
(propagated) IP address within its secure table. This would cause the tunnel to be broken
and as a result require that the tunnel be renegotiated.
This problem has been corrected in Release 6.9. When the remote fixed device's IP
changes, and is propagated to the VPN Gateway, the VPN Gateway does not make any
changes to its secure table and thus the tunnel remains intact.

Password Length Error Not Advised
Reference Number 1058
In Release 6.8.1, the firmware did not check passwords and indicate to you if the length
was invalid. The minimum password length is six characters. If you did not use a long
enough password, you were stuck in a loop, with no indication about what was wrong.
This problem has been corrected in Release 6.9.

SNMP SA Table Command Improvements
Reference Number GW682P1-3
In Release 6.8.1, improvements were identified to the way in which the SNMP Security
Associations (SA) table command worked.
These improvements have been made in Release 6.9.

Security Profile and Tunnel Definitions Left When No
Configuration File
Reference Number GW681P3-13
In Release 6.8.1, the security profile and tunnel definitions were not removed although
there was no configuration file.
This problem has been corrected in Release 6.9.

Link Context and Filter Context Returned Wrong Messages
Reference Numbers 10 and 55
In Release 6.8.1, when the action or profile was not specified, exiting link context or
filter context returned wrong messages. For example:
box1[config][encryptor 1.1.1.1][link bob]:NORMAL#exit
this info will be discarded due to missing secure profile info
this info will be discarded due to missing secure profile/action info
Also, the ? (Console help) command returned inappropriate source and destination
context help.
These problems have been corrected in Release 6.9.

Shutdown Written To The Flash For The Interfaces
Reference Number GW681P3-16
In Release 6.8.1, shutdown was being written to the flash for the interfaces.
This problem has been corrected in Release 6.9.

Check Needed to Ensure Valid auth-key Existed
Reference Number GW681P3-17
In Release 6.8.1, the need was identified for a check to ensure that a valid auth-key
existed before allowing an IPSec negotiation to continue.
This check has been added in Release 6.9.

RADIUS Accounting Logging Did Not Work for DHCP-Assigned Client-IP
Reference Number GW680p4-1
In Release 6.9, RADIUS accounting logging did not work for tunnels with DHCP-assigned client-IP addresses.
This problem has been solved in Release 6.9.

IPSec Tunnels Did Not Connect With Red and Black
Gateways Set
Reference Number 1251
In Release 6.9, you could not connect a remote-access IPSec tunnel from the VPN Client
through a router to the VPN Gateway for an IPSec tunnel with Red and Black (dual
default) gateways set.
This problem has been solved in Release 6.9.

IKE Packets Blocked If Outbound Interface Red
Reference Number 1006
In Release 6.9, IKE packets were blocked if the outbound interface was Red and the other interface was shut down. If the outbound interface was black, then traffic was allowed.
This problem has been solved in Release 6.9.

SNMP Tables for IPSec Not Updated When SAs
Established/Terminated
Reference Number 982
In Release 6.9, SNMP tables for IPSec were not being updated when SAs were
established or terminated.
This problem has been corrected in Release 6.9.

In Bridge Mode, The Bridge Would Not Proxy-ARP for
Client-IP
Reference Number 965
In Release 6.9, when a VPN Client connected to a VPN Gateway configured in Bridge mode, the Bridge would not proxy-ARP for the client-IP.
This problem has been corrected in Release 6.9.

Clear Tunnel Command Could Not Find Tunnel
Reference Number 901
In Release 6.8.1, when radius-client-logging was set to No and the tunnel
being negotiated was authenticated using SecurID, despite the fact that Show tunnel
displayed the tunnel name, a Clear tunnel command by tunnel name returned the
following error message:
Entry not found
This problem has been corrected in Release 6.9.

Radius-Client-Logging Parameter Could Be Changed When
Tunnel Active
Reference Number 680GWp3-1
In Release 6.8.1, you could change the radius-client-logging parameter even if a VPN
tunnel was active.
This problem has been corrected in Release 6.9.

Entry of Conflicting Gateways Permitted
Reference Number 1164
In Release 6.8.1, you could enter a gateway (red, black, or default) that conflicted with
the current gateway and not be informed of the conflict through an error message. The
multiple gateways caused problems with outbound routing and inbound proxies.
To work around the entry problem, you could clear either the Red Gateway and Black
Gateway check boxes or the Default gateway's check box before committing changes to
the configuration file.
These problems have been corrected in Release 6.9.

HP* OpenView* Demand Poll Problem
Reference Number 680GWp3-2
In Release 6.8.1, if there were multiple OIDs in a request, there was a problem with HP
OpenView demand polling.
This problem has been corrected in Release 6.9.

Intel NetStructure 3125 VPN Gateway Model Number
Incorrect
Reference Number GW681-1
In Release 6.8.1, the Intel NetStructure 3125 VPN Gateway model number was incorrect.
This problem has been corrected in Release 6.9.

Destination Unreachable Packet Had Incorrect Header
Reference Number GW681-2
In Release 6.8.1, the Destination unreachable packet did not contain the correct original
IP header.
This problem has been corrected in Release 6.9.

SNMP Table Design Impeded Loading
Reference Number GW681-3
In Release 6.8.1, the SNMP table design did not facilitate efficient operation. This
problem has been corrected by removing the tunnel utilization table, adding its variables
to another table and by improving the Management Information Base (MIB). For
example, the MIB tree has been renumbered to ensure backward compatibility with
Release 6.8 and Release 6.7 and some duplicate MIB variables were removed.

Relay Server/Encryptor IPs Not Removed When Interface
Mode Changed
Reference Number GW681-4
In Release 6.8.1, the DHCP relay server and encryptor IP addresses were not removed
when the interface mode changed from red to black.
This problem has been corrected in Release 6.9.

VPN Manager
Copying and Pasting From Release 6.7 ACL to Release 6.8
ACL Did Not Retain Shared Secret Field
Reference Number 859
In Release 6.8.1, if you created an ACL for a device running Release 6.7 VPN Firmware,
then dragged and dropped this ACL entry to the ACL for a device running Release 6.8
VPN firmware, the following error message appeared:
The item on the clipboard includes authorization data such
as keys or passwords. Do you want this data copied to the
new item?
When you clicked Yes, the item was added and all the fields were present except for the
Shared Secret, which was deactivated (greyed out).
This problem has been corrected in Release 6.9.

Copying Multiple Static Client-IP Addresses Corrupted
Count
Reference Number 860
In Release 6.8.1, suppose you had two devices with remote groups configured and you defined the Client-IP as static for both, that is, on both devices you defined an IP address of 192.168.5.1 50, and on one device you defined an additional scope of 192.168.5.100 10. You then copied and pasted these two scopes to the device with only one scope defined.
When asked if you wanted to overwrite, you replied yes. The scopes were added correctly. If you repeated the same copy procedure and again replied yes when asked if you wanted to overwrite, the count of the second scope was changed to the count of the first scope, that is, the Client-IP then looked as follows:
192.168.5.1 50
192.168.5.100 50
Instead of the correct:
192.168.5.1 50
192.168.5.100 10
Similar results were seen with DHCP.
This problem has been corrected in Release 6.9.

Enabling DHCP Relay on Black Interface Disabled UI
Reference Number 891
In Release 6.8.1, if you enabled DHCP Relay on a black interface and then selected
Server IP Address on the black, the following message appeared and the Intel
NetStructure VPN Manager user interface no longer worked:
Cannot set server IP for DHCP relay on black interface dhcp-relay-server 0.0.0.0 0.0.0.0
If you attempted to select anything else in the Intel NetStructure VPN Manager, the
dialog box reappeared, prohibiting you from making any other selection.
This problem has been corrected in Release 6.9.

VPN Manager Should Not Have Allowed SNMP Trap to Be
Enabled Without SNMP Server Configured
Reference Number 1159
In Release 6.8.1, the VPN Manager allowed SNMP Trap to be enabled even if the SNMP
Server was not configured.
This problem has been corrected in Release 6.9.

SAs for Site-to-Site Tunnels Could Have Invalid Profiles
Reference Number 850DF and 851
In Release 6.8 and later releases, Security Associations (SAs) defined for Site-to-Site
Tunnels could have invalid profiles.

For example, if you opened a device configuration from the Intel NetStructure VPN Manager, added a site-to-site tunnel using an ESP v2 (IKE) Security Profile, right-clicked the tunnel to add an SA, and selected an ESP v1 Security Profile, the following message correctly appeared:
Encryptor profile and SA profile do not match
However, if you then selected an L2TP Over IPSec security profile, you were erroneously allowed to use it. Similarly, if you selected an ESP v2 (Man) Tunnel, you could select an ESP v1 SA, and if you selected an L2TP tunnel, you could select an ESP v2 (IKE) SA.
Similarly, if you created a site-to-site tunnel using an ESP v2 (IKE) security profile, then
you added an SA using this security profile, then you dragged and dropped the SA from
the manual tunnel to the IKE tunnel, the following message appeared:
Paste of item “SA1” failed
Encryptor Profile and SA profile types do not match
This problem has been corrected in Release 6.9.

255.255.255.255 Subnet Mask Not Accepted
Reference Number ESC1297
In Release 6.8.1, a VPN Manager running the Chinese version on Windows 2000 and
Windows 98 operating systems only accepted 255.255.255.25 instead of
255.255.255.255 as the subnet mask. As a result, you could not create an inbound/outbound proxy and the VPN Manager displayed the following error message:
Invalid format for subnet mask. Please Correct
To work around this problem, you could do one of the following:
•    Enter \32 to set the subnet mask.
•    Configure the subnet mask from the command line interface.
This problem has been corrected in Release 6.9 by adding an auto-scroll attribute to all
fields.

Added Static Text Warning Regarding ACL Client IP
Reference Number ESC1248
In Release 6.8.1, the VPN Client froze if a faulty IP address was assigned by the VPN
Gateway through the Access Control List (ACL).
This problem has been corrected in Release 6.9 by adding a syslog message that warns the VPN Gateway administrator that the ACL-assigned client-ip is not on the correct subnet, by sending a DHCPNAK to the VPN Client, and by timing out the tunnel, which prevents the VPN Gateway from showing the tunnel up when no Client-IP is available and prevents the VPN Client from automatically retrying to negotiate the tunnel.

Error Conditions Writing Local Files When Disk Full Not
Graceful
Reference Numbers 842, 1108 and 1253
In Release 6.8.1, the VPN Manager exhibited a number of problems when trying to
operate when the host machine's hard drive was full. For example, if you tried to open a
configuration file for a device, you received an error message indicating that errors have
been found in the configuration. When you clicked the details button, the field was
blank. Then, after clicking OK to proceed, the VPN Manager crashed. Also, the VPN
Manager could crash when trying to open an ACL or Configuration file when the hard
disk was full. If you did have a configuration file open and you selected View As Text
button, the following error message appeared:
VPN Device Manager
C:\TEMP\Gateway isbr.cfg was not found
This improvement has been made in Release 6.9.

Unclear Message Regarding Successful Paste of SAs With
Unmatched Profiles
Reference Number 851
In Release 6.8.1, the VPN Manager allowed the cut-and-paste of SAs that had unmatched
Security Profiles, for example, an ESP v2 (Manual) security profile and an ESP v2 (IKE)
security profile. If you dragged-and-dropped the SA from the manual tunnel to the IKE
tunnel, the SA was added with the security profile of the tunnel, in this case, the IKE
security profile, although the following error message appeared:
Paste of item "SA1" failed
Encryptor Profile and SA profile types do not match
This problem has been corrected in Release 6.9 by warning you with the following
message:
Encryptor profile and SA profile types do not match. The SA Profile will be set to match this Encryptor profile

ESP Algorithm Naming Inconsistent Between
Configuration File and ACL
Reference Number 1164
In Release 6.8.1, there was a mismatch between the VPN Manager and the ACL for the
ESP Algorithm for Phase 2.
If you created a Security Association (SA) in the ACL, the security parameter to specify
the encryption algorithm was identified as Algorithm when it should have been specified
as ESP Algorithm in order to match the naming in the VPN Manager configuration.
This anomaly has been corrected in Release 6.9.

Deceiving Version Number Displayed
Reference Number 27
In Release 6.8.1, a Release 6.8.1 Manager managing a Release 6.7 VPN Gateway box
displayed deceiving Version numbers.
This problem has been corrected in Release 6.9.

Initial Value for Security Profile Differed from Parent Tunnel
Value
Reference Number 931
In Release 6.8.1, the initial value of a security profile differed from that of the parent
tunnel.
This problem has been corrected in Release 6.9.

Adding Chat and Modifying DHCP Option Could Cause
Crash
Reference Number 681P1Mgr-1
In Release 6.8.1, adding a Chat and modifying a DHCP Option could cause crashes.
These problems have been corrected in Release 6.9.

Firmware Upgrade Progress Staying at 0% Caused Crash
Reference Number 1269
In Release 6.8.1, when you used the VPN Manager to upload firmware to the VPN
Gateway, progress stayed at 0% even though the upgrade was occurring successfully. If
you tried to close the dialog box holding the progress bar, the VPN Manager would
crash.
This problem has been corrected in Release 6.9.

Known Problems
This section describes known problems at the time of release and is divided into the
following sections:
•   Intel NetStructure 3110/3120/3125/3130 VPN Gateway
•   Intel NetStructure VPN Manager

VPN Gateway
An SA of 0.0.0.0 Does Not Pass Traffic On Site-To-Site
Tunnels
Reference Numbers 369P and 679
In Release 6.8.1, an SA with IP 0.0.0.0, Mask 0.0.0.0 does not pass traffic on site-to-site
tunnels; the destination device does not see the packets.
A site-to-site tunnel cannot be used as a default gateway for outbound traffic. This
behavior is by design.
To work around this problem, define SAs for site-to-site tunnels that specify the
particular subnets reachable through the tunnel.

Tunnels Are Not Renegotiated After Being Deleted by a
Cisco* Router IOS 12.07T
Reference Number 451DF
In Release 6.8.1, tunnels between a VPN device and a Cisco device are not renegotiated
after the Cisco device deletes them. The Cisco device sends no IPsec (Quick Mode) SA
delete notification, so the VPN device keeps the stale SA and does not renegotiate until
the SA expires.
To work around this problem, shorten the SA lifetime settings. Note that a shorter
lifetime also means more frequent rekeying.

Synchronous Interface Using Frame Relay Cannot Be Used
As Default Gateway Or In A Static Route
Reference Numbers 353P, 10P, 642DF and 676P
A synchronous interface using Frame Relay cannot be used as the next hop of a static
route or as the default gateway. Because several DLCIs can be active on a Frame Relay
interface, a single next hop cannot be bound to the physical interface.
Also, if you define a static route with A0 as the next-hop interface, the route does not
appear in the routing table.
An IP address, rather than the interface, must be used to define the default gateway.

Intel NetStructure 3110 VPN Gateway/LanRover VPN
Express Synchronous Interface Stops Transmitting
Reference Numbers 1029 and 1030
In Release 6.9, with the clock rate set to E1, if you send traffic in through one of the
Ethernet interfaces of an Intel NetStructure 3110 VPN Gateway and out through the
synchronous interface, the synchronous interface hangs when the traffic rate approaches
or exceeds 2 Mbits.
Four times out of five, shutting down the interface clears the queue and restores the
interface to normal operation. One time in five, the Intel NetStructure 3110 VPN
Gateway must be rebooted.
Similarly, in Release 6.9, if you send a unidirectional stream of traffic at the synchronous
interface of the Intel NetStructure 3110 VPN Gateway, it cannot receive at wire speed.
Large packets are received faster than small ones, but neither is received at wire speed. A
show int s 0 command shows RX overrun errors.

Lower Packet Forwarding Rate
Reference Number 439P
In Release 6.9, Intel NetStructure 3120/3130 VPN Gateway devices may show a
lower packet-forwarding rate when small packets are forwarded and bi-directional data
is secured. The devices meet or exceed their performance expectations in the best case,
transmitting more than 90 Mbits/sec of encrypted traffic; in the scenario described,
however, the observed forwarding rate is between 70 and 90 Mbits/sec.

Large Configuration File Takes Long Time to Reload
Reference Numbers 493P and 701
In Release 6.9, a configuration file containing 20,474 static routes takes more than 60
minutes to load.
Configurations with very large numbers of static routes take a long time to load; 2000
routes load in under 1 minute.
To work around this problem, aggregate static routes by summarizing them into larger
networks so that fewer routes are needed.

IP Route 0.0.0.0 Can Have Two Meanings
Reference Number 129P and 645
In Release 6.9, an IP route of 0.0.0.0 can be entered in the VPN Manager. However,
0.0.0.0 is also the route used to specify the default gateway.
Adding a static route for subnet 0.0.0.0 mask 0.0.0.0 causes the default gateway to
be ignored.
To work around this problem, do not use 0.0.0.0 as a static route; use the default gateway
option instead.

PCB Not Freed With Synchronous Interface After
Overwhelming Traffic
Reference Number 652
In Release 6.9, exceeding the throughput of the synchronous interface of a VPN device
may cause the interface to stop transmitting.
The synchronous interface does not pass traffic when the device is in this state and must
be re-powered to recover. This behavior was observed in a full bandwidth lab test and
has not been reported in the field.

Misleading Message Displayed When Changing ESP v1
Profile Authentication Header
Reference Number 835
In Release 6.9, if you create a new ESP v1 security profile with AH: Keyed MD5 and
AH Key Length: 1, create a new site-to-site tunnel that uses this profile, set the AH Key,
then go back to the profile and change the AH to Keyed MD5 Replay, and finally return
to the tunnel and change the AH Key, the following message appears:
Key data does not match profile key length
ESP v1 is non-standard and has been superseded by ESP v2. This fact, as well as the
unusual sequence of events, indicates that little or no end-user impact is expected.
To work around this problem, use ESP v2. If ESP v1 is required, do not switch between
the profile and the tunnel settings before committing the configuration.

Default Settings for SAs Defined for Site-to-Site Tunnels
Are Not Dynamic
Reference Numbers 850DF and 851
In Release 6.9, Security Associations (SAs) defined for site-to-site tunnels can end up
with invalid profiles, because the default settings are not updated with each command-line
modification.
The default security profile for an SA matches the profile defined for the tunnel; the
problem occurs only if you change this setting, which is an unlikely scenario.
To work around this problem, do not change the security profile from the SA dialog box.

Intel NetStructure 3110 VPN Gateway/LanRover VPN
Express Synchronous Interface Becomes Unreliable at E1
Speed
Reference Numbers 573DF, 699, and 727DF
In Release 6.8 and later releases, the Intel NetStructure 3110 VPN Gateway/LanRover
VPN Express synchronous interface is unreliable at E1 speed.
Although the synchronous interface synchronizes to a provided clock of 2 Mbits per
second (E1), the device does not operate reliably at this speed. Failure symptoms for
high-speed Frame Relay connections include CRC errors and lost packets.
To work around this problem, operate the Intel NetStructure 3110 VPN
Gateway/LanRover VPN Express at a maximum recommended clock of 1.54 Mbps, the
T1 rate.

Protocol Intermittently Stays Down On Device’s 100 Mbits
Interface
Reference Numbers 258DF and 662DF
In Release 6.8 and later releases, the protocol intermittently stays down on an Intel
NetStructure 3110/3120/3125/3130 VPN Gateway device's 100 Mbits interface.
Changing the E1 interface, which is connected to a 10/100 Mbits hub, from 10 Mbits half
duplex to 100 Mbits half duplex does not help; the protocol remains down.
When the Safe mode setting is 10 Mbits, the problem occurs when Normal mode begins:
the VPN Gateway switches from 10 to 100 Mbits without proper negotiation, creating
collisions on the hub, which still expects the link to be 10 Mbits.
To work around this problem, when using a 10/100 Mbits hub, ensure the bandwidth is
set to Auto (the default setting).

Site-to-Site IPSec Tunnel Memory Leak
Reference Number 1027
In Release 6.9, a site-to-site IPSec tunnel configuration stress test may create a
performance-degrading memory leak on one of the two devices providing the tunnel
endpoints.
To work around this problem, reboot the device exhibiting the memory problem.

Intermittently WAN-IC 500 Synchronous Interface Sends
the Same Packet More Than Once
Reference Number 1031
In Release 6.9, about one time out of three, the WAN-IC 500 card on a synchronous
interface sends the same packet more than once.

Packet Byte Discrepancy With WAN-IC 500 Card
Reference Number 1032
In Release 6.9, when you are using a WAN-IC 500 card, after five 100-byte pings are sent
from the other end of the PPP link, a sh int s 0 command shows a discrepancy of 4 bytes
per packet in the counters.

WAN-IC 500 Cannot Transmit Fast Enough
Reference Number 1033
In Release 6.9, with unidirectional throughput testing on a VPN Gateway that has a
WAN-IC 500 card at the synchronous interface, it may be observed that the synchronous
interface cannot transmit at wire speed.
A 30-second burst of large packets approaching wire speed takes 36+ seconds before the
queue is cleared.
To work around this problem, use another card.

Parity Error When Trying To Send Traffic In ESP-V1 Tunnel
Reference Number 1240
In Release 6.9, a parity error occurs when you try to send traffic through an ESP-V1
tunnel. Create an ESP-V1 profile on two VPN Gateway devices with a matching default
configuration (3DES, AH header = none, IV = 64), create a site-to-site tunnel between
them, and copy the encapsulation key from one device to the other through the clipboard
(SPI = 256, mode red); the SAs are created. When the tunnel comes up, issue a ping from
a PC on device #1's red interface to a PC on device #2's red interface. The show tunnel
command on device #1 shows that packets are encrypted, while a show tunnel command
on device #2 shows decryption parity errors.
Console Password Should Be Changed During Setup
Reference Number 1309
In Release 6.9, the Setup command script does not instruct you to change the console
password. Changing the console password from its default is advisable for the security of
your VPN Gateway, so it is recommended that you use the password command to do so
when you set up the initial configuration.
To change your console password during Setup:
1. At the [hostname] prompt, type password, then press Enter.
2. At the [password] prompt, type the default console password of admin, then press
   Enter.
3. At the [new password] prompt, type the new password, then press Enter.
4. At the [re-enter password] prompt, retype the new password, then press Enter.
The new console password takes effect immediately.
Note: Do not use the disable RESET command to change the console password unless
you want to erase the entire current configuration at the same time.
The console password must be between 6 and 64 characters in length and can include
letters and digits (0 to 9). It cannot include spaces, brackets or punctuation marks.

Possible Replay Attack Warned By AES-128 Only
Reference Number 1359
In Release 6.9, the possible-replay-attack warning is logged only for AES-128, not for AES-
192 or AES-256. Under a stress/throughput environment, the following messages appear
for AES-128:
%INTEL3130-7-602007 [ipsec]: Invalid ESP sequence number received 105797, last seq
processed 171332
%INTEL3130-6-601054 [ipsec]: Invalid sequence, possible replay attack for tunnel with
IP 020113C0
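The two messages above report an ESP sequence number that fell outside the gateway's anti-replay window. The following added example, which is not Intel's code, implements the sliding-window check that produces such a verdict (RFC 2401 Appendix C / RFC 4303 section 3.4.3), parses the quoted log lines to recover the two sequence numbers, and decodes the logged tunnel IP. The window size of 64 and the reading of the logged IP as a 32-bit value printed in little-endian byte order are assumptions of this example.

```python
import re
import socket

WINDOW_SIZE = 64  # assumed for this example; RFC 4303 requires >= 32, recommends 64

# The two log lines quoted in these release notes (joined onto one line each).
SAMPLE_LOG = [
    "%INTEL3130-7-602007 [ipsec]: Invalid ESP sequence number received 105797, "
    "last seq processed 171332",
    "%INTEL3130-6-601054 [ipsec]: Invalid sequence, possible replay attack for "
    "tunnel with IP 020113C0",
]


class AntiReplayWindow:
    """Anti-replay state for one inbound ESP SA.

    last_seq is the highest sequence number accepted so far and bit i of
    bitmap is set when sequence number last_seq - i has been accepted.
    A real implementation moves the window only after the packet's ICV
    verifies, so that an attacker cannot advance it with forged packets;
    this example updates it inline for brevity.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check(self, seq):
        """Return 'ok', 'replay', 'too-old' or 'invalid' for sequence number seq."""
        if seq <= 0:
            return "invalid"            # ESP sequence numbers start at 1
        if seq > self.last_seq:         # right of the window: slide it forward
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1         # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
            return "ok"
        diff = self.last_seq - seq
        if diff >= self.size:
            return "too-old"            # left of the window: cannot be verified
        if self.bitmap & (1 << diff):
            return "replay"             # inside the window and already seen
        self.bitmap |= 1 << diff
        return "ok"


def check_sequence(seqs, size=WINDOW_SIZE):
    """Feed a list of sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


SEQ_RE = re.compile(r"Invalid ESP sequence number received (\d+), last seq processed (\d+)")
IP_RE = re.compile(r"possible replay attack for tunnel with IP ([0-9A-Fa-f]{8})")


def parse_invalid_seq(line):
    """Return (received, last_processed) from a 602007 line, or None."""
    m = SEQ_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def decode_hex_ip(hex_ip, little_endian=True):
    """Turn the 8-hex-digit IP from a 601054 line into dotted form.
    Little-endian byte order is an assumption of this example."""
    raw = bytes.fromhex(hex_ip)
    return socket.inet_ntoa(raw[::-1] if little_endian else raw)


def parse_replay_ip(line, little_endian=True):
    """Return the dotted tunnel IP from a 601054 line, or None."""
    m = IP_RE.search(line)
    return decode_hex_ip(m.group(1), little_endian) if m else None


def verdict_for_log_line(line, size=WINDOW_SIZE):
    """Replay the gateway's decision: place a window at last_seq and test received."""
    parsed = parse_invalid_seq(line)
    if parsed is None:
        return None
    received, last = parsed
    window = AntiReplayWindow(size)
    window.check(last)
    return window.check(received)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(verdict_for_log_line(line), parse_replay_ip(line))
```

The quoted numbers illustrate why the second message says "possible": 105797 lies 65535 behind 171332, far outside any practical window, so the packet is dropped because it cannot be verified against the window, not because it has been proven to be a duplicate. Genuine replays show up as a number inside the window whose bit is already set.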

Daylight Savings Time Change Delayed One Week
Reference Number ESC 1336
In Release 6.9, if you have a VPN Gateway that is running Release 6.9 VPN firmware on
a PharLap* operating system, the device does not execute a Daylight Savings Time
(DST) change when it should, even though it is set to DST. For example, in 2001,
the clocks moved forward on April 1st, but a VPN Gateway configured as described did
not change the time until April 8th. The behavior does not occur with dates that are set in
GMT time zones.
The anomalous behavior occurs in DST computations when Daylight Savings Time
begins on the first day of the month or ends on the last day of the month. For example,
the following dates meet these criteria in the United States (through the year 2025):
4/1/2001, 4/1/2007, 4/1/2012, 4/1/2018, 10/31/1999, 10/31/2004, 10/31/2010, and
10/31/2021.
Other dates may apply in other countries. This patch will correct the problem whenever
daylight savings time begins/ends on the first/last day of the month, not just for these
specific dates.
For further information regarding this behavior, go to the PharLap Web site at the
following URL:
http://www.vci.com/tech_support/etsanddosextender/ets91/DaylightSavings.html
To work around this problem, you can leave the device undisturbed and it will change
time correctly one week late.
Also, when you notice the problem within the one-week delay, you can do one of the
following:
•   Set the time zone on the gateway to GMT, then modify the clock to the correct GMT
    time.
•   Set the time zone to one hour less than the current value, for example, EST 5 EDT
    should be changed to EST 4 EDT.
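The dates listed above can be checked rather than taken on trust. The following added example, which is not code from Intel or PharLap, computes the transitions under the rule these notes assume (DST begins on the first Sunday in April and ends on the last Sunday in October, the US rule in force in 2001) and reports the transitions that fall on the first or last day of their month, which is the case that triggers the one-week delay. The year range and that rule are assumptions of the example; the US rule itself changed in 2007, so only the old rule reproduces the list above.

```python
import datetime


def first_sunday(year, month):
    """Date of the first Sunday of the given month (weekday(): Monday=0, Sunday=6)."""
    first = datetime.date(year, month, 1)
    return first + datetime.timedelta(days=(6 - first.weekday()) % 7)


def last_sunday(year, month):
    """Date of the last Sunday of the given month."""
    if month == 12:
        next_month = datetime.date(year + 1, 1, 1)
    else:
        next_month = datetime.date(year, month + 1, 1)
    last = next_month - datetime.timedelta(days=1)
    return last - datetime.timedelta(days=(last.weekday() + 1) % 7)


def us_dst_transitions_pre2007(year):
    """(start, end) under the rule assumed by these notes:
    first Sunday in April to last Sunday in October."""
    return first_sunday(year, 4), last_sunday(year, 10)


def affected_transitions(first_year, last_year):
    """Transitions in [first_year, last_year] that fall on the first or last day
    of their month, i.e. the dates on which the gateway changes its clock late."""
    hits = []
    for year in range(first_year, last_year + 1):
        start, end = us_dst_transitions_pre2007(year)
        if start.day == 1:
            hits.append(start)
        if end.day == 31:
            hits.append(end)
    return sorted(hits)


def late_change_date(transition):
    """The day on which an affected gateway actually changes: one week late."""
    return transition + datetime.timedelta(days=7)


if __name__ == "__main__":
    for d in affected_transitions(1999, 2025):
        print(d, "-> gateway changes on", late_change_date(d))
```

Running the block for 1999 through 2025 reproduces exactly the eight dates listed above, which confirms that the trigger is the calendar position of the transition and not anything specific to 2001.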

VPN Manager
Free Disk Space Can Be Calculated Incorrectly
Reference Numbers 559 and 722
In Release 6.9, if you try to commit changes, the free disk space on the device can be
calculated incorrectly. When this miscalculation occurs, a VPN Manager dialog box
appears displaying the following message:
[host name]: This device does not have enough free disk
space to upload the isbr.cfg.
To work around this problem, click OK to close the dialog box and commit the changes
again; the next attempt should succeed.

Unexpected ACL Characteristics If Cancel During Upload
Reference Number 875
In Release 6.9, if you click Cancel while an ACL file is being uploaded, all of the
fields in the ACL window can become selected. This behavior occurs only when you
cancel the operation.
To work around this problem, close the ACL window and re-open the ACL.

Error Message Appears When Copying an IPSec Security
Profile Between Devices
Reference Number 838
In Release 6.8 and later releases, if a Release 6.8.1 Intel NetStructure VPN Manager
manages two devices, one running Release 6.7 firmware and the other running Release
6.8.1 firmware, and you copy an ESP v2 (IKE) Security Profile from the Release 6.8.1
device to the Release 6.7 device, the parts of the Release 6.8.1 Security Profile that the
Release 6.7 firmware recognizes are added, but the following error message appears:
Paste of item <profile name> failed Invalid Command

Copying Security Profile With DH Groups > 2 to Firmware
Causes An Error
Reference Number 1217
In Release 6.9, if you paste an IKE or L2TP security profile from a VPN device running
Release 6.9 firmware to a VPN device running Release 6.8.1 or Release 6.7 firmware, an
error message appears indicating that the paste failed, even though the security profile is
added. Those firmware releases do not support DH groups greater than 2 for IKE
negotiation.
If you paste an IKE or L2TP security profile from a VPN device running Release 6.9
firmware to a VPN device running Release 6.7 firmware, the following error message
appears although the security profile is added with DH Group 1:
Paste of item 'ike1' failed.
Invalid Command
If you paste an IKE or L2TP security profile from a VPN device running Release 6.9
firmware to a VPN device running Release 6.8.1 firmware, the following error message
appears although the security profile is added with DH Group 2:
Paste of item 'ikeike' failed

Copying ACL Entries With DH Groups > 2 to Firmware
Causes Errors
Reference Number 1218
In Release 6.9, if you copy ACL entries with DH Groups greater than 2 from a VPN
device running Release 6.9 firmware to a VPN device running Release 6.8.1 firmware,
errors result even though these ACL entries have SAs defined for all four types of matches.
If you copy a single ACL entry with a DH Group greater than 2 from a VPN device running
Release 6.9 firmware to a VPN device running Release 6.8.1 firmware, the following
error message appears; the match is added but the SA is not:
Paste of item 'name.com' failed
Invalid Command
If you copy a group of matches, you receive the message:
Warning: Paste partially completed
failed at item 'name.com'
invalid command

Unable to Delete User Defined DHCP Option
Reference Number 1273
In Release 6.9, you are unable to delete a User-Defined DHCP Option in the VPN
Manager. The VPN Manager returns a deletion error message and the Option remains.
You can commit the configuration and the VPN Gateway accepts it, but reloading the
configuration file shows the options unchanged from before.

Unable to Add Serial IP Address After Changing
Encapsulation
Reference Number 1281
In Release 6.9, if you configure a device's serial port to use PPP encapsulation, add an IP
address, commit the changes, reload the configuration, delete the serial IP address, and
then change the encapsulation to Frame Relay, you cannot add an IP address.

Inconsistent Use Of /0 For Subnet Mask
Reference Number 1395
In Release 6.9, the VPN Manager is inconsistent in accepting /0 as a subnet mask. For
example, the VPN Manager accepts /0 in the ACL action subnet field and interprets it
correctly as 0.0.0.0. However, /0 is not accepted in the subnet mask field of a tunnel net-
include: the / is accepted but the 0 is not. A / with no following length is interpreted as
/32 and results in a 255.255.255.255 mask when the cursor moves to the next field.
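Three 0.0.0.0 cases in this section are worth catching before a configuration is committed: an SA of 0.0.0.0/0 on a site-to-site tunnel, which passes no traffic; a 0.0.0.0/0 static route, which silently overrides the default gateway; and the /0 versus bare / mask handling described above. The following added example, which is not Intel's code, is a small checker for address and mask fields as they would be typed into the VPN Manager: it accepts dotted masks and /N prefixes including /0, rejects a bare / instead of treating it as /32, and flags the two 0.0.0.0/0 cases. The entry kinds 'static-route', 'site-to-site-sa' and 'acl-action', and the sample entries, are constructed for this example and are not the product's own syntax.

```python
import ipaddress

# Entry kinds used by this example; illustrative names, not the VPN Manager's
# or the configuration file's own keywords.
STATIC_ROUTE = "static-route"
SITE_TO_SITE_SA = "site-to-site-sa"
ACL_ACTION = "acl-action"


def parse_mask(field):
    """Normalise a mask field ('255.255.0.0', '/16', '/0') to dotted form.

    A bare '/' is an error, not an implicit /32: the VPN Manager's
    silent /32 is exactly the surprise a checker should catch.
    """
    field = field.strip()
    if field.startswith("/"):
        length = field[1:]
        if not length.isdigit():
            raise ValueError(f"mask {field!r}: prefix length missing after '/'")
        if int(length) > 32:
            raise ValueError(f"mask {field!r}: prefix length must be 0..32")
        return str(ipaddress.IPv4Network(f"0.0.0.0/{length}").netmask)
    # Dotted form; IPv4Network rejects non-contiguous masks such as 255.0.255.0.
    return str(ipaddress.IPv4Network(f"0.0.0.0/{field}").netmask)


def lint_entry(kind, address, mask):
    """Return a list of findings for one entry; an empty list means no concern."""
    try:
        network = ipaddress.IPv4Network((address, parse_mask(mask)), strict=False)
    except ValueError as exc:
        return [f"{kind} {address} {mask}: {exc}"]
    if network.prefixlen != 0:
        return []
    if kind == STATIC_ROUTE:
        return [f"{kind} {network}: a 0.0.0.0/0 static route causes the default "
                "gateway to be ignored; use the default gateway option instead"]
    if kind == SITE_TO_SITE_SA:
        return [f"{kind} {network}: a 0.0.0.0/0 SA passes no traffic on a "
                "site-to-site tunnel; list the remote subnets explicitly"]
    return []  # /0 is legitimate in an ACL action subnet field


def lint_config(entries):
    """Run lint_entry over (kind, address, mask) tuples and collect the findings."""
    findings = []
    for kind, address, mask in entries:
        findings.extend(lint_entry(kind, address, mask))
    return findings


# Constructed sample configuration for this example.
SAMPLE_ENTRIES = [
    (STATIC_ROUTE, "0.0.0.0", "0.0.0.0"),       # overrides the default gateway
    (STATIC_ROUTE, "10.2.0.0", "/"),            # bare '/' (would silently become /32)
    (STATIC_ROUTE, "10.3.0.0", "255.255.0.0"),  # fine
    (SITE_TO_SITE_SA, "0.0.0.0", "/0"),         # passes no traffic
    (SITE_TO_SITE_SA, "192.168.10.0", "/24"),   # fine
    (ACL_ACTION, "0.0.0.0", "/0"),              # fine: /0 is accepted here
]

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_ENTRIES):
        print(finding)
```

The checker deliberately treats the same 0.0.0.0/0 value differently by field: it is the normal way to match all traffic in an ACL action, but a defect in a static route or a site-to-site SA, which is the distinction the three notes above draw.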

Blue Progress Bar Not Displayed During Upgrade
Reference Number 1399
In Release 6.9, when you upgrade the firmware, you do not see the blue progress bar that
shows the progress of the upload, although the title bar of the window does show the
percentage of the upload increasing.

Copying IKE Security Profiles Using 40-Bit DES from
Release 6.7 to Release 6.8+ Causes Incorrect Message
Reference Number 1221
In Release 6.9, if you create an IKE security profile that uses 40-bit DES as the algorithm
for a device running Release 6.7 firmware, then copy this security profile to a device
running Release 6.8 or later firmware, although the security profile is added using 3-DES
as the encryption algorithm, the following error message appears:
Paste of 'ike1' failed:
40 bit DES is no longer supported.

Invalid IPSec Site-To-Site Configuration Allowed and Not
Warned
Reference Number 1354
In Release 6.9, the VPN Manager GUI permits you to create an invalid IPSec configuration
without issuing a warning: a site-to-site tunnel configured for Aggressive mode with
certificate authentication. This configuration is invalid because the certificate lookup
expects a UserID, and a site-to-site tunnel has no single user to supply one.

Unable to Set Secondary Autoprovision Server IP
Reference Number 1403
In Release 6.9, you are not able to set the Secondary Autoprovision Server IP in the VPN
Manager although you can on the Console. On the command line, you can set two server
IP addresses for auto provisioning. In the VPN Manager, however, if you edit the boot
configuration of a device, there is only one field in which to enter a server IP address
(the primary server's IP address); the ability to specify a secondary server IP address is
missing.

Simultaneous Opening of Configuration Files Could Cause
Crash
Reference Number 1415
In Release 6.9, the VPN Manager could crash on the rapid simultaneous opening of
configuration files.
