Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450, and Hewlett-Packard SA3000 Series VPN Manager Release 6.8.
Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450
Disclaimer

Information in this document is provided in connection with Hewlett-Packard Company products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document.
Contents

• Disclaimer
• Contents
• Introduction
− Limitations to This Release
− Statement of Entrust Support
− Hardware Service and Telephone Support Numbers
• System Requirements
• Release 6.8.2 Features
− SNMP Capabilities
− DHCP Functionality Added to Devices
− Configuring DHCP Relay for Site-to-Site VPN Tunnels
− Configuration File DHCP Examples
− IPSec Secondary Authentication Implemented
− Improved Authentication Support for SST
− ICSA.
Introduction

This document describes the new features and improvements in Release 6.8.2 of the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 and HP SA3000 Series VPN Manager. This document includes the following sections:
• System requirements
• Release 6.8.2 features
• Special considerations
• Known problems

For information regarding the HP SA3000 Series VPN Client Release 6.8.2, refer to the Release Notes for that application.
Statement of Entrust Support

Because of enhancements to the VPN Client and VPN firmware, HP VPN technology supports up to and including version 4.0 of Entrust Technologies' X.509 certificate authority (CA) product set, which provides a scalable, LDAP-compliant security system based on X.509. HP provides support for the Entrust CA through a licensed dynamic link library (.dll) file within the VPN Manager application. This file, named kmpapi32.dll, is not shipped with the VPN Manager and must be obtained from Entrust Technologies.
• Finland: 02 03 47 288
• France: 01 43 62 3434
• Germany: 0180 525 8143
• Greece: +30 (0) 16196411
• Hungary: 36 1 382 1111
• Ireland: 01 662 5525
• Israel: 972 9 952 4848
• Italy: 02 2 641 0350
• Netherlands: 020 6068751
• Norway: 22 11 6299
• Poland: +48 22 8659800
• Portugal: 21 317 6333
• Russia: 7095 797 3520
• South Africa: RSA: 086 000 1030; outside RSA: +27 11 258 9301
• Spain: 902 321 123
• Sweden: 08 619 2170
• Switzerland: 084 880 1111
• Turkey: 90 212 221 6969
• United Kingdom: 0870 842 2339
Latin America

In Latin America, for hardware service and telephone support, contact an HP-authorized reseller or one of these support centers:
• Argentina: (541) 4778-8380
• Brazil: Sao Paulo: (11) 3747-7799; All Others: 0800-1577-51
• Chile: 800-360-9999
• Colombia: 9-800-91-9477
• Guatemala: 1-800-999-5305
• Mexico: Ciudad de Mexico: 5258-9922; All Others: 800472-6684
• Peru: 0-800-10111
• Puerto Rico: 1-877-232-0589
• Venezuela: 207-8488; All Others: 800-47-777

• Thailand: 66 2 6613891
• Vietnam: Hanoi
System Requirements

This section provides the system hardware and software requirements for Release 6.8.2.

VPN Manager

The system hardware and software requirements for the VPN Manager Release 6.8.2 software are as follows:
• PC or PC-compatible desktop computer
• Windows 95 running on:
− Intel Pentium® 200-MHz processor performance level
− 10 MB free disk space
− 32 MB RAM
− Dial-Up Networking (DUN) 1.
• Windows 2000 Professional running on:
− Intel Pentium 200-MHz processor performance level
− 10 MB free disk space
− 64 MB RAM

Note: Release 6.8 and later software are the first releases of the VPN Manager software to support the Windows 2000 operating system.

Launching the VPN Manager through Intel Device View Application
Reference Number 436

Intel Device View (IDV) is management software for switches and routers.
Release 6.8.2 Features

SNMP Capabilities

SNMP functionality has been supplemented significantly in Release 6.8.2.
MIB every 60 seconds as the average utilization over the past 60 seconds. The utilization value stored in the MIB is compared against the user-defined or theoretical threshold every 60 seconds, and a trap is generated for a particular tunnel or for the aggregate total for the device if the corresponding threshold is exceeded. The failed tunnel command sends a trap when a tunnel connection fails to complete negotiation after a successful first contact with the peer.
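The threshold logic described above, written out as an added example (this is not HP firmware or MIB code): per-tunnel utilization is averaged over a 60-second sampling interval, compared against a per-tunnel threshold, and the device total is compared against an aggregate threshold; a failed-tunnel trap is raised only when first contact with the peer succeeded but negotiation did not complete. The tunnel names, link capacities and octet counters are constructed, and the Counter32 wrap handling is an assumption about how a utilization average would be derived from SNMP interface counters.

```python
"""Threshold evaluation of the kind the SNMP utilization traps above describe.

Added example, not HP firmware or MIB code. Sample names, capacities and octet
counters are constructed; Counter32 wrap handling is an assumption.
"""
from typing import Dict, List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32
INTERVAL_S = 60  # utilization is sampled and compared every 60 seconds

# (trap kind, tunnel name or None for the device aggregate, utilization % or None)
Trap = Tuple[str, Optional[str], Optional[float]]


def counter_delta(prev: int, cur: int) -> int:
    """Octets sent since the previous sample, allowing for one Counter32 wrap."""
    if not (0 <= prev < COUNTER32_MODULUS and 0 <= cur < COUNTER32_MODULUS):
        raise ValueError("counter values must fit in 32 bits")
    return cur - prev if cur >= prev else cur + COUNTER32_MODULUS - prev


def utilization_pct(prev: int, cur: int, capacity_bps: int,
                    interval_s: int = INTERVAL_S) -> float:
    """Average utilization over the interval, as a percentage of link capacity."""
    bits = counter_delta(prev, cur) * 8
    return 100.0 * bits / (capacity_bps * interval_s)


def evaluate_utilization(prev: Dict[str, int], cur: Dict[str, int],
                         capacity_bps: Dict[str, int], tunnel_threshold_pct: float,
                         aggregate_capacity_bps: int,
                         aggregate_threshold_pct: float) -> List[Trap]:
    """One trap per tunnel over its threshold, plus one aggregate trap if the
    device total is over the aggregate threshold."""
    traps: List[Trap] = []
    total_bits = 0
    for name in sorted(cur):
        pct = utilization_pct(prev[name], cur[name], capacity_bps[name])
        total_bits += counter_delta(prev[name], cur[name]) * 8
        if pct > tunnel_threshold_pct:
            traps.append(("tunnel-utilization", name, pct))
    aggregate_pct = 100.0 * total_bits / (aggregate_capacity_bps * INTERVAL_S)
    if aggregate_pct > aggregate_threshold_pct:
        traps.append(("aggregate-utilization", None, aggregate_pct))
    return traps


def failed_tunnel_traps(negotiations: Dict[str, Tuple[bool, bool]]) -> List[Trap]:
    """Values are (first_contact_succeeded, negotiation_completed). A trap fires
    only when the peer answered first contact but negotiation never completed;
    a peer that never answered is not a 'failed tunnel' in this sense."""
    return [("tunnel-failed", name, None)
            for name, (contact, done) in sorted(negotiations.items())
            if contact and not done]


# Constructed sample: two tunnels of 1 Mbit/s each, device aggregate 2 Mbit/s.
# tun-b's octet counter wrapped between the two samples.
CAPACITY = {"tun-a": 1_000_000, "tun-b": 1_000_000}
PREV = {"tun-a": 1_000_000, "tun-b": COUNTER32_MODULUS - 1_000_000}
CUR = {"tun-a": 7_000_000, "tun-b": 500_000}
NEGOTIATIONS = {"tun-a": (True, True), "tun-b": (True, False), "tun-c": (False, False)}


def demo() -> List[Trap]:
    """Run one 60-second evaluation over the constructed samples."""
    traps = evaluate_utilization(PREV, CUR, CAPACITY, tunnel_threshold_pct=75.0,
                                 aggregate_capacity_bps=2_000_000,
                                 aggregate_threshold_pct=40.0)
    return traps + failed_tunnel_traps(NEGOTIATIONS)


if __name__ == "__main__":
    for kind, tunnel, pct in demo():
        shown = "n/a" if pct is None else f"{pct:.1f}%"
        print(f"TRAP {kind:<22} {tunnel or 'device':<8} {shown}")
```

With these inputs tun-a runs at 80% of its 1 Mbit/s link (over the 75% threshold), tun-b at 20% even though its raw counter went backwards, and the device total at 50% of the 2 Mbit/s aggregate (over the 40% threshold); tun-b also draws a failed-tunnel trap because its negotiation did not complete after first contact, while tun-c, which never made contact, does not.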
DHCP Functionality Added to Devices

DHCP functionality has been added in Release 6.8.2. Now a device's physical Ethernet interfaces can be configured to obtain an IP address using DHCP (Dynamic Host Configuration Protocol). The DHCP functionality was implemented in the software by adding a dhcp option to the existing ip address command.
An extra parameter added to the current interface command in the configuration settings allows system administrators to turn on the relay capability for a particular interface. System administrators can also define a default gateway address for use by the relay agent. A DHCP broadcast received on that interface can then be passed along to a DHCP server at the other end of a site-to-site tunnel using the configured gateway address.
Configuration File DHCP Examples

To illustrate this new DHCP capability, sample configuration file excerpts are provided that use the following values:
• Remote device red interface's IP address: 192.168.1.10
• Remote device black interface's IP address: 10.250.145.3
• Central device black interface's IP address: 207.37.244.51 (used as default gateway)
• Central device red interface's IP address: {not used for this command set}
• DHCP server's IP address: 192.168.1.
For this example, the following configuration excerpt appears:

Prompt> int e 0
        ip address 10.250.145.3 255.255.0.0
        …
        dhcp-relay enable
        int e 1
        ip address 207.37.244.51 255.255.255.0
        dhcp-relay enable
        dhcp-relay-server 192.168.1.10 207.37.244.
Also, improvements were made in Release 6.8.2 to the way in which Phase 2 and Phase 3 packets are handled, including replies to Phase 3 packets when a packet is dropped, and the retries and retransmits of Phase 2 packets.

ICSA.net Certification Extended to Reflect Additional Logging
Reference Number 675P2-2

In Release 6.8.2, access logging was extended to record unsuccessful attempts to gain access to the VPN device, not only successful ones.
Special Considerations

Outbound Proxy Rule With Dual-Default Gateways Requires Static Route
Reference Number 262DF

A VPN device may have a red default gateway defined, a black default gateway defined, an outbound proxy rule, and a requirement to reach services such as a RADIUS server or an ACE/Server. Even so, the VPN device itself will not be able to reach the service unless a specific static route to it is defined; the default gateways and the proxy rule alone are not sufficient.
Specifically, the range should not overlap any of the ClientIP addresses specified in the ACL.

Configuration of Both DHCP and Static IP Addresses on One Tunnel

The VPN Manager allows you to configure both DHCP and static Client-IP addresses on the same remote-user tunnel, but you should not do so, because this configuration is not supported.
The DHCP information returned for the first VPN Client is:
• IP Address: 10.20.1.17
• Subnet Mask: 255.255.255.240
• DHCP Server: 10.20.1.18

If the VPN device is configured to relay requests to a DHCP server on an inside network, there must be a secondary IP address that maps into the address space of the pool of addresses that the DHCP server issues.
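The three addressing rules from the two passages above (no overlap between a static Client-IP range and the ACL's ClientIP entries, no mixing of DHCP and static Client-IP addressing on one remote-user tunnel, and a secondary IP that falls inside the pool the relayed DHCP server issues) are the kind of thing worth checking before committing a configuration. The following is an added example, not HP VPN Manager code: the tunnel record is a plain dict whose field names (static_client_ip_range, dhcp_relay, acl_client_ips, secondary_ip) are assumed for illustration, since the appliance exposes no such API. The lease values 10.20.1.17, 255.255.255.240 and 10.20.1.18 are the ones quoted above; every other address is constructed.

```python
"""Consistency checks for the remote-user tunnel addressing rules above.

Added example, not HP VPN Manager code. The tunnel record and its field names
are assumptions for illustration; the quoted DHCP lease is the one in the
release notes, all other addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def pool_network_from_lease(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network the DHCP server hands out, derived from one observed lease.
    10.20.1.17 with 255.255.255.240 -> 10.20.1.16/28."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def secondary_ip_maps_into_pool(secondary_ip: str, lease_ip: str, lease_mask: str) -> bool:
    """The device's secondary IP must lie inside the pool the relayed DHCP
    server issues, otherwise it has no address in the clients' subnet."""
    return ipaddress.IPv4Address(secondary_ip) in pool_network_from_lease(lease_ip, lease_mask)


def acl_overlaps(range_start: str, range_end: str, acl_client_ips: List[str]) -> List[str]:
    """ACL ClientIP entries that fall inside a static Client-IP range."""
    lo = int(ipaddress.IPv4Address(range_start))
    hi = int(ipaddress.IPv4Address(range_end))
    if lo > hi:
        raise ValueError("Client-IP range start is above its end")
    return [a for a in acl_client_ips if lo <= int(ipaddress.IPv4Address(a)) <= hi]


def check_tunnel(tunnel: Dict) -> List[str]:
    """Apply the three rules to one remote-user tunnel; an empty list means clean."""
    findings: List[str] = []
    static: Optional[Tuple[str, str]] = tunnel.get("static_client_ip_range")
    relay: Optional[Dict[str, str]] = tunnel.get("dhcp_relay")

    if static and relay:
        findings.append("both DHCP and static Client-IP addressing on one tunnel (not supported)")
    if static:
        hits = acl_overlaps(static[0], static[1], tunnel.get("acl_client_ips", []))
        if hits:
            findings.append("static Client-IP range overlaps ACL ClientIP entries: " + ", ".join(hits))
    if relay and not secondary_ip_maps_into_pool(relay["secondary_ip"],
                                                  relay["lease_ip"], relay["lease_mask"]):
        pool = pool_network_from_lease(relay["lease_ip"], relay["lease_mask"])
        findings.append(f"secondary IP {relay['secondary_ip']} is outside the DHCP pool {pool}")
    return findings


# Constructed tunnel records. The lease (10.20.1.17/255.255.255.240 issued by
# 10.20.1.18) is the one quoted above; everything else is made up for the demo.
RELAY_OK = {
    "name": "remote-dhcp",
    "dhcp_relay": {"server": "10.20.1.18", "lease_ip": "10.20.1.17",
                   "lease_mask": "255.255.255.240", "secondary_ip": "10.20.1.30"},
}
MIXED_BAD = {
    "name": "remote-mixed",
    "static_client_ip_range": ("10.30.0.1", "10.30.0.50"),
    "acl_client_ips": ["10.30.0.7", "10.31.0.1"],
    "dhcp_relay": {"server": "10.20.1.18", "lease_ip": "10.20.1.17",
                   "lease_mask": "255.255.255.240", "secondary_ip": "10.20.1.40"},
}

if __name__ == "__main__":
    for t in (RELAY_OK, MIXED_BAD):
        for finding in check_tunnel(t) or ["ok"]:
            print(f"{t['name']}: {finding}")
```

The pool network is inferred from a single lease rather than from the server's configuration, which is what an operator on the device side can actually observe; 10.20.1.17 with a /28 mask puts the pool at 10.20.1.16 through 10.20.1.31, so a secondary IP of 10.20.1.30 passes and 10.20.1.40 fails.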
SST Tunnel Renegotiation Requirements

Two hours before the key lifetime of an SST tunnel expires, the tunnel renegotiates; this is normal. The device starts this early because, if it has a large number of active tunnels, renegotiating all of them can take that amount of time (2 hours).
Net-Include and Static Route Shortfalls Overcome by SAs for IPSec Tunnels
Reference Number 185DF

When you want to route subnet traffic to a destination that is within the tunnel destination, use a Security Association (SA) to define the tunnel end-points. SAs override net-includes and static routing statements.

Frame Relay Sprint Certification Testing

Release 6.8.2 passed all Frame Relay Sprint certification testing except for one suite of tests that was not run.
Known Problems

This section describes known problems at the time of release and is divided into the following sections:
• VPN device
• VPN Manager

VPN Device

Simultaneous Upload Of lrvg.exe and isbr.exe Files Fails
Reference Numbers 602 and 736

In Release 6.8.2, simultaneous upload of the lrvg.exe and isbr.exe files to devices running Release 6.8.2 firmware fails.
An SA of 0.0.0.0 Does Not Pass Traffic On Site-To-Site Tunnels
Reference Numbers 369P and 679

In Release 6.8.2, an SA of 0.0.0.0 does not pass traffic on site-to-site tunnels and the destination device does not see packets.

Some Running SAs Are Not Renegotiated After Being Deleted by a Cisco Device
Reference Number 451DF

In Release 6.8.
Static Route and Default Gateway Do Not Work For Synchronous Interface Using Frame Relay When Next Hop Is Physical Interface
Reference Numbers 353P, 10P, 642DF and 676P

A defined static route and default gateway do not work for a synchronous interface using Frame Relay when the next hop is a physical interface. In the case of Frame Relay interfaces, the next hop cannot be set to a physical interface, since several DLCIs can be active on the same interface and the physical interface alone does not identify which one to use.
Large Configuration File Takes Long Time to Reload
Reference Numbers 493P and 701

In Release 6.8.2, if you TFTP a configuration file containing 20,474 static routes to a device and then do a reload, the reload with this large routing table takes more than 60 minutes and the device is entirely occupied with the task.

100 Mbps TX LED Stays Lit When LAN Cable Unplugged
Reference Number 425P

In Release 6.8.2, the 100 Mbps TX LED is not turned off when the LAN cable is unplugged.

IP Route 0.0.0.
VPN Manager

Free Disk Space Can Be Calculated Incorrectly
Reference Numbers 559 and 722

In Release 6.8.2, if you try to commit changes, the free disk space on the device can be calculated incorrectly. When this miscalculation occurs, a VPN Manager dialog box appears displaying the following message:

[host name]: This device does not have enough free disk space to upload the isbr.cfg.

To close the dialog box, click OK. Your next attempt to commit changes should succeed.
Cannot Upload New Firmware and View Configuration at the Same Time
Reference Numbers 607 and 739

In Release 6.8.2, uploading new firmware and attempting to view that device's configuration at the same time from the VPN Manager does not work. The configuration window opens blank (empty) and remains blank and static, showing the progress indicator at 100%. To work around this problem, do not attempt to upload new firmware and view the device's configuration at the same time.
tunnel and change the AH Key, although the Key data does match the profile key length, the following message appears:

Key data does not match profile key length

SAs Defined for Site-to-Site Tunnels Can Have Invalid Profiles
Reference Numbers 850DF and 851

In Release 6.8.2, Security Associations (SAs) defined for Site-to-Site Tunnels can have invalid profiles.
using a Pentium III 600 MHz microprocessor performance level with 128 MBytes of RAM.

Unexpected ACL Characteristics If Cancel Selected During Upload
Reference Number 875

In Release 6.8.2, if you select the Cancel button while an ACL file is being uploaded, all of the fields in the ACL window become selectable. These fields should only be selectable while the check box on the right of the field is enabled.