Release Notes For: Bintec X1000/X1200 Software Version 5.3.1 Patch 13 With IPSec Version 1.0.4 Bugfixes: - When configuring IPSec for the first time using the IPSec Wizard, the IPSec- and IKE Proposal fields in the IPSec main menu are not set automatically. Now, the first Proposal in the list generated is automatically entered into the selection fields (IKE: Blowfish/MD%, IPSec: ESP(Blowfish/MD5)). - System crashed in some rare situations. Fixed - When a configuration was loaded some of the IPSec tables showed relicts of the configuration previously loaded. Fixed. - If a configuration was loaded onto the machine which contained a certificate which was not present on the machine before, the certTable demanded for a certificate for which the data was not present and the system crashed on bootup (certificate data is not exported together with the configuration). Now, the certificate is not loaded onto the system and is thus ignored (the certificates will be included in the configuration in future software releases). - ipsecGlobDefaultLocalId was always ignored for certificate based authentication. If an ID different from the subject name in the certificate should be used for authentication and was entered into the field ipsecGlobDefaultLocalId (which is also written by the field "Local ID" in the setup-tool main menu), this was ignored. The local ID used for authentication had to be entered into the ipsecPeerLocalId field for each peer instead to make settings work Fixed. - When many SA's were negotiated at the same time or in case of high system load, memory was consumed and IPSec SAs did hang in the table. - when a peer or traffic list had a loop in the index/next index order, the system crashed when the loop did not contain the first entry in the list (occured only in case of misconfiguration using the SNMP shell). Fixed. - in special configurations (granularity = port), system hang after a large number of negotiated IPSec SAs, which was evident in memory consumption. Fixed - Huge DNS Answers were not forwarded correctly by the DNS proxy Cause: compressed Names in packets were decompressed on receive but not compressed when forwarded which in rare cases resulted in exceeding the DNS Limit of 512 bytes. Now, name compression is built in. - Not all ip protocols could be selected in the ipsecTrafficTable. Cause: missing MIB enum values. Now, the missing enum values are added to the MIB, which is also reflected in the setup-tools select field in the traffic list edit menu. - IKE Phase 1 negotiation failed with syslog message "no proposal chosen" Cause: when creating a new peer (snmp or setup), its IkeGroup field was initialized to 1. If a different default group in the ipsecGlobals table was chosen, the setting in the peer entry was used which caused the policy mismatch with the other side. Now, the IkeGroup of a new peer is initialized to zero by default which causes the system correctly to use the default settings from the ipsecGlobals table (or the setup-tool setting). - Using CRLs with Radguard boxes failed Cause: if the flag ipsecGlobNoCrls was not set to true (default setting), CRLs were sent during IKE phase 1 negotiation which the radguard boxes did not understand. Now, the default setting of the flag ipsecGlobNoCrls is changed to true for maximum initial interoperability. The setting may be changed to false in the snmp table or in the new advanced menu of setup-tool (see below). - The generated certificate requests were unreadable/contained trash in the subject name Cause: one or more of the qualifiers in the subject name were unknown to the system, here: "dnQualifier", which is known as "DNQ" to the system. The system ignored the whole subject name and issued a certificate without a subject name, which was not expected by some CAs (e.g. openssl), leading to trash in the subject name when the certificate was issued or displayed. Some CAs also did not accept requests with any subjectAlternativeNames. Workaround for unknown qualifiers: specify the unknown qualifier using its corresponding object id. This requires the following syntax: OID[optional_whitespace][optional_whitespace]=[optional_whitespace] where _must_ start with a dot (e.g. ".1.2.3.4"). The term "OID" is case-insensitive here. Now, the term "dnQualifier" was added to the list of known qualifiers, unknown qualifiers cause an error instead of creating a request with a missing subject name. Moreover, an empty list of alternative names is supported now by specifying "-a NONE" on the commandline now (full certificate request generation is also supported in setup-tool now, see below). Additional Functionality: - Allowing specification of priority for IPSec demon in command line using option "-P" now (default: -10), see usage output of "ipsecd -h". - Changed logging for created SA's: More special information is logged via syslog on level "DEBUG", basic information on level "INFO". - Added IPSec global statistics MIB table: ipsecStatsTable This table contains global IPSec statistical information. Please see mibipsec for further information of the individual fields. - There are now additional fields in the ipsecSaTable which show the sort of traffic protected by an SA. These fields are also shown in setup tools IPSec SA monitoring menu (see below). - The ESP NULL transforms were not available in setup tool Cause: the IPSec wizard did not create these transforms. Now, these transforms are created automatically by the setup-tools IPSec wizard. - Setup-Tool: - Improved IPSec and IKE SA Monitoring. IPSec SA Monitoring menu now shows the sort of traffic protected by an SA. Some of the former fields are now not shown anymore in setup tool. The new menu looks like this: BINTEC-X4000 Setup Tool BinTec Communications AG [IPSEC][MONITORING][IPSEC SAS]: IPsec Monitoring - IPsec SAs mb10 _______________________________________________________________________________ S: Sec. Proto : E=ESP A=AH E: Enc. Alg. : D=3DES B=Blowfish C=Cast d=DES A: Auth. Alg. : M=MD5 S=SHA1 Direction : >=outbound <=inbound Address-Syntax: or + or / type 'h' to toggle this help Local LPort Pto Remote RPort SEA Bytes Pkts 192.168.157.1 8470 tcp <172.16.96.3 80 EDM 6040 10 = 192.168.157.1 8470 tcp >172.16.96.3 80 EDM 699 7 | 192.168.157.1 8542 tcp <172.16.96.3 80 EDM 6040 10 | 192.168.157.1 8542 tcp >172.16.96.3 80 EDM 699 7 | 10.1.1.0/24 0 all <10.1.2.1+9 0 EBS 6040 10 | 10.1.2.1+9 0 all >10.1.1.0/24 0 EBS 699 7 | 192.168.157.1 8553 tcp <172.16.96.3 80 EDM 6040 10 | 192.168.157.1 8553 tcp >172.16.96.3 80 EDM 699 7 | DELETE EXIT _______________________________________________________________________________ The help text may be hidden/shown-again by typing 'h'. The security protocol and the algorithms are shown reduced to only one character to make place for the SA selectors. an address range is shown as: +. a network is shown as: / a host is shown by its address only port 0 resembles all ports The IKE SA Monitoring menu also has changed: BINTEC-X4000 Setup Tool BinTec Communications AG [IPSEC][MONITORING][IKE SAS]: IPsec Monitoring - IKE SAs mb10 _______________________________________________________________________________ T: exch.-Type: B=Base I=Id-protect O=auth-Only A=Aggressive A: Auth-Meth.: P=Pre-sh-key D=DSA-sign. S=RSA-sign. E=RSA-encryption R: Role : I=Initiator R=Responder S: State : N=Negotiating E=Established D=Delete W=Waiting-for-remove E: Enc.-Alg : d=DES D=3ES B=Blowfish C=Cast H: Hash-Alg : M=MD5 S=SHA1 type 'h' to toggle this help Remote ID Remote IP Local ID TARSEH ipsec_1.bintec.de 10.1.1.1 ipsec_2.bintec. APIEBM DELETE EXIT _______________________________________________________________________________ There is now also a help text which may as well be hidden like in the IPSec SA menu. The num field is omitted now (quite uninteresting) and the algorithms are displayed strictly short to make more place for the remote ID (the prf alg is not shown anymore because it is a global setting). - IPSec configuration main menu has been restructured: The new menu looks like this now: X1200 Setup Tool BinTec Communications AG [IPSEC]: IPsec Configuration - Main Menu mbx1b _______________________________________________________________________________ Enable IPSec yes Monitoring... Configure Peers... (Index of first peer: 1) Settings Phase 1: Phase 2: Proposal : 1 (Blowfish/MD5) Proposal : 1 (ESP(Blowfish, MD5)) Lifetime : 600 Sec (1) Lifetime : 600 Sec (1) Group : 2 (1024 bit MODP) Use PFS no Auth Meth: Pre Shared Keys Mode : id_protect Local ID Certificate and Key Management... Advanced Settings... SAVE CANCEL _______________________________________________________________________________ Use to select - The new field "Enable IPSec" may now be used to switch IPSec on/off (which could be done by selecting peer list "none" formerly). - The fact, that the system always uses only one peer list is reflected better now: There is no possibility to select the peer list from this menu anymore now, which often lead to confusion. Instead, the index of the first peer in the list currently used is displayed on the right side. - When selecting "Configure Peers...", only the currently active peer list is shown. When the peer index is zero in the SNMP field ipsecGlobPeerIndex or there is no peer list configured yet, a new list is started automatically then. - Phase 1 (IKE-SA) and Phase 2 (IPSec SA) settings are now grouped in two columns - The default IKE group may be selected in the new field "Group" under Phase 1 - The default PFS group may be selected in the new field "Use PFS" under Phase 2 - The IKE (Phase 1) lifetime may now be configured using the select field "Lifetime" under Phase 1. This selection field contains a list of all lifetime entries currently configured on the system plus one entry for the default settings ("900 Sec/11000 Kb (def)"). The lifetime settings may be edited by pressing while the lifetime selection field is highlighted. To create a new lifetime entry in the ipsecLifeTimeTable, edit the default entry. - The IPSec (Phase 2) lifetime may now be configured using the select field "Lifetime" under Phase 2. This selection field uses the same list as the Phase 1 lifetime. Changes to an entry also affect the entries displayed for the Phase 1 lifetime and vice-versa. You can identify the lifetime entries by their unique index which is shown in brackets. - The Local ID field now uses a horizontally scrolling edit field to support long id strings - The field "Advanced Settings..." leads to a new menu with advanced global IPSec settings which correspond to fields in the ipsecGlobalsTable. - The new IPSec advanced menu looks like this: X1200 Setup Tool BinTec Communications AG [IPSEC][ADVANCED]: IPsec Configuration - Advanced Settings mbx1b _______________________________________________________________________________ Ignore Cert Request Payloads : no Do not send Cert Request Payloads : yes Do not Send Full Certificate Chains: yes Do not send CRLs : yes Do not send Key Hash Payloads : no Trust ICMP Messages : no Use Zero ISAKMP Cookies : no Do Not Send Initial Contact : no SPI Size : 32 Max. Symmetric Key Length : 1024 Select Different Peer List... (Index of first peer: 1 ) SAVE CANCEL _______________________________________________________________________________ Use to select The meanings of the single fields are in detail: "Ignore Cert Request Payloads": This field specifies whether certificate request payloads should be ignored by IKE if received. "Do not send Cert Request Payloads": This field specifies whether IKE should suppress sending of certificate requests. "Do not Send Full Certificate Chains": This field specifies whether IKE should suppress sending of full certificate chains. "Do not send CRLs": This field specifies whether IKE should suppress sending certificate revocation lists during phase 1 negotiation. "Do not send Key Hash Payloads": This field specifies whether IKE should suppress sending of key hash payloads. "Trust ICMP Messages": This field specifies whether IKE should trust icmp port and host unreachable error messages. ICMP port and host unreachable messages are only trusted if there have not yet been received any datagrams from the remote host in this negotiation. "Use Zero ISAKMP Cookies": This field specifies whether zeroed ISAKMP cookies should be sent. "Do Not Send Initial Contact": This field specifies whether IKE should send initial contact messages in IKE negotiations even if no SA's exist with a peer. "SPI Size": A compatibility flag that specifies the length of the SPI in bytes, which is used when an ISAKMP SA SPI is sent to the remote peer. This field takes effect only if "Use Zero ISAKMP Cookies" is set to true. "Max. Symmetric Key Length": This field specifies the maximum length of an encryption key (in bits) that is accepted from the remote end. This limit prevents denial of service attacks where the attacker asks for a huge key for an encryption algorithm that allows variable length keys. "Select Different Peer List...": Selecting this option shows a full listing of all peer lists separated by dashed lines to make it possible to switch between multiple peer lists when configuring. Full peer list management is supported by the menu displayed. - The IPSec Peer list menu has been changed because it lead to some confusion: The field "NEW LIST" has been removed and replaced by a new field "APPEND". Selecting "APPEND" creates a new peer entry which is appended to the last peer entry shown in the list. The functionality of the "NEW LIST" button may be invoked now by hitting 'n'. If the list shown is empty, a new list is created automatically when selecting "APPEND". - The peers edit menu has also been changed because it lead to some confusion: Now, there is no possibility to select from different traffic lists anymore. This reflects the fact that each peer should have its own traffic list. If a new peer is created, it is initializen with an empty traffic list. In this case, when "Configure Traffic List..." is selected, an empty list is shown and a new list is started when selecting "APPEND". - The IPSec Traffic list menu has been changed because it lead to some confusion: The field "NEW LIST" has been removed and replaced by a new field "APPEND". Selecting "APPEND" creates a new traffic entry which is appended to the last traffic entry shown in the list. The functionality of the "NEW LIST" button may be invoked now by hitting 'n'. If the list shown is empty, a new list is created automatically when selecting "APPEND". - The generation of certificate requests using the setup tool has been extended: A new button "REQUEST CERT" has been added to the key list menu. The new certificate requests menu looks like this: X1200 Setup Tool BinTec Communications AG [IPSEC][CERTMGMT][ENROLL]: IPsec Configuration - Certificate Enrollment mbx1b _______________________________________________________________________________ Key to enroll: 1 (rsa_1024) Subject Name: Subject Alternative Names (optional): Type Value IP 192.168.157.2 DNS mbx1b.dev.bintec.de NONE Signing algorithm to use: md5WithRSAEncryption Server: Filename: base64 Start Exit _______________________________________________________________________________ Use to select The field "Subject Name" is now a horizontaly scolling edit field to support long subject names. Up to three subject alternative names may be requested by using the corresponding select/input fields. Please select "NONE" for all three types to suppress requesting any alternative names. - The key generation menu has been extended by the field "RSA Public Exponent", which allows the user to specify a custom Exponent for RSA keys. The default is 35, which is a common value. Please ask the administrator of your CA for the requirements concerning this parameter.