HP SA3000 6.8.2 Release Notes

Hewlett-Packard SA3000 Series
VPN Client
Release 6.8.2 Release Notes
Hewlett-Packard Company
HP: 5971-0874
P/N: A52439-001
Hewlett-Packard SA3000 Series VPN Client
Disclaimer
Information in this document is provided in connection with Hewlett-Packard Company products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Hewlett-Packard Company's Terms and Conditions of Sale for such products, Hewlett-Packard Company assumes no liability whatsoever, and Hewlett-Packard Company disclaims any express or implied warranty, relating to sale and/or use of Hewlett-Packard Company products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Hewlett-Packard Company products are not intended for use in medical, life saving, or life sustaining applications.
Hewlett-Packard Company may make changes to specifications and product descriptions at any time, without notice.
This Hewlett-Packard SA3000 Series VPN Client Release 6.8.2 Release Notes document as well as the software described in it is furnished under license and may only be used or copied in accordance with the terms of the license. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Hewlett-Packard Company. Hewlett-Packard Company assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document.
Except as permitted by such license, no part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Hewlett-Packard Company.
Copyright © Hewlett-Packard Company 2001.
Contents
DISCLAIMER 3
CONTENTS 5
INTRODUCTION 7
    LIMITATIONS TO THIS RELEASE 7
    HARDWARE SERVICE AND TELEPHONE SUPPORT NUMBERS 7
SYSTEM REQUIREMENTS 10
RELEASE 6.8.2 FEATURES 12
    AUTHENTICATION SUPPORT FOR SST 12
    IPSEC SECONDARY AUTHENTICATION IMPLEMENTED 12
    PACKETGUARD INCREASES USEFULNESS FOR REMOTE USERS 12
    VPN CLIENT CO-OPERATES WITH PACKETPROTECT 13
SPECIAL CONSIDERATIONS 14
KNOWN PROBLEMS 25
Introduction
This document describes the new features and improvements in Release 6.8.2 of the HP SA3000 Series VPN Client.
This document includes the following sections:
System requirements
Release 6.8.2
Special considerations
Known problems
For information regarding Release 6.8.2 of the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 and the HP SA3000 Series VPN Manager, refer to the Release Notes for that firmware and software.
Limitations to This Release
Windows Me Not Supported
Reference Numbers 617, 631, 632, and 760
In Release 6.8.2, the VPN Client on a Microsoft Windows Millennium Edition (Me) system exhibits degraded performance or crashes, displaying a fatal exception error message. Performance problems include not being able to use IPSec over dial-up connections, and, if your implementation is for Windows NT domain logon, you will not see the three-bar logon window until after the VPN tunnel is connected. Hewlett-Packard Company recommends you do not use the Release 6.8.2 VPN products on a Windows Me system.
Hardware Service and Telephone Support Numbers
Hardware service and telephone support information is provided next by geographical location.
U.S. and Canada
In the U.S. and Canada, for hardware service and telephone support, contact an HP-authorized reseller or the HP Customer Support Center at 1-800-633-3600.
Europe
In Europe, for hardware service and telephone support, contact an HP-authorized reseller or the HP Customer Support Center nearest you:
Austria: 0660 6386
Belgium: Dutch: 02 626 8806; French: 02 626 8807
Czech Republic: 420 2 613 07 310
Denmark: 3929 4099
English (non-UK; see also: UK): +44 20 7512 5202
Finland: 02 03 47 288
France: 01 43 62 3434
Germany: 0180 525 8143
Greece: +30 (0) 16196411
Hungary: 36 1 382 1111
Ireland: 01 662 5525
Israel: 972 9 952 4848
Italy: 02 2 641 0350
Netherlands: 020 6068751
Norway: 22 11 6299
Poland: +48 22 8659800
Portugal: 21 317 6333
Russia: 7095 797 3520
South Africa: RSA: 086 000 1030; outside RSA: +27 11 258 9301
Spain: 902 321 123
Sweden: 08 619 2170
Switzerland: 084 880 1111
Turkey: 90 212 221 6969
United Kingdom: 0870 842 2339
Asia
In Asia, for hardware service and telephone support, contact an HP-authorized reseller or one of the following support centers:
Australia: 03-8877-8000
Hong Kong: 800-96-2598
India: 91-11-6826035
Indonesia: 0800-21511
Japan: 0120-220-119
Korea: +82-2-32700911
Malaysia: 60 3 2931811 or 1-800-881811
New Zealand: Upper North Island: 09-356-6640; Lower North Island: 04-499-2026; South Island: 03-365-9805
People's Republic of China: 86-8008105959
Philippines: 63 2 811-0643
Singapore: +65-2725300
Taiwan: +866-080-010055 or 886-2-7170055
Thailand: 66 2 6613891
Vietnam: Hanoi: 84 4 9430101; Ho Chi Minh City: 84 8 8324155
Latin America
In Latin America, for hardware service and telephone support, contact an HP-authorized reseller or one of these support centers:
Argentina: (541) 4778-8380
Brazil: Sao Paulo: (11) 3747-7799; All Others: 0800-15-77-51
Chile: 800-360-9999
Colombia: 9-800-91-9477
Guatemala: 1-800-999-5305
Mexico: Ciudad de Mexico: 5258-9922; All Others: 800-472-6684
Peru: 0-800-10111
Puerto Rico: 1-877-232-0589
Venezuela: 207-8488; All Others: 800-47-777
System Requirements
The system requirements for running the VPN Client Release 6.8.2 software are as follows:
PC or PC-compatible desktop computer
Windows 95 running on:
    Intel Pentium® 90-MHz processor performance level
    5 MB free disk space
    32 MB RAM
    Dial-Up Networking (DUN) 1.3
    Winsock 2 (required for protocol 99 and IPSec features)
Windows 98 running on:
    Pentium 90-MHz processor performance level
    5 MB free disk space
    32 MB RAM
Windows NT 4.0 (Workstation or Server version with Service Pack 3, Service Pack 4, Service Pack 5, or Service Pack 6a) running on:
    Pentium 90-MHz processor performance level
    5 MB free disk space
    32 MB RAM
Windows 2000 Professional running on:
    Pentium 133-MHz processor performance level
    15 MB free disk space
    64 MB RAM
Using Windows 95 (Gold or A) Versions
Because Microsoft Windows 95 Gold and Windows 95 A use DUN 1.0, these releases do not permit data to transfer over tunnels established over PPP dial-up connections. To view your Windows 95 version, select System Properties. Windows 95 B (OSR2) or Windows 95 C (OSR3) releases work successfully.
If you use Windows 95 Gold or Windows 95 A and you are currently using a DUN version earlier than 1.3, upgrade to DUN version 1.3 before you install the VPN Client.
To check what version of DUN you are using:
1. In the Start menu, select Settings, then select Control Panel. The Control Panel window appears.
2. In the Control Panel icon box, select the Add/Remove Programs icon. The Add/Remove Programs Properties window appears.
3. In the Programs list box, look for Dial-Up Networking N.N, where N.N shows the DUN version you are using.
4. If N.N is less than 1.3, install the upgrade as described next.
To upgrade to DUN version 1.3:
1. Obtain the Windows 95 Dial-Up Networking (DUN) 1.3 upgrade. To obtain this upgrade, using your browser, go to URL: http://support.microsoft.com/support/downloads/dp3267.asp. Click the upgrade file, msdun13.exe, then follow the instructions on your screen to download the file.
2. Install the Windows 95 Dial-Up Networking (DUN) 1.3 upgrade.
3. Reboot your PC.
Release 6.8.2 Features
The following major features are provided in Release 6.8.2 of the VPN Client.
Authentication Support for SST
Reference Numbers 675P2-2 and 670P10GW-1
Release 6.8.2 of the VPN Client supports RADIUS, SecurID, and Shiva Certificate Authority and Entrust certificate authentication in SST-type connections over unreliable connections.
IPSec Secondary Authentication Implemented
Release 6.8.2 of the VPN Client supports RADIUS and SecurID authentication for IPSec tunnels. Accordingly, changes have been made to the GUI to address the new IKE secondary authentication capability.
PacketGuard Increases Usefulness for Remote Users
In essence, PacketGuard is a simple packet-filtering firewall that functions on the VPN Client's PC during a VPN session. The purpose of PacketGuard is to safely allow home-networking functions during a VPN session, specifically to enable local network sharing when a VPN tunnel is up, for example, allowing local access to shared printers and files, and so on. In Release 6.8.2, incorporating PacketGuard with the VPN Client gives remote users access to shared printers and files when a VPN tunnel is up.
To browse other computers on your local network while your VPN tunnel is connected, select the Enable Home network access check box in the Options window. To restrict traffic on your PC to traffic through the VPN tunnel, ensure this check box is clear. The default setting is enabled. This feature only applies to PCs on local networks, for example, networks with IP addresses such as 192.168.n.n and 10.0.n.n that are non-routable across the Internet; this feature does not apply to standalone PCs, for which the feature is not enabled. If you change this option, you must reconnect your VPN tunnel.
To use printing and file sharing with other computers on your local network while you have a VPN tunnel connected, select the Enable Home network access check box and the Enable File and Other Services check box in the Options window. The default setting is enabled. This feature only applies to PCs on local networks, not to standalone PCs, for which the feature is not enabled.
Note: For the PacketGuard feature to work, you must specify a 0.0.0.0 subnet for the Remote Group tunnel profile in the VPN Manager GUI or Console window and you must ensure that the operating system of the PC on which the VPN Client software resides has a default gateway defined.
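The two Options check boxes above define a three-way decision for every outbound packet while a tunnel is up. The following Python model is an added example written for these notes; it is not the HP PacketGuard implementation. It assumes a list of well-known file and print sharing ports for the Enable File and Other Services option and a made-up home network, neither of which the notes specify.

```python
"""Policy model of the PacketGuard options described in the release notes.

Added example, not HP code. For one outbound packet during a VPN session:
traffic for a net-include goes to the tunnel; traffic for the PC's own
local, non-routable network is allowed only when "Enable Home network
access" is set; file and print sharing to that network additionally needs
"Enable File and Other Services"; everything else is dropped.
"""
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: ports for Windows file and print sharing governed by the
# second option. The notes name the services, not the port numbers.
FILE_AND_OTHER_SERVICE_PORTS = {139, 445, 515, 631}

# RFC 1918 ranges, which the notes describe as non-routable across the Internet.
PRIVATE_NETS = [ipaddress.IPv4Network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Options:
    home_network_access: bool = True       # default enabled, per the notes
    file_and_other_services: bool = True   # default enabled, per the notes


def is_local_network(local_iface):
    """True when the PC sits on a private subnet; a standalone PC gets no exception."""
    net = ipaddress.IPv4Interface(local_iface).network
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def decide(dst_ip, dst_port, local_iface, tunnel_nets, opts):
    """Return 'tunnel', 'local' or 'drop' for one outbound packet.

    tunnel_nets: networks reachable through the VPN (the net-includes);
    local_iface: the PC's physical adapter, e.g. '192.168.1.20/24' (constructed).
    """
    ip = ipaddress.IPv4Address(dst_ip)
    if any(ip in ipaddress.IPv4Network(n) for n in tunnel_nets):
        return "tunnel"                      # tunnel routes take precedence
    local = ipaddress.IPv4Interface(local_iface).network
    if ip in local and is_local_network(local_iface) and opts.home_network_access:
        if dst_port in FILE_AND_OTHER_SERVICE_PORTS and not opts.file_and_other_services:
            return "drop"                    # browsing allowed, sharing not
        return "local"
    return "drop"                            # anything else while the tunnel is up


if __name__ == "__main__":
    opts = Options()
    home, tunnel = "192.168.1.20/24", ["10.20.0.0/16"]
    for dst, port in (("10.20.0.5", 80), ("192.168.1.7", 445), ("198.51.100.9", 80)):
        print(dst, port, "->", decide(dst, port, home, tunnel, opts))
```

Clearing Enable Home network access turns every non-tunnel destination into a drop, which is the "restrict traffic on your PC to traffic through the VPN tunnel" behaviour the notes describe; a PC whose adapter carries a public address never qualifies for the local exception, matching the standalone-PC rule.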
VPN Client Co-operates With PacketProtect
Reference Numbers 209P, 211P, 214P, 654, 655, and 656
PacketProtect is an implementation of VPN on the Intel PRO/100 S Management or Server Adapter. PacketProtect helps protect IP traffic traveling on a LAN using IPSec, while offloading security tasks from the CPU to the NIC card. In Release 6.8.2, the VPN Client disables PacketProtect when connecting a VPN tunnel. The VPN Client encrypts the packets until it logs off, at which point it re-enables PacketProtect.
Special Considerations
Windows 2000 Users Must Have Administrative Rights to Use Protocol 99
Reference Number 340PDF
It appears that in the latest versions of Windows 2000, Microsoft has withdrawn the use of the registry key that allowed non-administrative users access to raw socket calls. As a result of this change, Protocol 99 now does not work for non-administrative users on Windows 2000 systems. If non-administrative users attempt to use Protocol 99 to connect to a device, the following error message appears:
Error unable transmit
Enabling the Use of Protocol 99 on Windows NT or Windows 2000 Systems
Reference Number 673DF
On Windows NT and Windows 2000 systems, raw socket security must be disabled for the VPN Client software to send out protocol 99 packets. You must have administrative privileges to disable raw socket security. You can disable raw socket security on Windows NT and Windows 2000 systems in one of the following ways:
In a mass deployment situation, the system administrator should disable raw socket security by using the vpnclient.ini file parameter available in Release 6.8.2 software. Set the disable raw security parameter to yes.
In a single installation, the administrator or user must log on with administrative privileges, and then select the Disable raw socket security for all users (required for protocol 99) check box in the Options window.
Upgrading to Windows 2000 From Windows 95/98 or Windows NT
If you plan to upgrade from Windows 95/98 or Windows NT to Windows 2000, ensure that you remove the VPN Client software before upgrading.
AT&T Dialers Supported for Windows 95/98
If you use the AT&T Business Dialer with Windows 95 or Windows 98, use version 2.6 or later. If you use the AT&T VPNS Dialer with Windows 95 or Windows 98, use version 2.5 or later.
Network Connections Fail When Transport Mode SA is Connected
Reference Number 514DF
When a transport mode SA is connected to a VPN device or IPSec-capable workstation, only connections that match the protocol/port for that endpoint will be enabled. All other connections will fail.
To resolve this problem, do one of the following:
Include SAs for all connection types required to the endpoint, such as FTP, ICMP, and so on
Allow all traffic by assigning a protocol/port combination that is ALL
VPN Client on Windows NT/Windows 2000 Server With DHCP Server
Windows NT does not support VPN Client software installed on the same desktop computer as the DHCP (Dynamic Host Configuration Protocol) server.
The DHCP server installation on a Windows NT or Windows 2000 server requires a static IP address for the Ethernet NIC (Network Interface Card). DHCP for its own adapters is then disabled for this server. The VPN Client will not run properly if a DHCP server is installed and running.
VPN Manager and VPN Client Installed on Same PC
When the VPN Manager and the VPN Client are installed and configured on the same PC, there is an active tunnel to a device, and you have either a route statement to the remote device or a non-bifurcated tunnel, specify the Client-IP of the tunnel in the VPN Manager's IP Address window.
Use the Manager Communication command in the Configure menu of the VPN Manager main window to set the IP address in the Configure Manager Communication window.
Browsing Your Network
If you use Microsoft Windows 95 Gold, SR1 (95A), or SR2 (95B) for your operating system and you have trouble browsing your network, check the version of Dial-Up Networking (DUN) in your computer. If you are currently using a DUN version earlier than 1.3, upgrade to DUN version 1.3.
To check which version of DUN you are using:
1. In the Start menu, select Settings, then select Control Panel. The Control Panel window appears.
2. In the Control Panel icon box, select the Add/Remove Programs icon. The Add/Remove Programs Properties window appears.
3. In the Programs list box, look for Dial-Up Networking N.N, where N.N shows the DUN version you are using.
4. If N.N is less than 1.3, install the upgrade as described next.
To upgrade to DUN version 1.3:
1. Using your browser, go to the following URL: http://support.microsoft.com/support/downloads/dp3267.asp
2. Click the upgrade file, msdun13.exe, then follow the instructions on your screen to download the file.
3. Install the upgrade, then reboot your PC.
Also, if you have trouble browsing through a tunnel and have NetBEUI installed in your network control panel:
1. Check the NetBIOS node type either on the VPN device or on the VPN Manager.
2. Remove the VPN Client software.
3. Remove the NetBEUI protocol from your network control panel.
4. Reinstall the VPN Client software.
Inconsistent Behavior When Initial Client-IP Address Changes
If you change the initial Client-IP address by enabling DHCP using the Setup, Options sequence of menu commands, the VPN Client will display inconsistent behavior. For example, the outcome may be that either the initial Client-IP address remains unchanged from the initial IP address, or an IP address somewhat different than the one assigned will be displayed.
This behavior is exhibited because the Client-IP address can be adjusted based on the VNIC (virtual network interface card) number. Since the mask = 8, the last octet may vary by 7.
Using HP SA3000 Series VPN Client With Novell NetWare 5
Reference Number 6.7S-1
Connecting to a Novell Network Directory Services (NDS) tree through a VPN Client SST (Shiva Smart Tunneling) tunnel is possible if you allow the Novell client workstation to find the NDS tree. The way in which you arrange for the workstation to find the NDS resources depends on the version and network protocol running on your Novell NetWare server.
Beginning with NetWare 5, the Novell servers and clients allow for support of native IP (Internet Protocol). This means that the native IP stack installed on your client workstation is the protocol used to communicate with the server. No additional protocols or services are necessary.
Use the latest Novell client with service pack that is appropriate to your operating system: Windows 95, Windows 98, or Windows NT. Then, when you install the Novell client software, select the option appropriate to the Novell server version: the IP option for a NetWare 5 server (the IPX option is not necessary for NetWare 5).
With Novell NetWare 5, the Novell client and server can use native IP, including Microsoft IP, to connect with IP addresses. NetWare 5 resolves resources through its Network Directory Services (NDS). NDS is the equivalent of DNS to the Internet or WINS to Microsoft. With NDS, you are authenticated to the tree, much like being authenticated to the domain in Microsoft networking. With NDS, you normally enter the tree name and not a specific server when logging in. The NDS tree structure usually identifies resources, such as servers, through names.
For example, you might call your authentication server auth_server.
However, NDS names cannot be resolved in the same manner through a VPN Client tunnel as they can on the LAN. This is because broadcasts and multicast protocols do not function th r ough the VPN Client tunnel.
To work around this, try one or both of the following:
1. On your local workstation, add a file that maps the name to the IP address. For Windows 95/98, call the file NWHOST and put the file in the directory Novell\Client32. For Windows NT, call the file HOSTS and put the file in the directory [system root directory]\system32\drivers\etc, where system root directory means the name of the directory in which Windows NT is located on your workstation. See Sample Novell Map File.
2. Use the IP address of the server you want to use for authentication, instead of using its name. For example, use 10.250.113.1 instead of auth_server. To specify the IP address for NDS to use, when the Novell client logon window appears, click Advanced. The Advanced section appears. In the Tree Name field, enter the IP address of the Novell NDS server on the LAN that logs you into the NDS directory services.
To use the VPN Client software with Novell NetWare 5, first install and then configure the Novell client. Next, install and then configure the VPN Client software.
In addition to the previous steps, for NetWare 5, for Windows 98 only, a patch is required. The patch is a Novell file called trannta.nlm. Replace the existing trannta.nlm file that was loaded on your computer when you installed the Novell client. The patch is in Beta release, but there are no known problems associated with it. To obtain the patch, call Novell technical support using the telephone number you obtain as follows.
To obtain the Novell technical support telephone number for your area, follow the links on the following URL: http://support.novell.com
To work with Novell NetWare 5, no action is required in the VPN Client software.
Sample NWHOST Map File
To allow the Novell client to find the NetWare/IP server and/or tree:
Use an NWHOST file.
Use a Domain SAP/RIP Server (DSS) or DNS (for DNS to work, the client must be configured to use a tree name that looks like a DNS name, for example, novell_tree.nwip.shiva.com).
A sample NWHOST file provided by Novell Client 32 installation follows.
;
; NetWare Host File entries are formatted as follows
;
; <treename> IP Addr
; <servername> IPAddr
;
;
; TEST_SERV 255.65.8.1
; TEST 255.65.8.1
;
; For treenames, specify the address of the server
; to connect to in the tree.
;
; IP addresses are in A.B.C.D format.
;
; Use ';' or '#' for comments. The Win95 Client looks
; for the host file "NWHOST" in the NOVELL\CLIENT32 directory.
;
; The NT Client looks for the host file "HOSTS" in the
; %SYSTEM_ROOT%\SYSTEM32\DRIVERS\ETC directory.
;
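The NWHOST format above is simple enough that an administrator rolling it out to remote workstations can validate the file before shipping it. The Python parser below is an added example, not part of the Novell client or the HP release notes; it follows only what the sample file states (one "<name> <IP address>" pair per line, ';' or '#' comments, the client's NOVELL\CLIENT32 and SYSTEM32\DRIVERS\ETC locations aside). The entries in SAMPLE_NWHOST are constructed for the demonstration, including two deliberately malformed lines.

```python
"""Parser and validator for Novell NWHOST / HOSTS-style name map files.

Added example, not Novell or HP code. The format follows the sample file in
the release notes: "<treename> IPAddr" or "<servername> IPAddr" per line,
with ';' or '#' starting a comment. The entries below are constructed.
"""
import ipaddress

# Constructed sample: two valid entries plus two lines a typo would produce.
SAMPLE_NWHOST = """\
; NetWare Host File entries are formatted as follows
; <treename> IP Addr
; <servername> IPAddr
#
AUTH_SERVER   10.250.113.1      # server entry
CORP_TREE     10.250.113.1      ; tree entry: address of a server in the tree
  BADLINE
MAIL_SRV      300.1.1.1         ; not a valid IPv4 address
"""


def parse_nwhost(text):
    """Return ({NAME: IPv4Address}, [error strings]) for an NWHOST-style file.

    NDS names are matched case-insensitively, so keys are upper-cased. Lines
    that are not exactly a name plus a valid dotted quad are reported rather
    than accepted, because a bad map entry sends the Novell client to the
    wrong host through the tunnel with no broadcast fallback to save it.
    """
    hosts = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw
        for marker in (";", "#"):            # strip trailing comments
            idx = line.find(marker)
            if idx != -1:
                line = line[:idx]
        fields = line.split()
        if not fields:
            continue                         # blank or comment-only line
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected '<name> <IP>', got {raw.strip()!r}")
            continue
        name, addr = fields
        try:
            ip = ipaddress.IPv4Address(addr)  # A.B.C.D format, as the sample requires
        except ValueError:
            errors.append(f"line {lineno}: {addr!r} is not a valid IPv4 address")
            continue
        hosts[name.upper()] = ip
    return hosts, errors


def resolve(hosts, name):
    """Look up a tree or server name the way the client would (case-insensitive)."""
    return hosts.get(name.upper())


if __name__ == "__main__":
    table, problems = parse_nwhost(SAMPLE_NWHOST)
    for n, ip in sorted(table.items()):
        print(f"{n:<12} -> {ip}")
    for p in problems:
        print("warning:", p)
```

Run against the file the Novell installer drops, the validator prints nothing but warnings for an all-comment file, which is the expected state before an administrator adds the tree and server entries for a site.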
Full Class C Route Should Not Be Added to VPN Client Route Table
Reference Number 104092
If a tunnel is created from the VPN Client to a VPN device using a net-include of 172.16.20.0 mask 255.255.255.248, a route print from the VPN Client side of the tunnel displays the following routes:
172.16.20.0 255.255.255.0 client-ip address
172.16.20.0 255.255.255.248 client-ip address
The first route should not be added to the route table. This behavior results from the Client-IP on the VPN device falling within the subnet defined through an address IP on the VPN device of 172.16.20.1 with a mask of 255.255.255.0.
When the DHCP request is submitted to the VPN device, the device must respond with an IP address and subnet mask. To determine the subnet mask, the VPN device searches its interfaces for the first match in which the Client-IP resides on the network defined by the interface's IP address and subnet mask.
If the intention is to include only the 172.16.20.0 mask 255.255.255.248 subnet as reachable through the VPN device, give the VPN device an interface in that subnet (for example, 172.16.20.1 mask 255.255.255.248). The Client-IP also should be within that network, for example, 172.16.20.2 through 172.16.20.6.
In other words, when a VPN Client connects using WINS/DNS to a VPN device that returns a Client-IP and mask that is different from the defined subnet reachable behind the VPN device, a route is added to the subnet defined by the Client-IP and mask.
This route causes traffic to enter the virtual adapter. If, however, there is no matching subnet listed in the Connections tab after the tunnel is negotiated, packets sent to the Client-IP network are discarded.
To illustrate the foregoing, given a VPN device that has a group defined with Client-IPs starting at 10.1.1.1, with an IP address defined on an Ethernet interface which is 10.1.1.254 mask 255.255.255.0, the first Client-IP/mask is 10.1.1.1 mask 255.255.255.0.
Note: The Client-IP's subnet mask comes from the first IP address whose subnet matches the Client-IP. When the VPN Client establishes a tunnel, the following route is added on the Windows workstation, regardless of the fact that there is no subnet defined in the VPN Client connection or as a net-include for the tunnel:
10.1.1.0 255.255.255.0 10.1.1.1 1.0.1.1
One approach to this problem is to support a subnet mask for the Client-IP command. The Client-IP address/mask could then be used by the VPN Client to, by default, tunnel all traffic to the network received in the DHCP reply. This means that a net-include would not be necessary if only a single subnet is reachable through the tunnel.
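The interaction between device interface masks, Client-IP and net-includes is easier to reason about when written down. The Python model below is an added example for these notes, not code from the HP VPN Client or VPN Manager. It encodes only the rule stated above (the mask comes from the first device interface whose network contains the Client-IP, and the client adds a route for that network as well as for each net-include) and reproduces both cases quoted in the text. The client_ip_prefix argument is an assumption that models the suggested Client-IP mask option, which this release does not have.

```python
"""Model of how the VPN Client's tunnel routes follow from the Client-IP mask.

Added example, not HP code. Rule modelled, from the release notes: the VPN
device answers the client's DHCP request with the mask of the first device
interface whose network contains the Client-IP; the client then installs a
route for that whole network in addition to one per configured net-include.
The addresses used are the ones quoted in the notes.
"""
import ipaddress


def client_ip_prefixlen(client_ip, interfaces):
    """Prefix length the device hands out for client_ip, or None if no match.

    interfaces is an ordered list such as ["172.16.20.1/24"]; the first one
    whose network contains client_ip decides, as the notes describe.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for iface in interfaces:
        net = ipaddress.IPv4Interface(iface).network
        if ip in net:
            return net.prefixlen
    return None


def client_routes(client_ip, interfaces, net_includes, client_ip_prefix=None):
    """Networks the client routes into the tunnel adapter, as a set of IPv4Network.

    One route for the Client-IP network (mask from the device interface, or
    from client_ip_prefix when that hypothetical override is modelled) plus
    one per net-include.
    """
    prefix = client_ip_prefix
    if prefix is None:
        prefix = client_ip_prefixlen(client_ip, interfaces)
    routes = set()
    if prefix is not None:
        routes.add(ipaddress.IPv4Network(f"{client_ip}/{prefix}", strict=False))
    for inc in net_includes:
        routes.add(ipaddress.IPv4Network(inc))
    return routes


def surplus_routes(client_ip, interfaces, net_includes, client_ip_prefix=None):
    """Routes not covered by any net-include.

    These are the unwanted routes the notes describe: traffic for hosts
    nobody meant to reach through the tunnel is pulled into the virtual
    adapter and, with no matching subnet on the Connections tab, discarded.
    """
    includes = [ipaddress.IPv4Network(n) for n in net_includes]
    return {r for r in client_routes(client_ip, interfaces, net_includes, client_ip_prefix)
            if not any(r.subnet_of(i) for i in includes)}


if __name__ == "__main__":
    # Case from the notes: net-include 172.16.20.0/29 but a /24 device interface.
    print(sorted(map(str, client_routes("172.16.20.2", ["172.16.20.1/24"], ["172.16.20.0/29"]))))
    # Recommended configuration: the device interface carries the /29 mask.
    print(sorted(map(str, client_routes("172.16.20.2", ["172.16.20.1/29"], ["172.16.20.0/29"]))))
    # Second case: group starting at 10.1.1.1, interface 10.1.1.254/24, no net-include.
    print(sorted(map(str, surplus_routes("10.1.1.1", ["10.1.1.254/24"], []))))
```

With the /24 interface the client ends up with both 172.16.20.0/24 and 172.16.20.0/29; narrowing the interface to /29 (or, under the proposed option, handing the client a /29 mask directly) collapses them to the single intended route.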
Using Mass Deployment Authentication Password Twice
Reference Numbers 104125 and 104126DF
In a mass deployment of VPN Client software, the VPN Client is installed using an encrypted vpnuser.ini file. This section provides two ways to decrypt this file.
First, during installation following mass deployment, the VPN Client asks you for the decryption key. The VPN Client then decrypts the file and loads the tunnel definitions, but if the vpnuser.ini file is opened through a plain text editor, such as Notepad, it is still encrypted.
To change your logon password, you can go into the directory where the user information is held, and delete the solo.pwd file that stores the user's password. Then you can load the VPN Client, enter the new password twice (once in the logon window and once in the Verify Password window) and then enter a decryption key.
What is unknown to you is that the decryption key has changed. When the file was originally decrypted, it was encrypted with your password. Thus, the new decryption key is the user's old password.
Secondly, in a mass deployment, the notice of the availability of the VPN Client software update includes a unique authentication password, which is a randomly generated alphanumeric sequence of characters.
The user is required to enter the authentication password twice; first to log on to the Web site to obtain the update, which is a zipped file. Then after the file is saved to the user's hard drive and unzipped, when the installer is running, the authentication password is required again to have the vpnuser.ini part of the file decrypted.
Users are encouraged to use their local password when the VPN Client Log in window appears. The software recognizes that this is not the authentication password and then the user is prompted to enter the authentication password in a second Authentication prompt window.
Once this password is entered, the encrypted vpnuser.ini file is decrypted and the software update proceeds. When the local and authentication passwords are entered in this order, the VPN Client software recognizes the validity of the local password for future use.
For first-time VPN Client users, however, if the authentication password is entered in the VPN Client Login window instead of in the Authentication prompt window, then the authentication password becomes the local password and, therefore, the valid password for future logon to the VPN Client software.
In this way, the authentication password becomes the first-time user's local password. This change creates a problem if the user did not memorize the authentication password or retain the e-mail message containing this password. Network administrators should request that first-time VPN Client users save their e-mail messages until after their software update is successfully installed and the validity of their local password is verified.
This situation does not occur when a prior version of the VPN Client software is installed on the user's computer.
Windows Protection Error Upon Installing VPN Client Before AOL 4.0 or 5.0 Is Installed
The VPN Client may cause a Windows protection error if the VPN Client software is installed before installing America Online (AOL) v. 4.0 or 5.0. To preclude having this problem, the installation process for AOL v. 4.0 or 5.0 software and the VPN Client is as follows:
1. Install the AOL v. 4.0 or 5.0 software using the downloaded setup program, following all defaults in the setup program.
2. Reboot upon completion.
3. Install Release 6.8.2 of the VPN Client, following all defaults.
4. Reboot upon completion.
Notes:
1. Ensure that you remove the VPN Client software before removing the AOL v. 4.0 or v. 5.0 software.
2. AOL v. 5.0 has no IP connectivity when the VPN Client is also installed with the vpnclient.ini file Enable AOL flag set to Yes or if this flag is not present in the .ini file.
56-Bit DES and 168-Bit 3DES Versions
There are two versions of the software. One version provides 56-bit DES encryption, while the other version provides 168-bit 3DES encryption.
As a result of certain countries' import and export restrictions on security technology, use of encryption encapsulation algorithms that exceed 56 bits may be limited. If you are using the software in one of these countries, please disregard instructions concerning encryption greater than 56 bits in the online Help file as both software versions include the same online Help file.
Known Problems
This section describes known problems at the time of release.
IPSec Tunnel With Single IP SA Routes Entire Network Through Tunnel Adapter
Reference Number 224DF
If there is an IPSec tunnel configured with SAs with access to a single IP address, the VPN Client will still have a route to the entire network to go through the tunnel adapter. For example, if you have an SA for the client to get to 10.2.2.10 only, there will be a route on the client as follows:
10.2.2.0 255.255.255.0 <client IP>
However, if you try to connect to 10.2.2.1, it will not go out the working Ethernet adapter but go to the tunnel adapter.
Error Message Rate High for Encryption 2 and 3 Errors on Windows 2000
Reference Numbers 324DF and 670
A VPN Client on a Windows 2000 Professional PC has a higher than expected number of Encryption 2 and Encryption 3 error messages from an SST tunnel connection to a device running continuous pings.
These messages, which appear in the Counters window, do not affect functioning, but they are distracting if you are debugging the software.
Selecting Four VNICs At Installation May Result In Unusual Behavior on Windows 2000
Reference Number 389
Selecting four VNICs at installation may result in unusual behavior on Windows 2000 systems. For example, an IP address of 192.168.255.7 may be assigned to a VNIC.
Behavior varies depending on how many adapters you already have installed on your Windows 2000 system.
Initial Cursor Appearance Misleading on Windows 2000
Reference Number 461P
After installing Release 6.8.2 software and rebooting, the cursor is flashing in the first field (username) in the window, but you cannot type in anything until you use your mouse to put your cursor in that field. Also, the upper title bar is not blue for the active window.
To work around this problem, either put your cursor in the username field, or wait two minutes for the bar to turn blue and the cursor to allow typing in the field.
Automatic Use of IKE Configuration Window Settings Not Enabled
Reference Number 256P
Automatically using the settings in the IKE configuration window when creating a new IPSec tunnel is not enabled, so the Always use these settings when creating a new tunnel check box on the Internet Key Exchange (IKE) window is not available for selection.
VLSM Net-Excludes Do Not Work As Expected
Reference Number 421P
In Release 6.8.2, variable-length subnet masks (VLSM) net-excludes do not work as expected. For example, having a net-include of 0.0.0.0/0 and a net-exclude of 192.168.200.0/24, and a Client-IP address of 192.168.200.50, should restrict traffic from the VPN Client to the destination of 192.168.200.0/24. The problem is that the VPN Client is able to reach remote networks in the address span of the exclude network space.
The same case holds true for a network in a VLSM class; a net-include of 192.168.200.0/24 and an exclude statement of 192.168.200.128/25. Logically speaking, all traffic from the lower half of the 192.168.200.0 network should be permitted, while the upper half of the network should be denied. This, however, is not the case.
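What "expected" means for nested include and exclude prefixes is longest-prefix match: the most specific rule covering a destination decides. The Python reference below is an added example for these notes, not HP code; it evaluates the two rule sets quoted above under that semantics and compares the result with what a tester observes on a client, which is how the misbehaviour described here would surface in a regression check. The probe addresses are constructed.

```python
"""Reference evaluation of net-include / net-exclude rules with VLSM prefixes.

Added example, not HP code. It implements the behaviour the release notes
describe as expected: among all include/exclude rules whose network contains
a destination, the one with the longest prefix decides, so an exclude nested
inside an include wins for the addresses it covers. The rule sets are the two
quoted in the notes; the probe addresses are constructed.
"""
import ipaddress


def build_rules(includes, excludes):
    """Turn include/exclude prefix strings into (IPv4Network, is_include) rules."""
    rules = [(ipaddress.IPv4Network(n), True) for n in includes]
    rules += [(ipaddress.IPv4Network(n), False) for n in excludes]
    return rules


def tunneled(rules, dest):
    """True if traffic to dest should enter the tunnel under longest-prefix match.

    A destination matched by no rule at all stays off the tunnel.
    """
    ip = ipaddress.IPv4Address(dest)
    best = None
    for net, is_include in rules:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_include)
    return best is not None and best[1]


def classify(rules, dests):
    """Map each destination to 'tunnel' or 'local' for a quick audit table."""
    return {d: ("tunnel" if tunneled(rules, d) else "local") for d in dests}


def check_against_observed(rules, observed):
    """Destinations where a client's observed behaviour differs from the policy.

    observed is {dest: True/False}, recording whether the client actually
    sent traffic to dest through the tunnel. A non-empty result is the
    symptom the notes describe: excluded space still reachable via the tunnel.
    """
    return sorted(d for d, went in observed.items() if went != tunneled(rules, d))


if __name__ == "__main__":
    # First case in the notes: include everything, exclude 192.168.200.0/24.
    r1 = build_rules(["0.0.0.0/0"], ["192.168.200.0/24"])
    print(classify(r1, ["10.5.5.5", "192.168.200.77"]))
    # Second case: include 192.168.200.0/24, exclude its upper half.
    r2 = build_rules(["192.168.200.0/24"], ["192.168.200.128/25"])
    print(classify(r2, ["192.168.200.10", "192.168.200.200"]))
    # Constructed observation reproducing the reported problem.
    print(check_against_observed(r2, {"192.168.200.10": True, "192.168.200.200": True}))
```

Because the evaluation is pure prefix arithmetic, the same function can be fed a client's route print (one destination per route) to list exactly which excluded prefixes a given build still tunnels.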
VPN Client for Windows 2000 Reconnection May Fail
Reference Number 548P
If the VPN tunnel is reconnected, it may fail to obtain its IP and WINS information after successful authentication. If the scenario is repeated with the VPN Client being logged off before the PPTP session is initiated, then the result is still the same.
To work around this problem, reboot the client.
Certain Characters in Distinguished Names Not Accepted
Reference Number 104218DF
The VPN Client does not accept certain characters for distinguished name information.
Given the following sequence of events:
Set up an Entrust server to provide a VPN Client PC with a certificate in which one of the fields of its distinguished name is surrounded by quotation marks and contains a comma.
Create a remote-group IKE tunnel using Entrust CA authentication, and ad ju st the devices ACL to match by distinguished name.
Once the VPN Client successfully logs into the Entrust server, attempt to negotiate the tunnel.
The VPN Client should successfully match with the ACL on the device, but the device reports as follows:
[ipsec]: ike aggressive mode packet received from 10.250.2.254, port 500
[ipsec]: INVALID_CERTIFICATE from
27
10.250.2.254, port 500
[debug]: CERT payload - validation failed from 10.250.2.254
[ipsec]: notification packet sent to
10.250.2.254, port 500
To avoid this problem, for Release 6.8.2 of the VPN Cl i ent, do not use certain special characters, specifically (",+=<>#;"), or leading/trailing spaces, in distinguished names, although their use is specified in RFC 1779. You can use quotation marks to surro u nd a distinguished name field, and commas can be placed within, as well as consecutive spaces within a field.
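As an added pre-issuance check (not HP or Entrust code), the following Python parses an RFC 1779-style distinguished name, honouring quoted values that contain commas, and flags the values that the note says the 6.8.2 client rejects. The sample DN is constructed to mirror the failing scenario above: a quoted CN containing a comma.

```python
# Added example (not HP code): parse an RFC 1779-style distinguished name,
# honouring quoted values that contain commas, then flag the values that
# the release note says the 6.8.2 client rejects: any of  , + = < > # ; "
# or leading/trailing spaces. Running this against a CA template before
# issuing certificates avoids the INVALID_CERTIFICATE failure shown above.
REJECTED = set(',+=<>#;"')

def parse_dn(dn):
    """Split 'CN="Doe, Jane",OU=Sales,O=Example' into [(attr, value), ...]."""
    rdns, buf, quoted = [], "", False
    for ch in dn:
        if ch == '"':
            quoted = not quoted          # toggle; the quotes are not part of the value
        elif ch == "," and not quoted:
            rdns.append(buf)             # an unquoted comma ends the RDN
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")   # split on the first '=' only
        pairs.append((attr.strip(), value))   # keep value unstripped to detect spaces
    return pairs

def problem_fields(dn):
    """Return [(attr, reason), ...] for values the client will not accept."""
    issues = []
    for attr, value in parse_dn(dn):
        bad = sorted(REJECTED & set(value))
        if bad:
            issues.append((attr, "special characters " + "".join(bad)))
        if value != value.strip(" "):
            issues.append((attr, "leading/trailing space"))
    return issues

if __name__ == "__main__":
    # Constructed sample DN resembling the note's scenario: a quoted CN with a comma.
    sample = 'CN="Doe, Jane",OU= Field Ops ,O=Example Corp'
    for attr, reason in problem_fields(sample):
        print(f"{attr}: {reason}")
```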
Installation on Windows NT With a 3Com NIC Displays Restart Window Twice
Reference Number 102569DF
When a 3Com Fast EtherLink Ethernet card is installed, an executable file called daconfig is installed in the Winnt/System32 directory. This file is loaded automatically when the PC boots. The file version is 1,2,0,8 and is from 3Com Corp.
During Release 6.8.2 VPN Client installation on a computer running Windows NT, the daconfig file presents the same restart window twice, following the window that asks Do you want the Hewlett-Packard Company SA3000 Series VPN Client to start automatically every time Windows restarts (recommended)?
The first restart window, labeled 3Com Dynamic Access Setup dialog, is displayed in front of the window that asks Do you want a shortcut? Then, a second, identical 3Com dialog box appears. The message, You must restart your computer. Do you want to restart now? appears. Click No.
To preclude this problem for Windows NT, disable the service.
Machine Hangs When Moving from Nortel Extranet Connection
Reference Number 104298
On a Windows 98 computer, if a user opens a Nortel Extranet connection, then closes it, then tries to start a VPN Client tunnel connection, the computer could hang.
A cold reboot is required to recover from this problem.
Selecting Maximum Number of WINS Tunnels Degrades Performance on NT
Reference Number 6.6-1
During the VPN Client installation on a Windows NT workstation, you can enter the maximum number of tunnels for the Client. If you select 4 WINS-capable tunnels, the performance of the VPN Client is slow.
Absence of VNICs Causes Windows NT Blue Screen Crash
Reference Number 104100DF
Given a Windows NT system with the VPN Client installed, if the VNICs (Virtual Network Interface Cards) are not present, for example, if they have been disabled or deleted, the next time the VPN Client software is started, the computer blue screen crashes. To avoid this problem, do not delete or disable VNICs. Ensure that you have the NT recovery disks on hand.
If this problem occurs, use your NT recovery disks to restore your original configuration, or rename your icvnic.sys file to temporarily disable the VPN Client.
If the system is formatted with NTFS and no recovery disks are available, you may need to use an NTFS file rename utility, such as NTFSDOS Tools, available from Sysinternals. Using your browser software, go to the following URL:
http://www.sysinternals.com
In the left panel of the Web site, click Utilities for Windows NT.
Scroll through the Web page that appears until you reach the Utilities section, then select NTFSDOS.
Windows Protection Error Upon Adapter Uninstall When Using AOL v. 4.0
Reference Number 103843DF
Adding or removing network adapters before removing the VPN Client may cause a Windows protection error. For example, using AOL (America Online) v. 4.0:
1. Install the AOL 4.0 software using the downloaded setup program, following all defaults in the setup program, including reboot upon completion.
2. Install Release 6.8.2 of the VPN Client, following all defaults, including reboot upon completion.
3. Remove the AOL 4.0 software completely, then reboot your PC when finished.
A Windows Protection Error occurs during the reboot until the user enters Windows in Safe mode and removes the VPN Client.
This problem occurs in both Windows 95 and Windows 98 systems.
To preclude having this problem, remove the VPN Client software before removing the AOL 4.0 software.
AOL Windows 2000 Beta Client Disconnects Dial-Up Link When All-Zeros Tunnel Is Up
Reference Numbers 552P and 719
In Release 6.8.2, the AOL Beta client for Windows 2000 times out when an all-zeroes tunnel is up.
Using the VPN Client With Novell NetWare 4
Reference Number 670S-2
The Novell NetWare 4 server uses IPX (Internet Packet Exchange); however, the VPN Client does not support IPX through a tunnel.
Theoretically, to work around this, Novell NetWare/IP can be used. NetWare/IP encapsulates IPX information in an IP (Internet Protocol) packet that can be sent to any IP address.
Connecting to NDS (Novell's Network Directory Services) running on NetWare 4.x or IntranetWare requires special support for communications by means of IP. The special support is called NetWare/IP.
Use the latest Novell client with service pack that is appropriate to your operating system: Windows 95, Windows 98, or Windows NT. Then, when you install the Novell client software, select the option appropriate to the Novell server version: the IPX option for a NetWare 4 server (the IP option is not useful for NetWare 4).
On a Windows 95 or Windows 98 client, NetWare/IP is added as a protocol. On a Windows NT workstation, NetWare/IP is added as a service, after which it appears as an adapter.
On the NetWare 4 or IntranetWare server, NetWare/IP is installed on the server as an additional product.
A DNS (Domain Name Service) server with appropriate entries to identify NetWare resources in the NetWare/IP domain also is required. A Domain SAP/RIP (Service Advertising Protocol/Routing Information Protocol) Server (DSS) is required to provide information about network services to the servers and clients.
It is also possible to connect to NetWare servers running IPX through an IP-to-IPX gateway.
NetWare/IP support must be installed on the NetWare 4 server you specified from the Novell Client Login window. This support allows decoding the NetWare/IP packets and if the server is an IP-to-IPX gateway, then IPX-only servers are reachable through the IP-to-IPX gateway.
However, while network traces may show that the client and server communicate over the tunnel, the client is not always able to use the information to complete a successful login.
It is difficult to get NetWare/IP to work with the VPN Client. However, once working, they continue to work together until, for example, you remove either the VPN Client software or the Novell NetWare/IP software. Sometimes, when you have difficulty getting NetWare/IP and the VPN Client to work together, you can try one of the following procedures. If you reconnect the same workstation either to the LAN or through a Dial Remote Access Server (RAS), then return to the VPN Client tunnel, NetWare/IP works.
A workstation that does an initial logon to NetWare through a Dial Remote Access Server (RAS) or on the LAN likely succeeds in subsequent attempts to log on to NetWare through the SST (Shiva Smart Tunneling) tunnel. A workstation that could make an initial NetWare logon through an SST tunnel most likely fails if you completely remove the NetWare client and then reinstall this software.
Before attempting to connect, ensure that the following services related to NetWare/IP are running on the NetWare Server:
DNS (Domain Name Service)
DSS (Domain SAP/RIP Server)
NWIP Server
Also, ensure that your workstation is capable of logging into an ISP through Dial-Up Networking (DUN) and that it has functional TCP/IP capabilities.
Note: Because of the difficulties getting NetWare/IP to work with the VPN Client, you may not be able to get a client connection through your VPN tunnel even though you have followed all of the suggestions in this section.
Installation Problem
Reference Number 670F2F-1A
When installing the VPN Client software in boot mode on a Windows NT system on which there is a third-party GINA installed, a message indicates a third-party GINA is already installed. If the user selects yes, installation proceeds and completes. However, on startup, the VPN Logon prompt fails to start and domain login through a tunnel is not possible.
Removal Problem
Reference Number 670F2F-1B
Occasionally, removal of the VPN Client appears to complete correctly, but the VNICs actually are not removed. When the VPN Client is reinstalled, it does not work until the VNICs are manually removed or, in extreme cases, the Operating System (OS) is reloaded. The issue is extremely hard to replicate, but has happened on a number of occasions. It has only occurred on Windows 98 SE machines thus far.
Card Bus Ethernet Adapter Movement Not Handled
Reference Number 104575
If a Card Bus Ethernet card is moved from one slot to another, the VPN Client does not handle it well. When an incorrect card is selected, the VPN Client connects a tunnel, but the tunnel either is unable to obtain Client-IP or is unable to encrypt traffic or the DHCP request from the VPN Client.
Any traffic intended to be tunneled goes out in the clear.
Note: This has only been seen on Card Bus cards, on 16-bit PC Cards.
VPN Client on NT4 System Does Not Bind To 3COM 3C515 NIC
Reference Numbers 554P and 721
In Release 6.8.2, the VPN Client on an NT4 Workstation and Server with SP6 will not bind to a 3COM 3C515 NIC. When you try to establish a tunnel, this NIC is not listed in the Tunnel Properties window in either IPSec or SST.
Static IP Interface Route Is Removed After Tunnel Disconnect
Reference Number 618
If a machine is multihomed and has static routes, you may see the routes disappear after the VPN tunnel is disconnected. When the static IP interface route statement is removed on a multihomed interface, the host is no longer able to contact local nodes in the subnet.
Device Name Not Displayed If Used In Place of IP Address
Reference Number 768
If you connect the VPN Client using the device name in place of the IP address, the device's address is displayed as the Peer IP instead of the device name. This happens only when using IPSec, not when using SST.
Transport Mode IPSec Tunnel Connection Eliminates Non-Tunnel Packets
Reference Number 706DF
When a Transport mode IPSec tunnel is up between a VPN Client on Windows NT (SP4) and an HP VPN device running Release 6.8.2 code, and the packets are targeted towards either of the device's interfaces, non-negotiated packets disappear. When the Transport mode tunnel is down, packets such as ICMP pings and VPN Manager UDP traffic go through to the device in the clear.
Windows 9x Dial Up Connection Passes Local Traffic Down Tunnel With 0.0.0.0 Subnet
Reference Number 770
In Release 6.8.2, on Windows 9x, when you dial up to establish a tunnel with a 0.0.0.0 subnet, all traffic goes down the tunnel and you can no longer ping the local subnet.
The problem does not appear on Windows NT or Windows 2000.
Coexistence With Microsoft Windows 2000 VPN Client Causes Subsequent Failure To Obtain Client-IP
Reference Number 717
In Release 6.8.2, the coexistence of the VPN Client with the Microsoft Windows 2000 VPN client causes a failure to obtain a Client-IP on a subsequent connection. The VPN Client performs correctly, obtaining IP and WINS information on successful authentication initiated through an Internet connection. Then, if the VPN tunnel from the VPN Client is dropped and a PPTP connection is made, the latter connection is successful.
However, if the VPN Client VPN tunnel is reconnected now, it fails to obtain its IP and WINS information after successful authentication.
To recover from this problem, reboot the VPN Client.
Opening the Properties of an IPSec Definition Reconnects Tunnel
Reference Number 868
In Release 6.8.2, simply opening the properties of an IPSec profile in the VPN Client window causes the VPN tunnel to reconnect. This action happens regardless of whether or not a change has been made to the security profile.
IPSec Tunnel May Not Connect if interfaceIP=0.0.0.0 and autoconnect Set
Reference Number 888
In Release 6.8.2, you may encounter a situation whereby the progress bar appears on your screen but an IPSec tunnel will not connect. This results from an interfaceIP=0.0.0.0 setting (in the vpnuser.ini file) and autoconnect not working together.
To work around this problem, open the vpnuser.ini file in a text editor such as Notepad, delete the following line and save the modified vpnuser.ini file:
interfaceIP = 0.0.0.0
Alternatively, you may change the interfaceIP= setting in the vpnuser.ini file to the current interface IP address. Either of these workarounds allows the tunnel to autoconnect.