NETGEAR™ ProSafe VPN Client
Release Notes
Version: 10.1.1, build 10 Release Notes Issued on: 09/29/2003
Product Description
The NETGEAR ProSafe VPN Client is a virtual private network (V PN ) client for
remote access and secure communications.
New Features and Enhancements
• Smart card removal clears keys option
• Phoenix Device-Connection Authentication support
• WAN maximum transmission unit (MTU) adjust settings for Windows 2000
and XP to better integrate running the client over DSL lines using Point-to-Point
Protocol over Ethernet (PPPoE)
.
Component Versions
Component Version
CSP Library (FIPS) 3.1.0b22
CSP Library (Non-FIPS) 3.0.1b22
Deterministic Networks (DNE) shim 2.20
Layer 2 Tunneling Protocol (L2TP) 4.29
Security Policy Editor 1.2.1 B10
Certificate Manager 1.2.1 B10
Phoenix Device-Connection Authentication CryptoOSD 1.2.3.2
Before Installing or Upgrading to This Version
When upgrading from an earlier version of the VPN client, take these required steps
before installing the client:
1. Uninstall the existing version through the Control Panel Add/Remove
Programs application.
2. Reboot your computer.
Note: The original Windows installation files may be required during installation,
depending on the specific version of Windows and your configuration . Make sure that
you have the CD-ROMs or files available before you start the installation.
Release Notes
Windows Compatibility
Supported Windows Version
95: versions 4.00.950 B and C Me
98 and 98 SE 2000 Professional
NT 4.0 Workstation: SP 5 and 6 XP Home and Professional
Unsupported Windows Versions (Not Y2K-Compliant)
95, versions 4.00.950 and 950a NT 4.0, SP 3
Install the latest Windows service pack, dial-up networking
upgrade, and Internet Explorer version.
Network Interface Cards
This version should be compatible with all NDIS-compliant Ethernet network
interface cards (NICs). Plug and play is supported on Windows 95, 98, Me, and 2000
only. Plug and play is not supported on notebook computers running Windows NT.
Compatibility Issues
• Windows XP Internet Connection Firewall with the SafeNet Virtual Adapter
The SafeNet Virtual Adapter must be “firewalled” with the Windows XP
Internet Connection Firewall if the connection used to create VA is Windows
XP “firewalled”; otherwise, packets will not pass.
• Driver signing warnings on Windows XP with Security Patch MS02-50
Description: Earlier versions of the MS02-50 Security Patch on Windows XP
caused unsigned driver messages when installing the client.
Workaround: Download the latest MS02-50 Patch from this page on the
Microsoft web site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/securit
y/bullet in/MS02-050.asp
If the patch is no longer on this page, search for this patch on the Microsoft
support web site, support.microsoft.com.
• Nortel Contivity VPN Switch
Description: The elements of the distinguished name sent by the switch are
not in the standard order expected by the client. When entering the
distinguished name in the Connect using Nortel Co ntivity VPN Switch group,
select the Enter Subject Name in LDAP Format check box. Make sure
that the order of the elements matches the order from the switch, for
example:
LDAP Format
CN Name
S State
C City
OU Department
O Company
Certificate
Information
Workaround: The Nortel switch's firmware version 3.5 or later,
with Keep Alives disabled is required. If a message regarding
invalid hash length appears in the Log View, this means that the
keep alive feature is enabled. The Keep Alives option is controlled
through the IPSec section of the Group profile. The menu item in
IPSec is called Enable Client Failover Tuning.
• PPPoE software for DSL connections must be installed
and operational before the client is installed.
Description: Installing PPPoE software on a computer that the
client is already on removes some network components.
Workaround: If the computer doesn’t have the client installed,
install the PPPoE install the PPPoE software before you install the
client. If the client is already installed, uninstall, and save the
IPSec policy when prompted during the uninstall. After your
computer reboots, install the PPPoE software, and then install the
client again.
• Compatibility issue with 3Com Smart Agent software
Description: If the 3Com Smart Agent software is installed before
the client in
installed, the client doesn’t operate correctly.
Workaround: Install the Smart Agent software before installing
the client
• Errors when the gateway sends certificates with more
than 1024 bits to a client without the Microsoft Enhanced
CSP
Description: Log Viewer errors and connection failures occur on
the client when the gateway sends certificates larger than 1024 bits
on computers that don’t have a 128bit version of Internet Explorer
installed. Log errors can’t acquire enhanced provider verify context,
and signature verification fails.
Workaround: For gateways that send certificates larger than 1024
bits to the client, upgrade to the 128-bit version of Internet
Explorer, which include the Microsoft Enhanced CSP.
• Automatic certificate selection may not work in Aggressive
Mode.
Description: Because Aggressive Mode sends an ID payload in the
first initiator packet, and no explicit certificate is selected, the
session may fail. The client make a best guess, and selects the first
certificate that meets the specified ID type, such as DN, email, or
IP address. This certificate, however, may not be a valid
certificate.
Workaround: Manually select the certificate when using
Aggressive Mode, or limit your certificates to one in the
Certificate Manager.
• Compatibility issues with EarthLink software
Description: The client is incompatibility with EarthLink Internet
software, version 5.02.
Workaround: EarthLink can still be accessed through a standard
dial-up networking configuration. Uninstall the EarthLink software.
EarthLink Technical Support is aware of the situation; contact
EarthLink for help in setting up a standard dial-up configuration for
EarthLink access.
• Compatibility issues with Sony Vaio and 3COM 3CCFE575CT
CardBus PC Card
Description: The 3COM 3CXFE575CT 10/100 LAN CardBus PC
Card isn’t compatible with Sony Vaio notebook computers; after
the client is installed, the computer requires an Ethernet cable to
be attached to boot. This NIC card works fine in other computers..
Workaround: Use hardware profiles to disable the NIC card, or
remove the NIC card when the computer isn’t attached to the
network.
• On Windows 95/98/Me, the Entrega USB has problems with
suspend/standby.
Description: The Entrega USB has problems when returning from
suspend mode in that the interface is not always present.
Workaround: Unplug the adapter, and then plug it back in.
• AOL 6.0 Compatibility
Description: AOL 6.0 software has installation problems on
Windows 95/98/SE/Me system with DNE. The AOL installation
continuously reinstalls TCP/IP and asks to be restarted.
Workarounds: Try one of these:
Boot into safe mode, remove DNE, and continue with the AOL
install. After AOL is
installed, reinstall DNE. AOL will still ask to be restarted on every
startup; click
No, and AOL work just fine.
Upgrade to AOL 7.0. On Windows XP using native XP PPPoE
connections, if an AOL 7.0 upgrade is performed on the client is
installed, repair the client. This will correct the PPPoE settings
that AOL overwrites.
• RequestLocalAddress failure and dialup interfaces are not
detected properly in the Log Viewer on clients that also have
the Nortel client installed and DN is bound to the Nortel
IPSECSHM
Description: Cannot connect using Windows 2000 and XP RAS
connections when DN is bound to the Nortel IPSECSHM.
Workaround: In the Windows Device Manager, if the IPSECSHM -
Deterministic Network Enhancer Miniport is disabled, the dialup interface
will be detected properly and sessions will establish.
Addressed Issues
Priority Classification Definition
C Critical No reasonable workaround exists
H High Reasonable workaround exists
M Medium Medium level priority problems
I Inconvenient Lowest level priority problems
E Enhancement New or changed feature request
In Version 1.2.1 (Build 10)
Issue # Priority Synopsis
QA004745
QA004746
QA004747
QA004748
QA004749
QA004750
QA004751
QA004752
QA018746
H Client doesn't guard for NAT-D payload overflow.
H
H Client doesn't guard against attribute payload overflow.
H Client packet log may contain extraneous characters.
L
M
L Multiple quick modes during VA session with WINS configuration
M
L
Client doesn't guard against buffer overflow in HASH_R
processing.
Client pop-up menu may be missing lower Manual Connection
separator.
Client doesn't handle mode config collisions correctly on
Windows XP.
MTU settings can result in packet loss. Introduced WAN MTU
adjust settings for all NT platforms.
On Windows NT, the VA connectoid may be created with PPTP
Port Spec.
In Version 1.2.0 (Build 32)
Issue # Priority Synopsis
4005 E
4103 H
4161 E
4162 E
4170 M
4173 H
4556 H RGW connections are not recognized in manual connections.
4667 H
4668 H
4676 H
Add mechanism to prevent the creation of duplicate connection
names.
Cannot enter and save PSK on Windows XP; error encrypting
PSK.
Add inventorying interfaces process after VA hang up to
eliminate residual active VA adapters with no SA.
Maintain VA while processing Initial Contact and in responder
mode.
In remote party ID, with Connect using checked, the wrong
default ID types are listed.
TDES and DES with Manual Keys fail with all hash alg. "Error
importing outbound key entry"
Clients using VRS (Internal IP) with no VA cannot pass
fragmented UDP traffic.
NSladapssl32v30.dll included with client is not compatible with
Sun or IPlanet 5.1 or later.
Interface detection failure on RAS devices introduced after
reboot.
4677 H Quick Mode starting before Extended Authentication completes.
4678 H
4679 H
4704 H Windows 2000 and XP Net Login Error 5719 in event viewer
4705 H Secure All types of manual connections to 2nd or 3rd connection
4721 H RSA Secure-ID Passcode is truncated for Secure-ID.
4733 H
Multiple XAUTH prompts are presented to user when XAUTH is
not completed.
CA certs imported into the personal cert store with IE cause Cert
Mgr crash when opening the personal (CA) cert.
causes single sign-on applications to fail. Modified to defer RAS
loading until either a point-to-point interf ace is detected or VA
activation is required.
tries to establish a connection to the 1st connection. Modified
manual initiation processing to avoid initiating inappropriate
connection for multiple Secure All configurations.
Windows 2000 and XP DNE MTU Adjust doesn't accommodate
enough overhead for all connection types.
In Version 1.1.1 (Build 14)
Issue # Priority Synopsis
4858 H
4892 H
5183 H
5221 H
5367 H Auto-retrieval of MSCEP certificate does not work
5419 H
5454 H
5458 H IPSecMon crashes when retrieving policy or certificate
5435 I
5437 I Secure All and Secure Other Connections display the manual
Double and Triple XAUTH prompt occurs on connections that
failover to a RGW.
Enternet PPPoE client doesn't work with client when using the
virtual adaptor, non VA connections work as expected.
Unable to release and renew IP addresses or renewals of DHCP
leases fail with the firewall build.
VPN.exe causes fatal application error when running vpn.bat
from a command prompt.
SPDedit Gateway IP address box remains enabled after unchecking Connect Using box
SpdEdit incorrectly chooses 1st cert with same label,
regardless of container ID
VA settings are not retained when moving within various
screens in the policy editor without saving first.
connect option when first selected or clicking the Secure radio
button.
5438 I Ghost Save and RGW buttons after importing an unlocked
policy over a locked policy; unable to save any changes or add
RGW.
5443 I SPDedit Other Connections ID type set to Any Gateway IP
Address remains enabled after clearing the Connect Using
check box
5457 I
Client loads wrong spi when AH and ESP proposed in the same
policy
Known Issues
Priority Classification Definition
C Critical
H High Reasonable workaround exists
M Medium Medium level priority problems
I Inconvenient Lowest level priority problems
This is a list of the issues known at time of release:
All Open Issues are prioritized and addressed in future releases when possible.
Known issues listed in the previous release note in the Known Issues section are still
present in this release unless listed in the Addressed Issues section.
Issue# Priority Synopsis
No reasonable workaround
exists
QA018812
4506 I Can't specify an interface and use the Virtual Adapter
I
Windows XP log-off causes intermittent ifcfg.exe Application
error.
Description: When logging off of Windows XP, you may
intermittently receive ifcfg.exe application error.
Workaround: Disregard this error, the log-off will complete as
expected.
Description: If the Internet Interface in the MY ID section of a
connection is set to something other than Any, a VA
connections will fail with the following errors: • 15:26:52.998
Failure finding or creating filter entry • 15:26:53.008 Failure
finding or creating filter entry • 15:26:53.008 Key download
failed. • 15:26:53.008 Error downloading key. •
15:26:53.008 Failed loading the keys Workaround: Set the
Internet Interface for the effective connection to Any or set VA
to disabled.
Issue# Priority Synopsis
4606 M Windows XP "Digital signature not found" for crypto OSD
adapter during install. Description: Selected option to install
Device Connect Authentication and Remote Upgrade for install
of client. During install on Windows 2000 received "Digital
Signature not Found" for Crypto OSD Adapter. Workaround:
Select OK to continue past message, and install will complete
successfully.
4657 H SCEP Request to SMC CA with an underscore in the common
name causes the CN to be corrupt. Description: SCEP request
to SMC in the clear causes with an underscore in the CN causes
the Common Name to be corrupt after retrieval. The Common
Name retrieved is a # sign followed by a long numeric string.
Workaround: Only use numeric and alphanumeric characters
for the CN during SCEP request.
4687 I Windows 9x: Dial-up VA Required sessions complete even
when VA isn't created Description: When attempting a dial-up
VA session with only one dial-up adapter present on the
machine (i.e., improper configuration), the IPSec SA completes
even though the VA adapter is not added. The log shows a
virtual interface constructed but no message for virtual adapter
added. Workaround: Verify that two dial-up adapters are
present on the machine before attempting dial-up VA sessions.
4933 H Unable to Map drives on Windows NT with Enternet 1.5 PPPoE
software over a secure connection. Description: System
hangs when trying to map a drive over a secure PPPoE
connection and may require a system restart. Workaround:
The client will Map drives using RASPPPoE software. Get this
from this free download link: http://user.cs.tuberlin.de/~normanb/#Download
5317 H Manual connect fails when connecting to a subnet via a
gateway set to Hostname or an RGW on Windows 9X.
Description: Manual connect on Windows 9x platforms to a
remote subnet (or range) specified with an address, which is
apparently (by address class) a subnet address, will report a
RequestLocalAddress failure. This is because Windows 9X will
not generate traffic to such addresses. Workaround: Initiate
traffic to establish the tunnel such as a ping, web, email, or
FTP traffic.
Issue# Priority Synopsis
5318 H Error updating filter record when saving a policy with an
Internet Interface on connections that have RGWs specified.
Description: Log Viewer reports "Error updating filter record"
when specifying an Internet Interface on connections that have
RGWs specified. Workaround: Do not specify an Internet
Interface on connections that have RGWs. Use the manual
connect only option or specify "any" Internet Interface.
5395 H Route add fails when using the VA and both peers are NAT'd
and the private IP addr. on both nets are the same
Description: In a NAT'd environment, if both private networks
have the same address space (in the test it is 172.16.x.x
255.255.0.0), the phase 1 completes as expected. When the
mode config attributes are applied, the VA is created, but when
the route add is issued (route add 10.100.200.254 mask
255.255.255.255 172.16.50.1), it fails with error code
(0000003A). Workaround: If the VA is not used, the
connection works as expected. If the mode config address and
the physical address are not on the same logical subnet, the
VA works as expected.
5444 I Non-Admin Logon SCEP request will not retrieve the RA
Certificate Description: If logged on as Non-Admin, the
Import Personal Cert window remains open with no prompt or
error message after attempting to place the cert in the local
machine store, which is the default setting in Advanced
properties. Workaround: Open the Advanced tab in the SCEP
request form, and uncheck the box to place certificate in local
machine store if logged on as non-admin when importing a
personal cert.
5446 I Non-admin login Personal Cert Import displays no error
message after attempt to place cert in local machine store
Description: If logged on as Non-Admin, the Import Personal
Cert window remains open with no prompt or error message
after attempting to place the cert in the local machine store
due to the check box. Workaround: The check box for Place
cert in local machine store should be unchecked if logged on as
non-admin when importing a personal cert.
DNE Known Issues and Workarounds
This is a list of the issues known at time of release for DNE 2.2.0, extracted from
the DNE release notes.
• Windows NT-disabled protocols are enabled when DNE is installed
Description: On Windows NT 4.0 only, if protocols are disabled, and you install
DNE, the protocols become enabled.
Workaround: Disable the protocols through the Control Panel or remove the
protocols after installing DNE.
• Windows NT Plug and Play Drivers
Description: Windows NT doesn’t support Plug and Play even on laptops
running whose manufacturers attempted to create Windows NT Plug and Play
support through a custom utility. DNE can't work with these custom, nonstandard, non-NDIS-compliant utilities.
Workaround: Disable the utility and obtain the latest NIC driver from the
vendor (not the special prepackaged one that the laptop vendor supplies with
the utility).
• The client is incompatible with the ATT Dialers’ VPN componen t
Description: The VPN component included with the ATT dialer is incompatible
with DNE.
Workaround: Clear the VPN component check box when installing the ATT
dialer.
Loading...