Here are the release notes for GNAT Box 3.0.2.
Title: Release Notes
Product: GNAT Box 3.0.2
Date: Feb 2000
Introduction
This is the first release of GNAT Box 3.0 with the IPSec VPN option enabled.
In this release the IPSec VPN encryption has been limited to
key lengths of 64 bits. This key length restriction has been imposed
in order to provide a single version of GNAT Box software world wide.
Although in January 2000 the US export regulations were amended to
allow for the export of stronger encryption, there are still
restrictions and various requirements depending upon the classification
of the software. Therefore we felt the quickest way to release
an exportable version of GNAT Box with IPSec VPN features was to
provide an implementation that could be approved quickly.
Our goal is to provide full strength IPSec VPN enabled GNAT
Box system software on a world wide basis. We are working toward
that goal, and working our way through the regulations.
IPSec Implementation
The IPSec implementation in this release only supports manual
keying. Later versions will have automated keying support as
per the IPSec IKE standard. The target for this release was
a network-to-network VPN configuration (IPSec ESP tunnel mode).
Although remote clients should be interoperable with the GNAT
Box IPSec implementation, they may not be usable with this
release unless they support manual keying.
Supported Transformations
- ESP tunnel mode
- AH tunnel mode
Note: ESP and AH transport modes are not supported.
The following encryption transformations are available in
GNAT Box 3.0.2:
IPSec AH
- Keyed MD5
- Keyed SHA1
- HMAC MD5
- HMAC SHA1
IPSec ESP
- Null 0 bits
- Simple 0-64 bits
- DES-CBC 56 bits
- BLOWFISH CBC 40-64 bits
- CAST128 CBC 40-64 bits
- RC5 CBC 40-64 bits
The NULL ESP tunnel mode provides no encryption; however, it does perform IP
encapsulation. This mode is useful when using protocols that GNAT Box does
not support in NAT mode (e.g. NetMeeting). Of course, the remote end (a GNAT
Box or a third-party product) must be configurable in the same mode.
Table of contents
-----------------
1. What's New Since Version 3.0.1
1.1 New Features
1.2 Changes
1.3 Bug Fixes
2. How to Update
2.1 From GNAT Box Version 2.2
2.2 From GNAT Box Version 2.1.x
2.3 From GNAT Box Versions 2.0.x and 1.x
3. VPN Setup Outline
1. What's New Since Version 3.0.1
With the introduction of the IPSec VPN feature more load is
placed on the CPU when encryption is performed. Although
486 systems are capable of running the IPSec VPN, depending
on the network, the encryption chosen and the load, such low-end
CPUs may not be a desirable configuration.
1.1 New Features
o IPSec VPN is a standard feature in GNAT Box Pro
and the GB-100 firewall appliance.
o PSN is now an optional feature for GNAT Box Light;
it can be enabled with an activation code.
o IPSec VPN is an optional feature for GNAT Box Light;
it can be enabled with an activation code.
1.2 Changes
o Due to the size of the IPSec VPN code, Token Ring support has been
removed from the software-only version of GNAT Box. Token Ring is
still available in the GB-100 Firewall Appliance.
o Email alarms now include the correct CRLF characters so that email
alarm messages are processed correctly by mail client software.
o All user interfaces (Console, Web and GBAdmin) have been updated
to support the creation and manipulation of VPN definitions.
1.3 Bug Fixes
o Console
- Additional IP protocols not added to the filter edit popup. Fixed.
- Popup lists one too big. Fixed.
- Popup lists could potentially overflow the screen. Fixed.
- Row displayed one entry past the end of list box for insertions
after last row. Fixed.
- Logic for setting "keep alive flag" backwards. Fixed.
- Missing "DEFAULT" button on protocols window. Fixed.
o Web Interface
- Embedded spaces in interface names caused name truncation. Fixed.
- "OK" from error in Pass Through Filter edit displayed Outbound
Filter screen. Fixed.
o GBAdmin
- Hangs when logging off from filter preference screen. Fixed.
- Hangs when connecting to new host from filter preference
screen. Fixed.
- Doesn't use real interface on network information screen. Fixed.
- "Save All" across the network doesn't load encryption key
before connecting. Fixed.
o System Software
- Missing entries for VX1 and VX2 devices for 3Com 3c595
EtherLink III have been added.
- Updated Token Ring driver for GB-100 system.
o All
- Problem loading config with 2.1.0 filter preferences. Fixed.
- GNAT Box Light configuration conversion to GNAT Box Pro improperly
converted RIP data. Fixed.
- Network Interface Card list is now displayed in sorted order.
o GNAT Box Light
- Added PSN optional feature.
- Added VPN optional feature.
- Allow save all from GBAdmin.
- Disabled RMC filter by default.
2. How to Update
2.1 From GNAT Box Version 2.2
2.1.1 Install the software.
o If you downloaded the GNAT Box 3.0 software
The software is available in various packages:
o Full package with Win95/NT installer
o Runtime OS only in zip format
o Full package in Unix tar format (gzip)
o Runtime OS only in gzip format
o If you are installing from a 3.0 CDROM
o Win95/98/NT
Click the "Install" icon on the CDROM, follow the
installer's instructions and answer the questions. The
installer will install the Win95 utility programs along
with the runtime GNAT Box diskette image. It will also
create a new GNAT Box runtime diskette at the end of the
installation.
o Win3.x
Click the "Install" icon on the CDROM, follow
the installer's instructions and answer the questions.
The installer will install the Win 3.x utility programs
along with the runtime GNAT Box diskette image.
The new GBAdmin utility is not available for
Windows 3.x; however, GBUtil is a Win 3.x program that
can read/write GNAT Box floppy diskettes. A new GNAT
Box runtime diskette will also be created at the end of
the installation process.
o DOS
Mount the CDROM and change directory to \GB\DOS. Run
the Install.bat file. All the DOS utility programs
along with the runtime GNAT Box diskette image will be
installed on your hard disk. A new runtime diskette
will also be created.
o Unix
Mount the CDROM and change to the /GB/Unix
directory. Copy the runtime image to a directory on a
mounted read/write filesystem.
o Mac
Mount the CDROM and open the Mac folder inside the GB
folder. Copy the runtime image file to your hard
disk. You can use DiskDup+ or Apple Disk Copy 6.3 to
copy the image to floppy diskette.
2.1.2 Create the runtime floppy diskette
o If you use the Win95/NT installer, you will have the
option to have the diskette created for you.
o If you download only the runtime OS then use the
GBUTIL.EXE program under Win/Win95/NT. Under DOS use
GBWRITE.EXE.
o If you are on a Unix/Linux system use the 'dd' command:
dd if=gbp300.flp of=/dev/rfd0c bs=18k
o On a Macintosh system you can use the DiskDup+ utility or
Apple's Disk Copy 6.2.
2.1.3 Save your current configuration
Windows/Win95/NT Users
o Use the new GBAdmin.exe program to save your configuration.
or
o Use gbMakeFloppy.
- Start gbMakeFloppy
- Select the GNAT Box 3.0 runtime image
- Click the icon in the top left corner of the titlebar to
display a menu. Select "merge" from the menu and select
the source for your old configuration data.
- Once your configuration data is loaded an icon will be
displayed in the gbMakeFloppy application indicating
a configuration has been loaded.
- Click "Make floppy" to create a new floppy with the 3.0
runtime and your old configuration.
or
o Use the gbconfig.exe program to save your current 2.2.x
configuration.
Example:
gbconfig -s A myconfig.cfg
Unix/Linux Users
o Use the 'dd' command to save your 2.2.x configuration.
Example:
dd bs=18k skip=78 if=/dev/rfd0c of=myconfig.cfg
Note: Your floppy disk device may be different.
2.1.4 Restore your current configuration
Windows/Win95/NT Users
o Use the GBAdmin.exe program to merge your previous
configuration with the new runtime OS image.
1. Use File->Open to read in the new 3.0 runtime OS
image (e.g. gbp300.flp).
2. Use Configuration->Merge.. to read in your saved
configuration.
3. Make any modifications.
4. Use File->Save As.. to create a floppy diskette.
OR
o Use the gbconfig.exe program to restore your previous
2.2.x config on to the new 3.0 diskette.
When the 3.0 system is booted up it will detect your
older configuration data, convert it to the 3.0
format and save it. New features will be set to their
default values.
Example:
gbconfig -r A myconfig.cfg
Unix/Linux Users
o Use the 'dd' command to restore your 2.2.x configuration
onto the 3.0 diskette.
Example:
dd bs=18k seek=78 if=myconfig.cfg of=/dev/rfd0c
Note: Your floppy disk device may be different.
2.1.5 Reboot your GNAT Box with the new 3.0 diskette.
2.2 From GNAT Box Version 2.1.x
Although GNAT Box version 3.0 can read version 2.1.x configuration
data and the update procedure described in section 2.1 of this
document can be used, it is probably more desirable to use the
following method.
2.2.1 Print a hard copy of your 2.1.x configuration report and
have it available. Follow the procedure in section 2.1 to load
your 2.1.x configuration data into GBAdmin 3.0. Next click on the
Remote Access Filter section to display it, then click the
"default" icon to generate a set of default filters for your
configuration. Next add and modify the filters that were created
to match your previous configuration. Do the same for Outbound
filters.
The reasoning for this procedure is that many of the default
filters have changed; some have been removed entirely or converted to
"Automatic filters", which no longer require explicit filters to be
in place. Also, with the introduction of the "filter disable"
facility in the 2.2.x release, additional optional filters have
been added to the default list and then disabled. This way, if you
wish to utilize optional facilities, there is no need to key in the
filters by hand, since they can simply be enabled.
2.3 From GNAT Box Versions 2.0.x and 1.x
Since the configuration data from these versions is no longer
supported, a new configuration should be created from scratch.
Print off a copy of your configuration to use as a reference when
creating your 3.0 configuration.
3. VPN Setup Outline
This outline is a guide to configuring a VPN on GNAT Box 3.0.2.
Overview
1. Define the VPN Security Association
2. Create a Remote Access Filter to allow the remote site to connect
to the local GNAT Box firewall with IPSec protocols.
3. Create IP Pass Through VPN filters to allow both inbound and
outbound traffic to flow on the VPN.
Detailed Setup Outline
I. Open VPN Edit Box (Authorization->VPN)
A. Enable VPN
B. Description: Enter description.
(Will be used in filter definitions later).
C. Enter the destination address. This should be the address of the
network behind the target GNAT Box.
D. Gateways:
1. Local Gateway: your External NIC's IP number or an alias on
the External NIC.
2. Remote Gateway: IP number on the External Interface of the
GNAT Box Firewall you are connecting to.
E. Authentication Header:
1. AH Method Options:
a. none
b. hmacs-md5
c. hmacs-sha1
d. keyed-md5
e. keyed-sha1
2. AH Key type: ASCII or HEX
3. AH key:
a. "hmacs-md5" and "keyed-md5" require a 128-bit key. The length of
the key MUST be 16 characters in ASCII or 32 digits in HEX.
b. "hmacs-sha1" and "keyed-sha1" require a 160-bit key. The length
of the key MUST be 20 characters in ASCII or 40 digits in HEX.
F. Encapsulation Security Protocol: (ESP)
1. ESP Methods
a. None (not a valid option if "none" was selected as the AH method above.)
b. NULL
c. Blowfish
d. Cast128
e. DES
f. Rc5
2. ESP Key type: ASCII or Hex
3. ESP Key:
a. NONE: 0 to 160 bits.
b. Blowfish: key length must be between 40 and 64 bits
(ASCII 5-8 characters, Hex 10-16 hexadecimal digits).
c. Cast128: key length must be between 40 and 64 bits
(ASCII 5-8 characters, Hex 10-16 hexadecimal digits).
d. Des: key length must be 64 bits (ASCII 8 characters, Hex
16 hexadecimal digits).
e. Rc5: key length must be between 40 and 64 bits (ASCII
5-8 characters, Hex 10-16 hexadecimal digits).
G. Security Parameter Index (SPI): Must be a number greater
than or equal to 4096.
Inbound SPI: Hex or decimal >= 4096
Outbound SPI: Hex or decimal >= 4096
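As an added example (not GNAT Box code and not part of these release notes), the following Python checks a manually keyed Security Association definition against the AH/ESP key-length, key-encoding and SPI rules given in section I above; the function and field names are assumptions for illustration.

```python
# Added example, not GNAT Box code: checks a manually keyed GNAT Box 3.0.2 VPN
# Security Association against the key-length and SPI rules of the setup outline.
# Function and field names below are assumptions for illustration.
import re

AH_KEY_BITS = {"hmacs-md5": 128, "keyed-md5": 128,      # exact size required
               "hmacs-sha1": 160, "keyed-sha1": 160}
ESP_KEY_BITS = {"null": (0, 0), "blowfish": (40, 64),   # (min, max) size
                "cast128": (40, 64), "des": (64, 64), "rc5": (40, 64)}

def key_bits(key, key_type):
    # ASCII keys carry 8 bits per character, hex keys 4 bits per digit.
    if key_type == "ascii":
        return len(key) * 8
    if key_type == "hex":
        if not re.fullmatch(r"[0-9A-Fa-f]*", key) or len(key) % 2:
            raise ValueError("hex key must be an even number of hex digits")
        return len(key) * 4
    raise ValueError("key type must be 'ascii' or 'hex'")

def check_key(label, key, key_type, lo, hi):
    # Return a problem string, or None when the key size lies in [lo, hi].
    try:
        bits = key_bits(key, key_type)
    except ValueError as e:
        return f"{label}: {e}"
    return None if lo <= bits <= hi else f"{label}: key must be {lo}-{hi} bits, got {bits}"

def validate_sa(sa):
    # Return the list of rule violations for one SA definition (empty = OK).
    problems = []
    ah = sa.get("ah_method", "none").lower()
    esp = sa.get("esp_method", "none").lower()
    if ah != "none":
        bits = AH_KEY_BITS.get(ah)
        problems.append(f"unknown AH method {ah!r}" if bits is None else
                        check_key(f"AH {ah}", sa.get("ah_key", ""),
                                  sa.get("ah_key_type", "ascii"), bits, bits))
    if esp == "none":          # no ESP is only allowed when AH protects the tunnel
        if ah == "none":
            problems.append("ESP 'none' is not valid when the AH method is 'none'")
    elif esp not in ESP_KEY_BITS:
        problems.append(f"unknown ESP method {esp!r}")
    else:
        problems.append(check_key(f"ESP {esp}", sa.get("esp_key", ""),
                                  sa.get("esp_key_type", "ascii"), *ESP_KEY_BITS[esp]))
    for side in ("inbound_spi", "outbound_spi"):   # decimal or 0x-prefixed hex
        if int(str(sa.get(side, 0)), 0) < 4096:
            problems.append(f"{side}: SPI must be >= 4096")
    return [p for p in problems if p]
```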
II. Create A Remote Access filter to allow the VPN connection
(Filters->Remote Access)
A. Default filters: this will automatically set up the appropriate
filter. (Optional).
B. Define remote access filter:
Type: Accept
Interface: External
Protocol: ESP or AH
Source IP: IP number on the External Interface of the GNAT Box that
will be creating the VPN connection.
Source Port: 0
Destination IP: IP number of the External NIC or an alias on
the External NIC.
Destination Port: 0
C. Save Remote Access Filter set.
III. IP Pass Through filter to control access through the VPN.
(IP PassThrough -> Filters)
A. Default Pass Through Filter: this will automatically set up
the appropriate filter set (Optional).
B. Define the appropriate filters for your security policy.
The networks involved will be your protected network and the
destination network from the GNAT Box VPN definition.
C. Default IP Pass Through VPN Filter Set:
1. #DEFAULT: VPN, deny inbound (Connection to X.X.X.X). DISABLED
Type: Deny Interface: "EXTERNAL" Protocol: ALL
Source IP: 192.168.11.0 Mask: 255.255.255.0
Destination IP: "ANY_IP"
2. #DEFAULT: VPN, allow outbound (Connection to X.X.X.X).
Type: Accept Interface: "PROTECTED" Protocol: ALL
Source IP: 192.168.11.0 Mask: 255.255.255.0
Destination IP: "ANY_IP"
Note: Valid hexadecimal values are 1 2 3 4 5 6 7 8 9 A B C D E F.
-------------------------------------------------------------------------
Paul Emerson Tel: +1.407.380.0220 x106
Global Technology Associates, Inc. Fax: +1.407.380.6080
3505 Lake Lynda Drive Mobile: +1.407.310.8564
Suite 109 Pager: +1.888.440.8232
Orlando, Florida 32817 Email: [EMAIL PROTECTED]
USA Web: http://www.gta.com
Mobile Email: [EMAIL PROTECTED]
-------------------------------------------------------------------------