1999/3/31 ComOS 3.9b8 Open Beta Release Note ________________ Introduction The new Lucent Technologies ComOS(R) 3.9b8 is now available for open beta for the PortMaster(R) 3 Integrated Access Server. This open beta release is provided at no charge to all Lucent customers. This open beta release is recommended only for customers who wish to test the new functionality before the FCS release of ComOS 3.9. This release note documents commands and features added between ComOS 3.8.2 and ComOS 3.9b8 on the PortMaster 3. The modem code in ComOS 3.9b8 is the same modem code included in ComOS 3.8.2 for the PortMaster 3. NOTE: Command syntax for new commands may change between this open beta release and the general availability (GA) release of ComOS 3.9. This release note applies only to the PortMaster 3. Before upgrading, thoroughly read "Limitations" and "Upgrade Instructions." WARNING! The amount of nonvolatile ram (NVRAM) available for saving configurations has been reduced from 128KB to 64KB. PortMaster products with configurations greater that 64KB will lose some of their configuration. For this reason, be sure to backup your PortMaster configuration before upgrading to this release. NOTE: Any PortMaster running ComOS 3.9b8 requires 4Mb of dynamic RAM (DRAM). Use 16MB if running BGP. _______________ Export Restrictions This open beta release of ComOS 3.9b8 does not include support for the DES and 3DES encryption methods, and is available to any Lucent customer worldwide. The AH MD5 authentication feature of the coprocessor card is available worldwide and is included in ComOS 3.9b8. Because of export restrictions, the DES and 3DES features for ComOS 3.9b8 will be handled on a case by case basis outside of the standard beta release process. Any U.S. or Canadian owned company wishing to participate in the beta of this feature should call Cary Hayward at 1-925-730-2637. This restricted release of ComOS 3.9b8enc168 which supports DES and 3DES is available in open beta to Lucent customers in the USA and Canada. To use DES or 3DES for encrypting data payloads you must install the Coprocessor Card (PM3-VPN). Versions of ComOS 3.9 supporting DES and 3DES on the coprocessor card will be made available to customers in other countries as export licensing permits. Licensing approval is being sought at this time. For more information, see the sections on "IP Security" and "Coprocessor Card for PortMaster 3". _______________ Contents Introduction Export Restrictions Bugs Fixed in 3.9b8 New Features Non-Facility Associated Signaling (NFAS) Layer 2 Tunneling Protocol (L2TP) IP Security (IPSec) Coprocessor Card for PortMaster 3 Network Address Translator (NAT) Assigned IP for Dial-Out Locations Enhanced PMVision Support Configuring NFAS Configuring L2TP Configuring IPSec Configuring NAT Limitations Upgrade Instructions Technical Support _______________ Bugs Fixed in ComOS 3.9b8 No bugs have been fixed in ComOS 3.9b8. _______________ New Features in ComOS 3.9b8 The following commands and features have been added in ComOS 3.9b8. _______ Non-Facility Associated Signaling (NFAS) Non-facility associated signaling (NFAS) is a service offered by telephone companies that permits a single D channel to provide the signaling for a group of PRIs. This service allows the channel that is normally used for signaling on the remaining PRIs to be used as a B channel. Because combining the signaling onto a single D channel increases the consequences if communication with that channel fails, some telephone companies use the D channel backup (DCBU) system. DCBU requires two D channels per NFAS group, one as a primary and one as a secondary. The Lucent ComOS implementation of NFAS supports both standard NFAS and NFAS with DCBU across up to 20 PRIs. See the section titled "Configuring NFAS" for NFAS configuration information. _______ Layer 2 Tunneling Protocol (L2TP) ComOS 3.9b8 on the PortMaster 3 supports Layer 2 Tunneling Protocol (L2TP). You can configure the PortMaster 3 as both an L2TP access concentrator (LAC) and an L2TP network server (LNS). See the section titled "Configuring L2TP" for L2TP configuration information. _______ IP Security (IPSec) ComOS 3.9b8 on the PortMaster 3 supports virtual private networks (VPNs) and IP Security (IPSec). A properly configured PortMaster is capable of tunneling using the IP Encapsulation within IP (IPIP) and IPSec protocols and a Lucent proprietary Proxy-Tunnel protocol. Tunneling allows you to create custom network topologies that are independent of the underlying physical topology of the network, with or without additional security and authentication. See the section titled "Configuring IPSec" for more information. _______ Coprocessor Card for PortMaster 3 ComOS 3.9b8 now supports the coprocessor card (PM3-VPN, PortMaster 3 Coprocessor Card). To use IPSec, the coprocessor card must be installed in the PortMaster 3, into the same interface on the motherboard used by the Stac compression card (PM3-CMP). The PortMaster 3 can support either the Stac compression card or the coprocessor card, not both. The PortMaster 3 does not require the coprocessor card to run the IPIP or Proxy-Tunnel protocols. The following message is displayed on the console port at boot time if the coprocessor card is installed correctly and operating: Found MIPS 4640 daughterboard with 512Kb bytes of memory The coprocessor card is booted from the file named "mipsboot" on the NVRAM file system. You can use the "show files" command to verify that it exists. If it does not, you must upgrade your release of ComOS. To see which encryption algorithms and protocols are supported, use the "show ipsec modules" command. _______ Network Address Translator (NAT) ComOS 3.9b8 supports the network address translator (NAT) based on the latest IETF NAT document draft-ietf-nat-traditional-01.txt. The basic network address translator (basic NAT) maps IP addresses from one group to another, transparently to users and applications. The network address port translator (NAPT) is an extension to Basic NAT, in which multiple network addresses and their TCP and UDP ports are mapped to a single network address and its ports. ComOS supports both basic NAT and NAPT for both outbound and inbound sessions. It also supports an "outsource" mode where all NAT processing is done on the server-side of the connection. See the section titled "Configuring NAT" for more information. _______ Assigned IP for Dial-Out Locations Use the following command to configure a dial-out location on the PortMaster 3 to receive a dynamically assigned address: set location Locname local-ip-address assigned Locname Name of a location table entry. In previous releases of ComOS for the PortMaster 3, dial-out locations could not receive a dynamic address. _______ Enhanced PMVision support Additional support has been added to ComOS 3.9b8 to allow PMVision(TM) to monitor and configure PortMaster features. See PMVision 1.4 release notes for details. _______________ Configuring NFAS Non-facility associated signaling (NFAS) is a service offered by telephone companies that permits a single D channel to provide the signaling for a group of PRIs. This service allows the channel that is normally used for signaling on the remaining PRIs to be used as a B channel. Because combining the signaling onto a single D channel increases the consequences if communication with that channel fails, some telephone companies use the D channel backup (DCBU) system. DCBU requires two D channels per NFAS group, one as a primary and one as a secondary. The Lucent ComOS implementation of NFAS supports both standard NFAS and NFAS with DCBU across up to 20 PRIs. See the "Limitations" section before using NFAS. _______ Configuration To configure a line for NFAS operation, use the following command: set Line0 nfas Mode Identifier Group Line0 line0 or line1. Mode: primary This PRI contains the primary D channel. secondary This PRI contains the secondary D channel. slave This PRI contains no D channel. disabled Clear this PRI's NFAS configuration. Identifier Number between 0 and 19 that is unique among all PRI interfaces in the same NFAS group. Group Number between 1 and 99 identifying which NFAS group this PRI belongs to. The following example shows how to configure four PortMaster 3s on a common Ethernet with two NFAS groups, one with DCBU and one without. Each group contains two PortMaster 3s. NFAS bundle #1 (with DCBU) PM3-1 (Line0 contains the primary D channel. Line1 is a slave line.): set line0 nfas primary 0 1 set line1 nfas slave 1 1 save all reboot PM3-2 (Line0 is a slave line, and Line1 contains the secondary D channel): set line0 nfas slave 2 1 set line1 nfas secondary 3 1 save all reboot NFAS bundle #2 (without DCBU) PM3-3 (Line0 contains the primary D channel, and Line1 is a slave line): set line0 nfas primary 0 2 set line1 nfas slave 1 2 save all reboot PM3-4 (Line0 and Line1 are slave lines): set line0 nfas slave 2 2 set line1 nfas slave 3 2 save all reboot _______ Displaying General Information Several commands are available to display statistics and information specific to NFAS operation. show nfas The "show nfas" command displays neighboring PortMasters in the same NFAS group as this one and shows in-service D channel information and slave status. show nfas history The "show nfas history" command displays the last 40 significant messages exchanged between this PortMaster and its neighbors. show nfas stat The "show nfas stat" command displays the status of NFAS calls for PortMasters in the same group(s) as this one. _______ Displaying Debugging Information A new debug command has been added to aid in diagnosing problems that might occur in testing. set debug nfas on | off This command enables or disables the logging of NFAS events to the console. Remember to use "set console" before using this command. _______________ Configuring L2TP ComOS 3.9b8 on the PortMaster 3 supports Layer 2 Tunneling Protocol (L2TP). You can configure the PortMaster 3 as both an L2TP access concentrator (LAC) and an L2TP network server (LNS). The implementation of L2TP in ComOS 3.9b8 is based on the latest IETF L2TP draft (revision 12 and 13 as of this writing). For specific details of operation and protocol implementation of L2TP, refer to the IETF Internet-Drafts. L2TP allows PPP frames to be tunneled as follows from one PortMaster that answers an incoming call (LAC) to another PortMaster that processes the PPP frames (LNS): End user--->incoming call--->LAC--->LNS--->network access _______ Description and Applications The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP connections, to separate the functionality normally provided by a single NAS into two parts: * The L2TP access concentrator (LAC) provides the "physical" connection point between the telephone network (and therefore the dial-in user) and the host network. * The L2TP network server (LNS) terminates the PPP sessions and handles the "server-side" of the connection, such as authentication of the user, routing network traffic to and from the PPP user, and so forth. The LNS does not have any actual physical ports, only virtual interfaces. An outsourcer can use L2TP to provide dial-up ports to customers using a central and "shared" common physical dial-up pool. The pool resides in a shared access server (the LAC). The outsourcer's customers maintain a home gateway (the LNS) and some type of IP connectivity to the outsourcer. L2TP provides virtual dial-up ports to the outsourcer's customers. This use of L2TP is sometimes referred to as a virtual private dial-up network (VPDN). The service is transparent to the customer because users still terminate PPP sessions on the customer network via the LNS. RADIUS authentication, accounting, and IP address assignment are all done by the customer. The LAC does no PPP processing unless it is using partial authentication for determining the tunnel end point. It only accepts the call and establishes a tunnel to the LNS for that PPP session. The tunnel can be established based upon Called-Station-Id or User-Name (where partial authentication occurs on the LAC before tunnel establishment). For example, if you use Called-Station-Id and call-check with L2TP, the session follows these steps: 1. The end user places a call. 2. The LAC detects the incoming call. 3. The LAC using call-check sends an authentication request to a RADIUS server containing the Called-Station-Id and Calling-Station-Id check items before answering the call. 4. If the RADIUS server accepts the user, an access-accept message is returned to the LAC along with information on how to create the L2TP tunnel for this session: the type of tunnel, IP address of the LNS, and so on. 5. The LAC then creates a tunnel to the LNS by encapsulating the PPP frames into IP packets and forwarding those packets to the LNS. 6. The LNS negotiates PPP normally with the end user. _______ RADIUS Dictionary Updates for L2TP Add the following lines to your RADIUS dictionary: VALUE Service-Type Call-Check 10 VALUE NAS-Port-Type Virtual 5 ATTRIBUTE Tunnel-Type 64 integer ATTRIBUTE Tunnel-Medium-Type 65 integer ATTRIBUTE Tunnel-Server-Endpoint 67 string ATTRIBUTE Tunnel-Password 69 string VALUE Tunnel-Type L2TP 3 VALUE Tunnel-Medium-Type IP 1 The RADIUS daemon must be stopped and restarted to read the new dictionary. _______ RADIUS User Profiles for L2TP The user profiles for the LNS are the same as for your users who do not use L2TP. For the LAC, some new user profiles are required. Exactly which ones are dependent on whether you are using call-check or partial username-based tunneling on the LAC. The following profiles can be used on the RADIUS server serving the LAC for each scenario: # Using Called-Station-Id with Call-Check to route callers who dial # 555-1313 to the LNS "172.16.1.221". # Note that the LNS address must be enclosed in double quotation marks # because it is sent as a string, not as a 32-bit integer. DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check Service-Type = Framed-User, Framed-Protocol = PPP, Tunnel-Type = L2TP, Tunnel-Medium-Type = IP, Tunnel-Server-Endpoint = "172.16.1.221" # Same as the previous profile, but with a shared secret to # authenticate the session to the LNS. DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check Service-Type = Framed-User, Framed-Protocol = PPP, Tunnel-Type = L2TP, Tunnel-Medium-Type = IP, Tunnel-Password = "mrsparkle", Tunnel-Server-Endpoint = "172.16.1.221" In both these user profiles, the first line contains the RADIUS check item, with the Called-Station-ID being used to match the entry before the call is answered. The L2TP tunnel parameters from the matching entry are then sent in the RADIUS access-accept message. The Tunnel-Type specifies the tunneling protocol to be used. The Tunnel-Medium-Type specifies the transport medium over which the tunnel is created, IP for now. Tunnel-Server-Endpoint indicates the other end of the tunnel, the LNS in the case of L2TP. Note that the LNS address must be enclosed in double quotation marks because it is sent as a string, not as a 32-bit integer. If you are not using call-check and are instead providing partial authentication based on User-Name, the following user profile works. The user "bgerald" dials in to the LAC, which initiates a L2TP tunnel on the user's behalf to LNS 172.16.1.55. bgerald Password = "wackamole" Tunnel-Type = L2TP, Tunnel-Medium-Type = IP, Tunnel-Server-Endpoint = "172.16.1.55" _______ L2TP and RADIUS Accounting The LAC and LNS both log user sessions to RADIUS accounting, but different accounting data is available from each. If you are using call-check to establish the tunnel, the LAC's accounting data shows the Calling-Station-Id, but not the user's name because that information has not been passed over the link yet. The LNS accounting data shows both the Calling-Station-Id and the User-Name along with the assigned IP address. If partial authentication (instead of call-check) is taking place on the LAC, then the username might be available to it. In that case, the username appears in the RADIUS accounting logs for both the LNS and the LAC. In both cases, the LNS shows the NAS-Port-Type as "Virtual", while the LAC shows the NAS-Port-Type set to the actual physical interface's connection type. The LNS starts its NAS-Port numbering at 100. _______ Redundant Tunnel Server End Points To increase the robustness of L2TP, a user profile can be configured to contain redundant tunnel server end points. If the primary LNS fails, inbound L2TP tunnels can be redirected to other machines. Up to three redundant tunnel server end points can be specified. Any more than three are ignored by the LAC. The following example shows a RADIUS user profile with multiple redundant tunnel server end points. Each tunnel server end point is preceded by the tunnel medium type for that tunnel. DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234" Service-Type = Framed-User, Framed-Protocol = PPP, Tunnel-Type = L2TP, Tunnel-Medium-Type = IP, Tunnel-Server-Endpoint = "192.168.11.2", Tunnel-Medium-Type = IP, Tunnel-Server-Endpoint = "192.168.11.17", Tunnel-Medium-Type = IP, Tunnel-Server-Endpoint = "192.168.230.97" This feature provides redundant LNS backup, not load balancing. _______ L2TP Command Summary set l2tp noconfig | disable | enable lac | enable lns set l2tp authenticate-remote on | off set l2tp secret [ String15 | none ] show l2tp global | sessions | stats | tunnels reset l2tp [ stats | tunnel ] create l2tp tunnel udp Endpoint [ Password | none] set l2tp choose-random-tunnel-endpoint on | off set debug l2tp max | packets | rpc | setup | stats Use the following command to have the PortMaster load the L2TP feature on startup: set l2tp noconfig | disable | enable lac | enable lns noconfig Sets the PortMaster to have no configuration for L2TP. disable Sets L2TP off. L2TP is not used. enable lac Sets the PortMaster to be a LAC. enable lns Sets the PortMaster to be an LNS. When the PortMaster is configured to be an LNS, the line ports are configured for T1 and cannot be used for dial-in. The virtual S0 ports follow the W1 ports. Example: Command 0> set l2tp enable lns L2TP LNS will be enabled after next reboot After using the "set l2tp" command, you must use the "save all" command to save the configuration and the "reboot" command for the L2TP module to load. _______ Configuring L2TP to Initiate Authentication The following command configures L2TP to initiate tunnel authentication: set l2tp authenticate-remote on | off on The PortMaster initiates authentication with the other end point of the tunnel before a tunnel is established. off The PortMaster does not initiate authentication. This command determines only whether the PortMaster initiates the authentication. It does not determine how the PortMaster responds to an authentication request. The "set l2tp authenticate-remote" command functions the same on both a LAC and an LNS. _______ Configuring an L2TP Secret The "set l2tp secret" global command configures the L2TP password that the PortMaster uses to respond to all L2TP tunnel authentication requests. set l2tp secret String15 | none String15 0 to 15 character string used as a password when responding the L2TP tunnel authentication requests. none Removes the L2TP secret. This is the default. The "set l2tp secret" command sets the L2TP secret for the entire PortMaster. If a PortMaster configured as a LAC receives a tunnel authentication request, it uses the Tunnel-Password from the RADIUS access-accept packet, if present, instead of the global L2TP secret. _______ Displaying L2TP Information The following command shows information on how L2TP is functioning: show l2tp global | sessions | stats | tunnels The formats shown here are subject to change for the general availability release of ComOS 3.9. Command> show l2tp global debug packets debug stats debug setup Tunnel Authentication Enabled Initiation of Authentication Remote Tunnel Disabled Default Board Configuration Command> show l2tp sessions Id Assign-Id Tunnel-Id Portname 2305 1 1 S0 Command> show l2tp stats NEW_SESSION 1 NEW_TUNNEL 4 TUNNEL_CLOSED 3 HANDLE_CLOSED 3 L2TP_STATS_MEDIUM_HANDLE 3 INTERNAL_ERROR 14 CTL_SEND 9 CTL_REXMIT 1 CTL_RCV 10 MSG_CHANGE_STATE 4 WRONG_AVP_VALUE 3 EVENT_CHANGE_STATE 3 Command> show l2tp tunnels Id Assign-Id Hnd State Server-Endpoint Client-Endpoint 1 1 24 L2T_ESTABLISHE 192.168.6.13 192.168.10.28 _______ Resetting L2TP Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP statistics counters. reset l2tp [ stats | tunnel Id ] stats Resets the L2TP counters displayed by "show l2tp stat" to zero. tunnel If no tunnel ID is specified, all the L2TP tunnels are destroyed. Id A tunnel ID from 1 to 100. If a tunnel ID is specified, then only that one tunnel is destroyed. The "show l2tp tunnels" command displays a list of active tunnel IDs. _______ Creating an L2TP Tunnel Manually The following command manually brings up a L2TP tunnel for testing and troubleshooting: create l2tp tunnel udp Endpoint [ Password | none ] Endpoint IP address of the L2TP tunnel end point. Password Password to use when responding to a tunnel authentication request from the peer. If none is specified, the global L2TP secret is used if configured. Example: Command> create l2tp tunnel udp 149.198.110.19 OK _______ Selecting a Tunnel End point The following command determines in what order to choose an end point when multiple tunnel end points are returned in a RADIUS access-accept packet. set l2tp choose-random-tunnel-end point on | off on Causes the tunnel end point to be chosen randomly from the list of tunnel end points returned by RADIUS. off Selects the first tunnel end point that can be reached. Normally, when L2TP is configured with multiple tunnel end points the end points are chosen serially, always beginning with the first. If a tunnel cannot be established with the first, then the second is tried, and then the third. When this feature is on, a random tunnel end point is selected from those returned in the RADIUS access-accept packet. _______ Debugging L2TP The following command is used to troubleshoot L2TP problems: set debug l2tp max | packets Size | setup | stats max Provides the same debugging as setup, and stats combined. packets Shows a representation of the L2TP packets, similar to the "ptrace dump" command. Size 0 to 1500, number of bytes to display. setup Shows L2TP control messages and errors. stats Displays information that appears in "show l2tp stats" in more detail. _______________ Configuring IPSec ComOS 3.9b8 on the PortMaster 3 supports virtual private networks (VPNs) and IP Security (IPSec). A properly configured PortMaster is capable of tunneling using the IP Encapsulation within IP (IPIP) and IPSec protocols and a Lucent proprietary Proxy-Tunnel protocol. Tunneling allows you to create custom network toplogies that are independent of the underlying physical topology of the network, with or without additional security and authentication. For example, you can use VPN and IPSec to do the following on a PortMaster 3: * Encapsulate, encrypt, and/or authenticate IP packets * Outsource tunnels by user, location or interface * Redirect packets in the clear * Perform UDP packet forwarding services IPSec tunneling encapsulates, encrypts, and/or authenticates IP packets. IPIP ("IP within IP") tunneling encapsulates IP packets inside IP packets, with no encryption or authentication. Tunnel-Proxy is a Lucent proprietary tunneling protocol. Tunnel-Proxy places IP packets into UDP packets with the RSA Data Security, Inc. MD5 Message-Digest Algorithm signature for authentication. _______ Security Associations The security of the communications between two nodes is described manually by a security association (SA) table entry. This security association describes the parameters necessary to accomplish the desired security (security association bundle) between a pair of gateway nodes. Multiple security associations can be created to match different security policies for different peers or types of traffic. The following files are created in the PortMaster nonvolatile RAM file system: vpn Contains the saved security association table. random Contains random seed data for the next reboot. mipsboot Encryption card image. _______ IPSec Command Line Summary show sa Name show table sa show ipsec module add sa Name delete sa Name reset ipsec S0 set sa Name ah-inb-key | ah-inbound-key Key[/Bits] set sa Name ah-inb-spi | ah-inbound-spi SPI set sa Name ah-outb-key | ah-outbound-key Key[/Bits] set sa Name ah-outb-spi | ah-outbound-spi SPI set sa Name esp-inb-key | esp-inbound-key Key[/Bits] set sa Name esp-inb-spi | esp-inbound-spi SPI set sa Name esp-outb-key | esp-outbound-key Key[/Bits] set sa Name esp-outb-spi | esp-outbound-spi SPI set sa Name local-address @ether0 | @ipaddr set sa Name mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none set sa Name peer-identifier Ipaddress set sa Name proxy-destport Uport set sa Name proxy-localport Uport set sa Name proxy-secret Key[/Bits] set sa Name sec-proposal Method [Method2] Name Security association name up to 15 characters long. Key A number in decimal, hexadecimal or binary. Bits The key length in bits optionally follows the key value, separated by a slash "/". SPI Number in decimal, hex or binary---a 32-bit value 256 or higher. Ether0 Ethernet interface. Ipaddress IP address in dotted decimal format, or hostname up to 39 characters long. Uport UDP port between 1 and 65535. Method Supported security method. Method2 Supported security method. _______ Displaying Security Association Information The "show sa Name" command shows the entire configuration for the security association called Name. The output varies with the protocol used for that security association. The command also displays the status of the coprocessor card (PM3-VPN) if the card is not installed or not operating correctly. The "show sa table" command displays all security associations in a summary format. The "show ipsec module" command displays available IPSec methods. See the section titled "SEC-IPIP Commands" for more information. _______ Creating Security Associations Use the following commands to create the security association and define the mode (protocol) that it uses: add sa Name set sa Name mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none The "set sa Name mode" command can also be used to change the mode of an existing security association. Setting the security association mode erases any keys that were previously associated with this security association. ipip-tunnel Encapsulates packets into other IP packets. No security is provided. See the "IPIP Commands" section. proxy-tunnel This is a Lucent proprietary tunneling protocol. Tunnel-Proxy places IP packets into UDP packets with an MD5 signature for authentication. See the "Proxy-Tunnel Commands" section. sec-ipip-tunnel Encapsulates packets using the IPSec protocols in tunnel mode. See the "IPSec Commands" section. none Null configuration mode. Packets received on this security association are dropped. _______ Deleting Security Associations The following command deletes a security association: delete sa Name _______ Common Security Association Configuration Commands Each security association has a few common commands, and a few mode-specific commands. The common commands are listed in this section. The following command sets the IP address of the peer at the other end of this tunnel. set sa Name peer-identifier Ipaddress The following command sets the IP address of this end of this tunnel. The default is to use the address of the Ether0 interface. set sa local-address @ether0 | @ipaddr _______ IPSec Commands To set up an security association using IPSec, you must configure the following information. First create the security association and set the mode to "sec-ipip-tunnel" as follows: add sa Name set sa Name mode sec-ipip-tunnel Security Parameter Index: The Security Parameter Index (SPI) is a 32-bit number. The first 256 values are reserved and cannot be entered by users. The inbound SPI set on an IPSec gateway must match the outbound SPI set on the peer. Be careful not to assign the same SPI to two security associations on the same PortMaster. set sa Name ah-inb-spi | ah-inbound-spi SPI set sa Name ah-outb-spi | ah-outbound-spi SPI set sa Name esp-inb-spi | esp-inbound-spi SPI set sa Name esp-outb-spi | esp-outbound-spi SPI Examples: Command> set sa net172 esp-inbound-spi 11111111 Command> set sa net172 esp-outbound-spi 11110000 Command> set sa net172 ah-inbound-spi 11112222 Command> set sa net172 ah-outbound-spi 22220000 Authentication Header (AH) and Encapsulating Security Payload (ESP): Configure the security proposal to define the methods used for the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. ESP is the method used to encrypt the actual data (the "payload") contained in a packet. AH is used to authenticate a packet. Authentication guarantees that the packet comes from the node with which you share a security association and was not tampered with during transit. Use the "show ipsec module" command to see which methods are available. To use both ESP and AH together, specify two methods. Otherwise, just specify one in the following command: set sa Name sec-proposal Method [ Method2 ] The following methods are supported in ComOS 3.9b8: esp-des-rfc1827 Uses the Data Encryption Standard-cipher block chaining (DES-CBC) encryption protocol defined in RFC 1827 and 1829. The keys must be exactly 64 bits in length. esp-3des-rfc1827 Uses the triple-DES (3DES) encryption protocol. The keys must be exactly 192 bits in length. ah-md5-rfc1826 Uses the message digest 5 (MD5) hashing protocol defined in RFC 1826 and 1828. The keys must be between 32 bits and 128 bits in length. Use the following commands to set inbound and outbound keys for the chosen protocols: set sa Name esp-inbound-key Key[/Bits] set sa Name esp-outbound-key Key[/Bits] set sa Name ah-inbound-key Key[/Bits] set sa Name ah-outbound-key Key[/Bits] Name Security association name up to 15 characters long. Key Decimal, hexadecimal, or binary key. Bits The key length in bits optionally follows the key value. Example: Command> set sa net172 esp-inbound-key 0x0123456789abcd/64 Command> set sa net172 esp-outbound-key 0x0123456789abcd/64 Command> set sa net172 ah-inbound-key 0x0123456789abcd/128 Command> set sa net172 ah-outbound-key 0x0123456789abcd/128 While these examples use the same key for both inbound and outbound, and for both ESP and AH, you can use different keys for each of these. _______ Entering Static Keys You can enter keys as the following types of numbers: * Hexadecimal (hex)---base 16, starting with 0x * Decimal (the default)---base 10 * Binary---base 2, starting with 0b The key value is optionally followed by a slash ("/") and the key length in bits. For example: * 0x12345678/32 is a 32-bit key in hexadecimal. * 65535/16 is a 16-bit key in decimal. * 0b1111000011110000/16 is a 16-bit key in binary. Keys must fall on 8-bit boundaries. Some protocols allow only specific key lengths, while others allow a range of lengths. Keys are displayed in hexadecimal format. High-order bits not specified are zero-filled. For example, 0x12/32 is the same as 0x00000012/32. Once the key is entered, you cannot see it again. The security of your network depends on picking appropriate keys. You can have the PortMaster generate a key by using the special key value "random". For example: set sa Name esp-inbound-key random This command generates a random key of the correct length for the protocol. You must then copy this key to the peer in a secure fashion. _______ IPIP Commands To use the IPIP protocol, set the security association to IPIP mode using the following command: set sa Name mode ipip-tunnel _______ Proxy-Tunnel Commands To use the Lucent proprietary Proxy-Tunnel protocol, set the security association mode using the following command: set sa Name mode proxy-tunnel Each end of the tunnel chooses a UDP port between 1 and 65535 for sending and receiving packets. Lucent strongly recommends using a port that does not conflict with well known services. The same port number can be used at both ends, if desired. set sa Name proxy-localport Uport set sa Name proxy-destport Uport Each end of the tunnel chooses a shared secret and configures it. Lucent supports secrets from 8 to 512 bits long, and each secret must be a multiple of 8 bits long. set sa Name proxy-secret Key/Bits Name Security association name up to 15 characters long. Key Number in decimal, hexadecimal, or binary. Bits Key length in bits. Uport UDP Port between 1 and 65535. Example: Command> add sa lu77 Command> set sa lu77 proxy-tunnel Command> set sa lu77 proxy-localport 1050 Command> set sa lu77 proxy-destport 1051 Command> set sa lu77 proxy-secret 0x123456789/64 _______ Configuring Security Profiles An IPSec profile defines a set of characteristics -- the security association and the policy filter -- used on a router interface. A profile can be attached directly to a network interface, user, or location, or be assigned to a user with RADIUS. IPSec profiles use security association and policy filters to transfer packets. Profile names can be up to 15 characters long. Use the following commands to configure IPSec security profiles: show table sec-profile show sec-profile Name show ipsec stat add sec-profile Name delete sec-profile Name set S0 ipsec pda drop | icmp reject | passthrough set S0 | W1 | Ether0 ipsec active-profile Name set sec-profile Name blank set sec-profile Name Number pfilter | policy-filter PFName | none set sec-profile Name Number static-sa SAName | none set user Username ipsec outsource-profile Name set location Locname ipsec outsource-profile Name Name Security profile name up to 15 characters long. Number Rule number, 1 or higher PFName Policy filter name up to 15 characters long. SAName Security association name up to 15 characters long ________ Displaying Security Profile Information The "show table sec-profile" command displays a summary of all the sec-profiles. The "show sec-profile Name" command displays information about the security profile named. The "show ipsec stat " command displays a summary of all the sec-profiles, and the traffic generated: Router Profile Sec-Assoc Mode In-pkts Out-pkts In-Bad Out-Dropped port Type Name Pkts Pkts --- ------------------------------------------------------------------ ether0 Active-pr local sec-ip 3678 4534 0 0 ptp0 Active-pr remote ipip 2987 3768 0 0 _______ Adding Security Profiles Use the following command to add a security profile: add sec-profile Name Name Security profile name up to 15 characters long. _______ Deleting Security Profiles Use the following command to delete a security profile: delete sec-profile Name Name Security profile name. _______ Setting Security Profiles Use the following commands to configure a security profile after adding it: set sec-profile Name Number policy-filter PFName set sec-profile Name Number static-sa SAName A profile can be an active profile, a passive profile, or an outsource profile. An active profile is applied to outbound traffic and identifies a set of peers with which the PortMaster knows how to communicate. Passive profile is not supported in this release. An outsource profile refers to security associations established from any port of the PortMaster, based on the inbound traffic on a port. The policies set are based on the wire traffic, just as with the policies on other profiles. _______ Policy Filters Policy filters determine which data the PortMaster sends through its IPSec profiles. Policy filtering takes place right before the PortMaster routes a packet. The packet is compared against all the defined policy filters in a security profile. If none apply, the packet is routed as usual, without any VPN processing. NOTE: You must be very careful to not create security filters that might overlap each other in their coverage. For example, IP address ranges in two filters might overlap. If two filters overlap, only one security association is applied to the packet and you cannot determine which one. Policy filters are created like packet filters. For example, to process all packets destined for the network 10.200.1.0/24, you can create the following filter: add filter internal.sec set filter internal.sec 1 permit 0.0.0.0/0 10.200.1.0/24 Then you add and configure your security profile "examplespf": set sec-profile examplespf 1 policy-filter internal.sec You can also selectively process only certain types of traffic, and not others using "deny" statements. For example, you might use the following filter to encrypt all traffic except packets to TCP port 80 for HTTP: add filter internal.sec set filter internal.sec 1 deny tcp dst eq 80 set filter internal.sec 2 permit A "deny" keyword in a policy filter does not block packets that meet its criteria. Instead, the "deny" keeps the security association from being applied to those packets and passes the IP traffic through, unprocessed. If you want to block the traffic entirely, you must place input or output packet filters on the appropriate interface(s). _______ Attaching a Security Profile to a Network Interface Use the following commands to attach a security profile to a network interface: set S0|W1|Ether0 ipsec active-profile Name S0 Serial port. W1 Synchronous serial port. Ether0 Ethernet interface. Name Security profile name. _______ Attaching a Security Profile to a User Use the following command to attach a security profile to a user so that when the user logs in, the profile is attached to the user's interface: set user Username ipsec outsource-profile Name Username Name of a user in the user table. Name Security profile name. _______ Attaching a Security Profile to a Location Use the following command to attach a security profile to a location so that when the PortMaster connects to that location, the profile is attached to the resulting interface. set location Locname ipsec outsource-profile Name Locname Name of a location in the location table. Name Security profile name. _______ Filter Extensions The IPSec and IPIP protocols use their own protocols on top of IP, instead of using UDP or TCP. You can filter these protocols in packet filter rules, as in this example: add filter eg set filter eg 1 permit esp set filter eg 2 permit ah set filter eg 3 permit ipip You can also specify the protocol number in the filter as in this example: set filter eg 4 permit proto 4 IPIP is protocol type 4, ESP is protocol type 50, and AH is protocol type 51. _______ Resetting IPSec on a Port The following command resets VPN and IPSec on the designated port: reset ipsec S0 S0 Port name. _______ Debugging and Troubleshooting IPSec The profiles keep statistics of their traffic. Use the "show ipsec stat" command to show how much traffic was sent or received, and any invalid packets. Use the "set console" command, along with the following debug commands, to display any errors generated: set debug ipsec-max | ipsec-packets | ipsec-state [ on | off ] show ipsec modules The following command turns on all IPSec debugging: set debug ipsec-max on The following command shows packets going through the IPSec subsystem: set debug ipsec-packets on The following command shows state changes in the IPSec processor: set debug ipsec-state on The following command shows which protocols are in this ComOS, and provides version information for the "mipsboot" file that is run on the coprocessor card (PM3-VPN): show ipsec modules _______ IPSec Logging Use the following command to determine which IPSec activities are logged by the PortMaster: set Port ipsec log safail | sasuccess | syslog | console [ on | off ] The "safail" and "console" options are on by default. safail sasuccess syslog console _______ Policy Deny Action Use the following command for to determine what should be done with packets denied by policy filters. set Port ipsec pda drop | icmpreject | passthrough drop Default icmpreject passthrough _______ Using RADIUS IPSec parameters can be configured on a per-user basis with RADIUS. You must be running Lucent RADIUS server 2.1b6 or another RADIUS server that supports vendor-specific attributes. Add the following lines to your RADIUS dictionary, then stop and restart your RADIUS server: ATTRIBUTE Vendor-Specific 26 string ATTRIBUTE LE-Terminate-Detail 2 string Livingston ATTRIBUTE LE-Advice-of-Charge 3 string Livingston ATTRIBUTE LE-Connect-Detail 4 string Livingston ATTRIBUTE LE-SA-Id 5 string Livingston ATTRIBUTE LE-IPSec-Log-Options 9 integer Livingston ATTRIBUTE LE-IPSec-Policy-Deny 10 integer Livingston ATTRIBUTE LE-IPSec-Active-Profile 11 string Livingston ATTRIBUTE LE-IPSec-Outsource-Profile 12 string Livingston ATTRIBUTE LE-IPSec-Passive-Profile 13 string Livingston # # IPSEC PROTOCOL TYPES # VALUE LE-IPSec-Log-Options SA-Success-On 1 VALUE LE-IPSec-Log-Options SA-Failure-On 2 VALUE LE-IPSec-Log-Options Console-On 3 VALUE LE-IPSec-Log-Options Syslog-On 4 VALUE LE-IPSec-Log-Options SA-Success-Off 5 VALUE LE-IPSec-Log-Options SA-Failure-Off 6 VALUE LE-IPSec-Log-Options Console-Off 7 VALUE LE-IPSec-Log-Options Syslog-Off 8 # # IPSEC POLICY DENY ACTION VALUES # VALUE LE-IPSec-Policy-Deny Drop 1 VALUE LE-IPSec-Policy-Deny ICMP-Reject 2 VALUE LE-IPSec-Policy-Deny Pass-Through 3 Each RADIUS attribute or value corresponds to its command line equivalent. Refer to the usage information on a particular IPSec command in this release note for more information. Here is a sample RADIUS user profile for a user configured for IPSec: pepi Password = "notpepzi" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, LE-IPSec-Log-Options = Console-On, LE-IPSec-Outsource-Profile = "mypro" _______ Example Configurations The following are three examples of IPSec configuration. In each example, a remote office is configured to connect back to headquarters via an ISP. The first example uses an IPSec tunnel, the second uses an IPIP tunnel, and the third uses a Proxy-Tunnel tunnel. The remote office has a Frame Relay connection to a nearby ISP. The office has been assigned the network 192.168.1.0/24. The corporate headquarters uses the network 172.16.0.0/16. Headquarters uses the packet filter rules for the AH and ESP protocols to configure a firewall that allows IPSec traffic from the 192.168.1.0/24 network to pass through. Each location is using a PortMaster 3. NOTE: These examples use simple keys for readability. For best results in your configurations, take advantage of the full length of the key. _______ Example 1: Using IPSec Both locations are using the PortMaster 3 with the coprocessor card and need to do both encryption (ESP) and authentication (AH) using DES and MD5. The headquarters firewall is configured to allow IPSec traffic from the 192.168.1.0/24 network through, using the packet filter rules for AH and ESP. For IPSec: * On the remote PortMaster 3, create security association "corp" with appropriate SPIs, keys, and filter. Then create security profile "corp-pro" and attach it to a synchronous serial port. * On the PortMaster at headquarters, create security association "remote" with appropriate SPIs, keys, and filter. Then create security profile "remote-pro" and attach it to a synchronous serial port. pm3-remote (192.168.1.254): add sa corp set sa corp mode sec-ipip-tunnel set sa corp peer-identifier 172.16.1.1 set sa corp esp-inbound-spi 1001 set sa corp esp-outbound-spi 1002 set sa corp ah-inbound-spi 2001 set sa corp ah-outbound-spi 2002 set sa corp sec-proposal esp-des-rfc1827 ah-md5-rfc1826 set sa corp esp-inbound-key 0x9876543210/64 set sa corp esp-outbound-key 0x1234567890/64 set sa corp ah-inbound-key 0x98761234/128 set sa corp ah-outbound-key 0x12349876/128 add filter corp.sec set filter corp.sec 1 permit 192.168.1.0/24 172.16.0.0/16 add sec-profile corp_pro set sec-profile corp_pro 1 policy-filter corp.sec set sec-profile corp_pro 1 static-sa corp set w0 ipsec active-profile corp_pro save all pm3-corp (172.16.1.1): add sa remote set sa remote mode sec-ipip-tunnel set sa remote peer-identifier 192.168.1.254 set sa remote esp-inbound-spi 1002 set sa remote esp-outbound-spi 1001 set sa remote ah-inbound-spi 2002 set sa remote ah-outbound-spi 2001 set sa remote sec-proposal esp-des-rfc1827 ah-md5-rfc1826 set sa remote esp-inbound-key 0x1234567890/64 set sa remote esp-outbound-key 0x9876543210/64 set sa remote ah-inbound-key 0x12349876/128 set sa remote ah-outbound-key 0x98761234/128 add filter remote.sec set filter remote.sec 1 permit 172.16.0.0/16 192.168.1.0/24 add sec-profile remote_pro set sec-profile remote_pro policy-filter remote.sec set sec-profile remote_pro 1 static-sa remote set w48 ipsec active-profile remote_pro save all _______ Example 2: Using IPIP For IPIP, create a new security associations "corp-ipip" and "remote-ipip." Then create an IPIP tunnel and add each new security association to the appropriate security profile as a static security association. pm3-remote (192.168.1.254): add sa corp_ipip set sa corp_ipip mode ipip-tunnel set sa corp_ipip peer-identifier 172.16.1.1 set sec-profile corp_pro 1 static-sa corp_ipip pm3-corp (172.16.1.1): add sa remote_ipip set sa remote_ipip mode ipip-tunnel set sa remote_ipip peer-identifier 192.168.1.254 set sec-profile remote_pro 1 static-sa remote_ipip _______ Example 3: Using Proxy-Tunnel Protocol For the Proxy-Tunnel protocol, create a new security associations "corp-prox" and "remote-prox." Then create a proxy tunnel and add each new security association to the appropriate security profile as a static security association. pm3-remote (192.168.1.254): add sa corp_prox set sa corp_prox mode proxy-tunnel set sa corp_prox peer-identifier 172.16.1.1 set sa corp_prox proxy-localport 1050 set sa corp_prox proxy-destport 1051 set sa corp_prox proxy-secret 0x123456789/64 set sec-profile corp_pro 1 static-sa corp_prox pm3-corp (172.16.1.1): add sa remote_prox set sa remote_prox mode proxy-tunnel set sa remote_prox proxy-localport 1051 set sa remote_prox proxy-destport 1050 set sa remote_prox proxy-secret 0x123456789/64 set sec-profile remote_pro 1 static-sa remote-prox _______ Security Concerns Be aware of the following security concerns when using IPSec: * Denial of Service. If a large amount of random data has a valid SPI, the coprocessor card must decrypt the data and then dump it as invalid. The unnecessary decryption degrades performance and can cause denial of service for encrypted traffic. However, because the CPU on the coprocessor card handles only encryption, unencrypted traffic remains uninterrupted. Legitimate, but very heavy, traffic can also cause this problem. * No Byte Count. Most security protocols recommend that you do not use the same key for more than a certain number of bytes, depending on the protocol. Because the keys are manually configured, ComOS does not count the bytes sent with each key. As a result, you cannot automatically limit key use by byte count. This limitation will disappear when key management protocols are implemented in a future ComOS release. _______ References The implementation of IPSec in ComOS is based on the information in the following sources: * RFC 1321, The MD5 Message-Digest Algorithm * RFC 1825, Security Architecture for the Internet Protocol * RFC 1826, IP Authentication Header (AH) * RFC 1827, IP Encapsulating Security Payload (ESP) * RFC 1828, IP Authentication using Keyed MD5 (AH-MD5) * RFC 1829, The ESP DES-CBC Transform (ESPDES) * RFC 2003, IP Encapsulation within IP (IPIP) * "Applied Cryptography", Bruce Schneier. New York, NY: John Wiley and Sons, Inc., 1994. (ISBN 0-471-59756-2): - Diffie-Hellman algorithm - DES algorithm and DES-CBC method - Triple-DES (3DES) _______________ Configuring NAT ComOS 3.9b8 supports the network address translator (NAT) based on the latest IETF NAT document draft-ietf-nat-traditional-01.txt. The basic network address translator (basic NAT) capability maps IP addresses from one group to another, transparently to users and applications. The network address port translator (NAPT) capability is an extension to basic NAT in which multiple network addresses and their TCP and UDP ports are mapped to a single network address and its ports. ComOS supports both basic NAT and NAPT for both outbound and inbound sessions. It also supports an "outsource" mode in which all NAT processing is done on the server-side of the connection. While this release note only covers the PortMaster 3, other PortMaster products will also be supporting NAT and may be used in the examples in this section. None of the IP addresses or networks used in the examples are intended to refer to any actual real-world company or network assignment. _______ Quick Setup of Outbound NAPT ("Many-->One") Outbound NAPT is very common in a small office/home office (SOHO) situation. To configure, use the following command---entered all on one line: set Ether0 | S0 | W1 | location Locname | user Username nat outmap defaultnapt The port, location, or user is your connection to the outside world. For example, on a PortMaster dialing out to location "myisp" you enter the following: set location myisp nat outmap defaultnapt Then connect normally. You must reset the port if the connection has already been established. If this is a dial-on-demand location, then you must also reboot the PortMaster. With the "defaultnapt" NAT configuration, all the hosts behind the PortMaster will have their addresses translated to the IP address of the interface that is assigned to the location. _______ Concepts This section explains some of the terminology and hints to assist you in developing more complex NAT configurations in ComOS. For example, you might want to allow inbound connections---external connections into a web server that resides behind the PortMaster running NAT. Or you might need to renumber your network and want to use basic NAT to avoid renumbering the entire network. Private vs. Global IP Addresses: Global IP addresses are accessible from anywhere on the Internet. They are "external" to the PortMaster running NAT---at another branch office, for example, because NAT is not limited to the Internet. External hosts do not generally recognize any internal private IP addresses that you might have assigned to your local hosts. Private IP addresses are usually taken from one of the following ranges defined in RFC 1918, which are reserved specifically for this purpose: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8) 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) 192.168.0.0 - 192.168.255.255 (192.168.0.0/16) Lucent strongly recommends numbering your private IP network(s) with IP addresses from one of the reserved ranges rather then just selecting IP addresses randomly. Inbound vs. Outbound Sessions: A "session" in NAT is considered either inbound or outbound: * An inbound session is initiated to a client behind the NAT router by a host external to a private IP network. * An outbound session is initiated to an external host by a client within the NAT-covered private IP network. Basic NAT vs. NAPT: Basic NAT does a one-to-one mapping of a private IP address to a global IP address. You still must have a global IP address for every host with a private IP address that needs to connect to an external host at the same time. With basic NAT, you can configure dynamic IP address pools from which IP address allocations are made, allowing a number of private hosts to use a (possibly) smaller pool of global IP addresses. Or you can configure static IP address pools in which a static mapping exists for each host, requiring the size of the pool to match the number of hosts being translated. If you configure a dynamic pool and have fewer global IP addresses available than total private hosts, you will have a shortage of IP addresses if all the hosts try to access the external network simultaneously. This possibility needs to be accounted for in your planning. The network address port translator (NAPT) performs "port translation," allowing a number of hosts to communicate globally using only a single global IP address. Outsource Mode NAT: Outsource mode NAT allows a PortMaster to handle NAT processing and management for a connected network interface. If a remote router that the PortMaster is connected to can not run NAT locally, the PortMaster can perform NAT services for that device. All NAT configuration is handled on the PortMaster. A central site administrator can maintain all NAT mappings for all sites on the PortMaster without having to worry about the capabilities or management of a number of entirely separate routers. _______ Map Management NAT maps define the mappings and translations between global and private IP address space. The following map table commands are supported: show table map Shows all map files. show map Mapname Displays a map's contents. add map Mapname Creates a new map. delete map Mapname Deletes a map. save map Saves map contents into nonvolatile RAM. See the following section for map configuration commands. _______ Configuring Map Contents Entering NAT maps is very similar to configuring filters in ComOS. The basic command "set map Mapname" has five versions that you can use as follows---entered all on one line: 1. To define a single dynamic pool IP address map entry or range or list of entries, use the following command: set map Mapname Rulenumber addressmap Ipaddrxfrom Ipaddrxto | @ipaddr [log] 2. To define a single static pool IP address map entry or range or list of entries, use the following command: set map Mapname Rulenumber staticaddressmap Ipaddrxfrom Ipaddrxto | @ipaddr [log] 3. To define a static or dynamic TCP or UDP port range map entry or list of entries, use the following command: set map Mapname Rulenumber static-tcp-udp-portmap Ipaddxfrom:Tport1 | Uport1 | Portname Ipaddxto: Tport2 | Uport2 | Portname [log] 4 . To remove rule Rulenumber in a map file, use the following command: set map Mapname Rulenumber 5. To empty the contents of a map file, use the following command: set map Mapname blank Mapname Address map name of up to 15 characters. Rulenumber Integer between 1 and 20 Ipaddxfrom IP address or range or list of IP addresses to be translated. Ipaddxto IP address or range or list of IP addresses to translate to. Tport TCP number or range of numbers---between 1 and 65535. Uport UDP number or range of numbers---between 1 and 65535. Portname One of the following: telnet TCP port 23. ftp TCP ports 20 and 21. tftp UDP port 69. http TCP port 80. dns TCP/UDP port 53. smtp TCP port 25. @ipaddr IP address of the port being configured as the destination address. log Selectively logs events for this map entry. The following keywords have abbreviations for ease of entry: addressmap = amap staticaddressmap = samap static-tcp-udp-portmap = stupm Values for "Ipaddxfrom" and "Ipaddxto" can be a combination of the following, separated by commas (,): IP address/mask IP address - IP address IP address1,Ipaddress2, ... IP address The value for "Portnumber" can be a single port number or a range of ports such as "6000-6010" (for an inbound X Server) that you want statically mapped. This capability prevents your needing 10 map rules to accomplish the same mapping. Address mapping is applied to the first packet of the NAT session. When an inbound address map is defined for a port with this command, the translation succeeds only when the destination IP address of the first packet matches the "Ipaddrxfrom" address in the command. Example 1: An Office Router with IP address 192.168.129.129 is running NAT on a connection using the location "myisp". 1. Configure rule 1 for inbound NAT map myisp.inmap: set map myisp.inmap 1 static-tcp-udp-portmap 192.168.129.129:http 10.1.1.25 2. Configure the location: set location myisp nat inmap myisp.inmap BEFORE Inbound packet translation: Src: 130.65.2.3:12023 Dest: 192.168.129.129:80 (80 is http) AFTER translation using the above map: Src: 130.65.2.3:12023 Dest: 10.1.1.25:80 (80 is http) Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map allows you to configure one-to-one mappings of private IP addresses to global IP addresses. Using lists of addresses for these values allows the configuration of IP address allocation pools, from which global IPs can be dynamically or statically allocated for outbound sessions as they are required. Example 2: As a special case, the "Ipaddrxto" value for an address map can be set to "@ipaddr", when the address map is being used for outbound or outbound outsource. The special macro "@ipaddr" uses the IP address assigned to the port for which the address map is being used. The reserved map "defaultnapt" described in the section "Configuring Locations, Ports, and Users" is equivalent to the following map: 1 AddressMap 0.0.0.0/0 @ipaddr Log Example 3: Suppose you are using the "defaultnapt" map for outbound connections and want to allow an Internet host to connect to your internal FTP server, which is running on 10.4.2.9. To do so, you configure the following as an inbound map. You also have at least one global IP address, 192.168.2.4, assigned to your PortMaster as the global source address for all hosts residing behind NAT: 1. Configure rule 1 for inbound NAT map myisp.inmap: set map myisp.inmap 1 static-tcp-udp-portmap 192.168.2.4:ftp 10.4.2.9:ftp 2. Configure location myisp: set location myisp nat inmap myisp.inmap Example 4: Here is an outbound map that maps the host with the private IP address 10.5.3.6 to the global IP address 192.168.5.3. This is considered a basic NAT configuration. Notice that the two types of address maps are equivalent ONLY if you are mapping single IP addresses. 1. Configure rule 1 for outbound NAT map myisp.outmap: set map mysip.outmap 1 addressmap 10.5.3.6 192.168.5.3 (or) set map mysip.outmap 1 staticaddressmap 10.5.3.6 192.168.5.3 2. Configure location myisp: set location myisp nat outmap myisp.outmap Example 5: Here is a configuration using a global dynamic IP address pool range of 192.168.9.1 through 192.168.9.10 for hosts in the private network 10.9.9.0/24 for outbound NAT: 1. Configure rule 1 for outbound NAT map myisp.outmap: set map myisp.outmap 1 AddressMap 10.9.9.0/24 192.168.9.1-192.168.9.10 2. Configure the user, location, or port as shown in the previous examples. Example 6: The following creates a static IP address pool. The private IP address range 10.1.1.0/24 will be translated to the global IP address range 192.168.65.0/24 on the outbound transmission: 1. Configure rule 1 for outbound NAT map myisp.outmap: set map myisp.outmap 1 staticaddressmap 1 10.1.1.0/24 192.168.65.0/24 2. To allow inbound sessions to the same set of hosts, create an inbound map such as the following and apply it to the port: set map myisp.inmap 1 staticaddressmap 1 149.98.65.0/24 10.1.1.0/24 Note that both sides do not have to be using the same notation---the standard "Ipaddrxfrom" and "Ipaddrxto" syntax still applies. However, the total ranges on both sides must have the same number of IP addresses; otherwise, a one-to-one mapping is not possible. If you cannot do one-to-one mapping, create a dynamic IP pool, reduce the number of IP addresses being translated, or perhaps use NAPT for all or part of the private hosts instead. Although you have NAT configured for a specified port, user, or location, you are not required to translate the addresses of all the hosts behind the PortMaster running NAT. You can choose the hosts that NAT processing is done for by designing your maps around them. _______Configuring Locations, Ports, and Users The basic command "set Ether0 | S0 | W1 | location Locname | user Username" has five NAT versions that you can use as follows---entered all on one line---to configure the NAT connection to the outside world: 1. To set the maximum idle time for a NAT session, use the following command: set Ether0 | S0 | W1 | location Locname | user Username sessiontimeout tcp | other Number [minutes | seconds] 2. To set logging options for a NAT session on an interface, use the following command: set Ether0 | S0 | W1 | location Locname | user Username log sessionfail | sessionsuccess | syslog | console on | off 3. To set the default action that the PortMaster takes if a request for a NAT session is refused because the mapping configuration is invalid or does not exist, use the following command: set Ether0 | S0 | W1 | location Locname | user Username session-direction-fail-action drop | icmpeject | passthrough 4. To set the direction of an address map as inbound and optionally enable the outsource function, use the following command: set Ether0 | S0 | W1 | location Locname | user Username inmap Mapname [outsource] 5. To set the direction of an address map as outbound and optionally enable the outsource function, use the following command: set Ether0 | S0 | W1 | location Locname | user Username outmap Mapname [outsource] Leaving off the Mapname removes the map entry. You can assign the reserved map name "defaultnapt" to "outmap" for an outbound-only NAPT configuration, with the following results: * When "defaultnapt" is assigned as an outbound map, without the "outsource" option,all outbound IP sessions through the given port are subject to NAPT, using the IP address assigned to the port. * When "defaultnapt" is assigned to as an outbound map for the outsource port---using "outsource" in the command line)---all inbound IP sessions through the given port are subject to outsource NAPT using the IP address assigned to the port. NOTE: In the this release of NAT, inbound maps are restricted to static address maps and/or static TCP/UDP port maps only. Outbound maps do not have this limitation. _______ Using RADIUS Many NAT configuration parameters can also be configured via RADIUS on a per-user basis. For RADIUS to support the new vendor-specific attributes, you must be running Lucent RADIUS server 2.1b6 or later and must add the following to your RADIUS dictionary, then stop and restart your RADIUS server. RADIUS Dictionary Updates: ATTRIBUTE LE-NAT-TCP-Session-Timeout 14 integer Livingston ATTRIBUTE LE-NAT-Other-Session-Timeout 15 integer Livingston ATTRIBUTE LE-NAT-Log-Options 16 integer Livingston ATTRIBUTE LE-NAT-Sess-Dir-Fail-Action 17 integer Livingston ATTRIBUTE LE-NAT-Inmap 18 string Livingston ATTRIBUTE LE-NAT-Outmap 19 string Livingston ATTRIBUTE LE-NAT-Outsource-Inmap 20 string Livingston ATTRIBUTE LE-NAT-Outsource-Outmap 21 string Livingston VALUE LE-NAT-Sess-Dir-Fail-Action Drop 1 VALUE LE-NAT-Sess-Dir-Fail-Action ICMP-Reject 2 VALUE LE-NAT-Sess-Dir-Fail-Action Pass-Through 3 VALUE LE-NAT-Log-Options Session-Success-On 1 VALUE LE-NAT-Log-Options Session-Failure-On 2 VALUE LE-NAT-Log-Options Console-On 3 VALUE LE-NAT-Log-Options Syslog-On 4 VALUE LE-NAT-Log-Options Success-Off 5 VALUE LE-NAT-Log-Options Failure-Off 6 VALUE LE-NAT-Log-Options Console-Off 7 VALUE LE-NAT-Log-Options Syslog-Off 8 Each RADIUS parameter corresponds to its command line equivalent. Refer to the usage information on a particular NAT command in this release note for more information. The LE-NAT-Log-Options attribute, which sometimes requires multiple values, must have the values listed in succession one after another as in the following user profile: joe Auth-Type = System, Framed-Protocol = PPP Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, LE-NAT-Outmap = "defaultnapt", LE-NAT-Sess-Dir-Fail-Action = Drop, LE-NAT-Log-Options = Session-Failure-On, LE-NAT-Log-Options = Console-On _______ Session Management NAT sessions can be managed, viewed, and reset in several ways. You can display the currently active NAT sessions using the following command: show nat sessions You can limit the display to the sessions for a single port, user, or location by appending a regular expression at the end of the command line, as you can do with the "show routes" command. You can also view real-time statistics on NAT: show nat statistics This command displays statistics on a per port basis, including successful translations, failures, address shortages when you are using IP pools, and unsuccessful translations and/or lookups due to timeouts. Use the following command for debugging and to see resource usage: show nat mapusage This command displays a list of active IP address and port bindings, including a list of the remaining resources---TCP/UDP ports or IP addresses---available for use. _______ Resetting NAT Sessions You can reset the entire NAT subsystem with the following command: reset nat [Ether0 | S0 | W1] The default resets all existing NAT sessions on the PortMaster---like the "reset all" command. Specifying the name of an interface resets all NAT sessions associated with the specified interface. Use the "ifconfig" command to see a list of interfaces. CAUTION! Resetting any or all interfaces while sessions are active might cause active connections on clients and servers to be left open or terminated abruptly. Lucent recommends NOT entering this command while the PortMaster is being used because doing so can leave connections in an unknown state between the two communicating hosts. Resetting NAT affects already active NAT sessions only. If the NAT configuration on an active port has been modified, you must reset the port directly. _______ Resetting Individual NAT Sessions You can delete individual NAT sessions by using the session ID. This value is displayed in the first column of a "show nat sessions" output. Determine the session ID and then enter the following command: delete nat sessions [Sessionid] _______ Administrative Concerns Be aware that you might need to do the following when configuring your network in the presence of a NAT. Stopping the Advertisement of Routing Information: NAT creates a private network that cannot be advertised outside the private boundary delimited by the NAT router. As a result, you must be sure to disable network advertisements on the NAT router's global interface. For example if you are running NAT on an IRX-211, with Ether0 as your private interface and Ether1 as your global interface with NAT enabled on it, you must disable RIP broadcasts: set ether1 rip listen Or use the "off" option if you do not need to listen to route updates at all. If you are using OSPF, you must specify the private IP address range as "quiet": set ospf area 0.0.0.0 range 10.0.0.0/8 quiet If you are using BGP, you must not advertise any private IP address blocks to the outside world. Rerouting Global IPs Used by NAT to Static Routing: Because NAT is not equipped to advertise routing, the global IP addresses (or networks) used by NAT, might require the addition of static routes on the routers that are external peers of the PortMaster. Particularly, if you are using basic NAT to manage a pool of global addresses, you must configure a static route for the pool of addresses on the next-hop router of the PortMaster. Avoiding Ethernet LANs: NAT does not provide Ethernet ARP services for the global IP addresses it uses. For this reason, Lucent recommends that NAT be configured on WAN interfaces instead of Ethernet interfaces. If you choose to configure basic NAT on a LAN interface, be sure to select for use with NAT a global IP address block that does not fall within the same network prefix of the LAN interface itself. Determining If Additional Security, Privacy, and/or Firewalls Are Needed: Security is viewed differently in different environments. Many people view NAT as a one-way (session) traffic filter, restricting sessions from external hosts into their network. In that context, NAT provides a certain degree of security that might not be acceptable for your situation. In addition, address assignment in NAT is often done dynamically. Dynamically assigned addresses can often hinder an attacker from pointing to any specific host in the NAT domain as a potential target of attack. Partial privacy is gained because tracing an individual connection to a particular user is more difficult. You can use firewalls with NAT maps to provide other ways to filter unwanted traffic. However, NAT maps cannot by themselves transparently support all applications and often must co-exist with application-level gateways (ALGs)---for example, SOCKS. If you use NAT, you must determine the application requirements first so that you can assess the extensions to NAT and the security they provide. NAT routers have a security limitation that allows NAT and/or its application-level gateway extensions to read the packet data in the end user traffic that passes through them. This limitation is a security problem if the NAT routers are not in a trusted boundary. Although you can encrypt NAT traffic, NAT must usually be the end point to such an encryption-decryption setup. For example, you cannot configure end-to-end IPSec with NAT routers in between. The end point(s) must be a router running NAT. Lucent does not guarantee NAT as an complete security solution. Although placing your private network behind NAT might make it seem inaccessible to the outside, this is not the intention of NAT. You must evaluate the particular configuration, network topology, and security requirement of your organization to determine whether simply installing NAT eliminates the need for further security measures such as a firewall. Mapping for DNS: When configuring DNS on the hosts behind NAT, if you add a map similar to the following on the internal interface---usually Ether0 on an Office Router---you can enter the IP address of your Office Router as the DNS server. This is a useful feature if you do not always have the same DNS server, because of multiple providers, but do not want to reconfigure all your private hosts. Use the following commands---enter each all on one line: set map dns.inmap 1 static-tcp-udp-portmap @ipaddr:dns set ether0 nat inmap dns.inmap set location Locname nat outmap defaultnapt Handling Changes to On-Demand Locations: Because of the way that on-demand locations and their corresponding interfaces are traditionally handled within ComOS, NAT configuration changes might not take effect in the way you expect. To get around this problem, you can either reboot immediately after changing the settings for a location that is currently set to on-demand, or do the following: 1. Enter "set location Locname maxports 0". 2. Enter "reset dialer". 3. Change whatever settings you need to. 4. Enter the following: set location Locname maxports Manually dialed locations are unaffected. _______ NAT Examples 1. Dial-Out Location Using defaultnapt with a Dynamically Assigned PPP IP Address: Your Office Router OR-U is dialing into a corporate network's PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically assigned IP address for the Office Router in a NAPT configuration. Everything behind the Office Router is subject to NAPT. You configure the Office Router as follows: add location corporate set location corporate phone 5558583 set location corporate username joeuser set location corporate password secrets set location corporate destination 192.168.2.5 set location corporate max 2 set location corporate idle 15 minutes set location corporate on-demand set location corporate local-ip-address assigned set location corporate nat outmap defaultnapt 2. Preventing Address Renumbering Using Basic NAT on an Office Router: Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company (25.0.0.0/8) and must renumber its hosts to access Big Company's network. ABC has an ISDN connection from its Office Router to Big Company's network. Big Company has just assigned ABC the IP range 25.9.1.0/24 to use. ABC configures its Office Router as follows: add map abc.outmap set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24 add location bigcomp set location bigcomp phone 5558583 set location bigcomp username abc set location bigcomp password bigsecret set location bigcomp destination 25.1.1.7 set location bigcomp max 2 set location bigcomp idle 15 minutes set location bigcomp on-demand set location bigcomp local-ip-address 25.9.1.254 set location bigcomp nat outmap abc.outmap The abc.outmap NAT map will assign IP addresses dynamically as needed. If ABC wants to have static translations, abc.outmap on the Office Router must be changed as follows: set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24 3. Address Redirection to Perform Server Maintenance Using an IRX-211: The following two servers on your Ether1 provide inbound FTP and Web service: * primary.web.com at 129.65.2.1 * backup.web.com at 129.65.2.2 The IP addresses of primary and backup are global IP addresses. However, you need to take primary off-line to perform some maintenance work. Just before shutting down primary, you configure an inbound map on Ether0 that statically maps primary's address to backup. You use a basic NAT setup as follows: add map ether0.inmap set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2 set ether0 nat inmap ether0.inmap reset nat As part of this configuration, you might also want to set the NAT session-direction-fail-action (SDFA) to passthrough: set ether0 nat sdfa passthrough This setting prevents NAT from intercepting outbound packets from the remapped host when primary returns to service and you want to run a telnet or FTP session from it. 4. T1 or Fractional T1 (WAN) Link Using defaultnapt for Outbound and Providing Inbound HTTP Service: Line1 on your PortMaster 3 is a T1 (WAN) link with a private network 10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The HTTP server in the private network resides at 10.1.1.10. You configure the PortMaster 3 as follows: set w24 address 192.168.44.99 set w24 destination 192.168.44.254 set w24 nat outmap defaultnapt add map w24.inmap set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http 10.1.1.10:http set w24 nat inmap w24.inmap reset w24 5. Dial-In User Using defaultnapt in Outsource Mode: You want to provide NAT service to a user by connecting him or her in an outsource-mode NAPT configuration using the defaultnapt map on a PortMaster 3 (192.168.96.162). The global IP address 192.168.129.130 is assigned to the dial-up router and will be used to run NAT from. Because this configuration uses the defaultnapt map, you do not need to account for the IP addresses that the client's network is using. You configure the PortMaster 3 as follows: add netuser joeuser set user joeuser password mysecret set user joeuser max 2 set user joeuser protocol ppp set user joeuser destination 192.168.129.130 set user joeuser local-ip-address 192.168.96.162 set user joeuser nat outmap defaultnapt outsource No NAT configuration is required on the dial-up router (client) side. If the client also wants to run an FTP server with a private IP address of 192.168.5.1 on his network and have it accessible globally, you can configure further as follows: add map joeuser.inmap set map joeuser.inmap 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp set user joeuser nat inmap joeuser.inmap outsource 6. Dial-Out Location using a Dynamic IP Address Basic NAT Map: Your ISP gives you a small address block (192.168.129.129/29), but you have more hosts then global IP addresses available. You do not want to request more global IP addresses because of the added expense. In addition, because not all workstations use the connection at the same time, additional addresses will be wasteful. You want to use a dynamic IP address pool map instead. You configure your PortMaster as follows: add map isp.outmap set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29 add location isp set location isp phone 5558583 set location isp username mycompany set location isp password bigsecret set location isp destination negotiated set location bigcomp max 2 set location bigcomp continuous set location bigcomp local-ip-address assigned set location bigcomp nat outmap isp.outmap 7. Dial-Out Location Using a Static IP Address Basic NAT Map: Your ISP gives you an address block (192.168.130.0/24). You can use a dynamic IP address pool for your workstation IP addresses because they do not need Internet access at the same time. However, you must give two of your trusted systems static IP addresses for security reasons---to perform packet filtering, for example. You configure your PortMaster as follows: add map isp.outmap set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1 set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2 set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254 add location isp set location isp phone 5558583 set location isp username mycompany set location isp password bigsecret set location isp destination negotiated set location bigcomp max 2 set location bigcomp continuous set location bigcomp local-ip-address assigned set location bigcomp nat outmap isp.outmap _______ NAT-Unfriendly Applications: The following applications are considered NAT unfriendly, either because they embed the IP source and/or destination addresses in the packet data, are multicast or broadcast based, or rely on end-to-end node security: * Multicast-based applications * Routing protocols RIP and OSPF * DNS zone transfers * End-to-end IPSec * Anything that embeds the IP source and/or destination address(es) into the packet data. _______ Debugging and Troubleshooting Tips * Verify obvious values like correct IP addresses in map entries. * Make sure your maps match the flow of the session (inbound or outbound). Check "show nat sessions" output to make sure the correct translations are taking place. * Watch "show nat statistics" output for failed translations that can indicate incorrect session flow direction and possibly incomplete maps. * Watch the source and destination IP addresses of packets going through the PortMaster. You can find a simple ptrace debug filter for this purpose in the PortMaster Troubleshooting Guide. If you are running NAT on your WAN link, look for private IP addresses that are exiting the ptpXX interface untranslated, which can indicate either a problem with your NAT maps or that NAT is not active on the port. * Make sure that you reset the active network interface to make its NAT configuration take effect. In the case of an Ethernet interface, enter "reset nat ether0". * If a location is set to dial-on-demand, you might need to reboot the PortMaster for configuration changes to take effect. * If a port loses its network connectivity---the modem drops carrier---NAT maintains the state of any existing sessions ONLY if the IP address assigned to the port remains the same. * Because of the nature of NAT operation, some applications that work under basic NAT, might not work with NAPT. If you are using a particular application under NAPT and it is not working, try using basic NAT and see if the situation improves. _______ Logging Control You can activate syslog and console logging on a per-port basis to identify configuration errors and for auditing purposes. Enter the following command to configure logging of all NAT sessions that fail for any reason to the PortMaster console: set Ether0 | S0 | W1 | location Locname | user Username log sessionfail console on To log to syslog instead, enter "syslog" instead of "sessionfail". Syslog logging is logged at the priority level shown in "show syslog" output. If you have not set the PortMaster global option for logging NAT information to syslog, then no logging takes place, regardless of the logging options configured on any particular port. Lucent recommends that you do NAT logging at the same priority as packet filters: set syslog nat auth.notice You can also more selectively do logging for only certain map entries by appending the "log" keyword at the end of a particular map entry you want logged. For example: set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log Whenever a session from 192.168.1.1 is successfully translated to the global IP address 172.16.1.1 via this outbound map, a syslog message is sent to your loghost. Here is some sample syslog output: Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out. Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out. Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)-> (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80) Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)-> (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80) Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out. Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)-> (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80) Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out. Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23) Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23) _______ Debug Commands The following commands set ComOS debugging options for NAT: set debug nat-ftp on | off Displays FTP payload processing. set debug nat-icmp-err on | off Displays ICMP error payload processing. set debug nat-rt-interface on | off Displays NAT parameters changes during interface binding. set debug nat-max on | off Enables full NAT debugging. _______ Network Diagnostic Tools Because NAT includes ICMP and UDP translation, the two most common network diagnostic tools, ping and traceroute, can still be used---with the following restrictions: * When using NAPT, you will not be able to run traceroute or ping inbound to the private hosts because you cannot reach them directly from the outside. But you can use the tools in an outbound direction without any problems. * When using basic NAT, you can run traceroute and ping inbound but only if you have an inbound map active. You still must include an entry for the actual host you are trying to ping or trace routes to. As with NAPT, you can do all network diagnostics in outbound mode. _______ References * draft-ietf-nat-traditional-01.txt, The IP Network Address Translator (NAT) * RFC 1918, Address Allocation for Private Internets _______________ Limitations * Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and MDM-PM3-10) has been removed from this release, except for support of the V.110 protocol. The "True Digital 56K Card" (MDM-56K-8 and MDM-56K-10) is still supported. * Downgrading a PortMaster 3 from ComOS 3.9b8 to a previous release requires two successful downgrades. After the first successful downgrade the PortMaster is operational, but without system messages. The second downgrade applies the system messages. * The PortMaster 3 can support either the stac compression card or the IPSec coprocessor card, not both. Both cards use the same interface on the PortMaster 3 motherboard. * Neither the Internet Key Exchange (IKE) protocol nor the Internet Security Association Key Management Protocol (ISAKMP) is supported in this release. * IPSec passive profiles are not supported in this release. * NAT and IPSec cannot be configured to work together on the same port in this release. * This release does not support mixing of NFAS and non-NFAS PRIs in the same chassis. If one line is used for NFAS, the other line must be used for NFAS or left empty. * NFAS operates only on National ISDN (NI-2) switch types. * Configuring NFAS settings on a line that is not configured for ISDN or unable to perform ISDN functions makes the line behave strangely. * When you are using NFAS and a problem occurs on the physical PRI line with the D channel, the line sometimes does not return to service until you reset the D channel. * When a PortMaster running NFAS is rebooted, you must sometimes reset the D channel to return the PRI to service. _______________ Upgrade Instructions You can upgrade your PortMaster 3 using PMVision 1.3, or pmupgrade 4.0 from PMTools. Alternatively, you can upgrade using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole for Windows 3.5.1.4, or later releases. You can also upgrade using TFTP with the "tftp get comos" command from the PortMaster command line interface. See ftp://ftp.livingston.com/pub/le/software/java/pmvision13.txt for installation instructions for PMVision 1.3. *** CAUTION! If the upgrade fails, do NOT reboot! Contact *** Lucent Remote Access Technical Support without rebooting. The upgrade process on the PortMaster 3 erases the configuration area from nonvolatile memory and saves the current configuration into nonvolatile memory. Never interrupt the upgrade process, or loss of configuration information can result. WARNING! The amount of NVRAM available for saving configurations has been reduced from 128KB to 64KB. PortMaster products with configurations greater than 64KB will lose some of their configuration. For this reason be sure to backup your PortMaster configuration before upgrading to this release. You can check the amount of memory used for your configuration with the "show files" command. Ignore any files that also include an uncompressed size. IMPORTANT: Any PortMaster running ComOS 3.9b8 requires 4MB of RAM. If you are running BGP, 16MB of RAM is required. The installation software can be retrieved by FTP from ftp://ftp.livingston.com/pub/le/software/, and the upgrade image can be found at ftp://ftp.livingston.com/pub/le/upgrades: ComOS Upgrade Image Product _________ _____________ _____________________________________ 3.9b8 pm3_3.9b8 PortMaster 3 ________________________________________________________________________ Copyright and Trademarks Copyright 1999 Lucent Technologies. All rights reserved. PortMaster, ComOS, and ChoiceNet are registered trademarks of Lucent Technologies, Inc. RADIUS ABM, PMVision, IRX, and PortAuthority are trademarks of Lucent Technologies, Inc. All other marks are the property of their respective owners. Notices Lucent Technologies, Inc. makes no representations or warranties with respect to the contents or use of this publication, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies, Inc. reserves the right to revise this publication and to make changes to its content, any time, without obligation to notify any person or entity of such revisions or changes. Contacting Lucent Remote Access Technical Support Lucent Technologies Remote Access Business Unit (previously Livingston Enterprises) provides technical support via voice, fax, electronic mail, or through the World Wide Web at http://www.livingston.com/. Specify that you are running ComOS 3.9b8 when reporting problems with this release. Internet service providers (ISPs) and other end users in Europe, the Middle East, Africa, India, and Pakistan should contact their authorized Lucent Remote Access sales channel partner for technical support; see http://www.livingston.com/International/EMEA/distributors.html. For North and South America and Asia Pacific customers, technical support is available Monday through Friday from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966 within the United States (including Alaska and Hawaii), Canada, and the Caribbean, or 1-925-737-2100 from elsewhere, for voice support. Otherwise, fax to 1-925-737-2110, or send email to support@livingston.com (asia-support@livingston.com for Asia Pacific customers).