Clavister Firewall Changes from v6.01V to v7.00.01V

Release date: 2001-10-25 [ISO]

Clavister Firewall Core v7.00.01V is the first VPN gateway of the v7 series. The standard core functionality is the same as the v7.00.01 core. The VPN gateway functionality descends from version 6.01. There are no major changes in VPN gateway functionality, although a few small changes have been made.

For changes to the standard core, please see Changes-7.00.00-to-7.00.01.htm.

This document outlines bug fixes as well as improvements for the v7.00.01 VPN gateway.

For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.  


VPN Gateway Changes

  • ESP and AH cannot be configured with a "none" HMAC
    Proposals for ESP and AH can no longer be configured with a "none" HMAC. It is, however, still possible to configure ESP with a "none" encryption algorithm.

VPN Gateway Bug Fixes

  • Memory leak fixed
    Issue: A small amount of memory was sometimes leaked during key management, i.e. when new SAs are negotiated.
    Results: With many VPN connections opening and closing, especially ones with short lifetimes, all available RAM will sooner or later be consumed, leading to a reboot.
    Affects: All VPN gateways v5.11V -- v6.01V.
    Fixed: in v6.02V and v7.00.01V.

  • Key lengths were transmitted for ciphers with fixed key lengths
    Issue: During IKE negotiation, key lengths for ciphers with fixed key lengths were transmitted, even though they shouldn't be.
    Results: In situations where the Clavister VPN Gateway initiated SA negotiation, some IPsec implementations would not accept such proposals.
    Affects: All VPN gateways v5.11V -- v6.01V.
    Fixed: in v6.02V and v7.00.01V.

  • 'IkeSnoop' missed the first outbound packet
    Issue: The output of the 'ikesnoop' console command used to miss the first packet in an IKE negotiation that was sent by the VPN gateway itself.
    Affects: VPN gateways v6.00V and v6.01V.
    Fixed: in v6.02V and v7.00.01V.

VPN Gateway Known Bugs / Problems

  • Fragmented IKE packets are dropped
    If an IKE packet sent to the VPN gateway is fragmented, either during transport, or by the originator, it will be dropped.
    Typically, this is not a problem, as IKE packets tend to be only a few hundred bytes in length, well below the MTU of commonly used network types. However, it will be addressed in a future release.
    Workaround: If this behavior causes problems, you may try decreasing the size of your proposal lists, which will decrease the IKE UDP datagram size.
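As an added illustration, not Clavister's code, of two IKE points on this page (the Key Length attribute that a fixed-key cipher such as 3DES must not carry, and the way the initiator's first IKE datagram grows with the proposal list until it no longer fits the MTU), the following Python encodes IKEv1 Phase 1 SA payloads per RFC 2408/2409. The attribute set per transform, the 28800-second lifetime and the IP/UDP/ISAKMP overhead used in the MTU check are assumptions chosen for the example.

```python
import struct
# IKEv1 constants: RFC 2408 (ISAKMP framing), RFC 2409 App. A (attribute classes), RFC 3602 (AES id).
ENC_ALG, HASH_ALG, AUTH_METHOD, GROUP_DESC, LIFE_TYPE, LIFE_DUR, KEY_LEN = 1, 2, 3, 4, 11, 12, 14
CIPHERS = {"des": 1, "3des": 5, "aes": 7}
FIXED_KEY_CIPHERS = {"des", "3des"}   # key size is implied by the cipher: no Key Length attribute
HASHES = {"md5": 1, "sha1": 2}

def attr(cls, value):
    """Basic SA attribute: AF bit set, 15-bit class, 2-byte value (RFC 2408 section 3.3)."""
    return struct.pack("!HH", 0x8000 | cls, value)

def transform(num, cipher, hash_name, keybits=None, auth=1, group=2, seconds=28800):
    """One Phase 1 transform payload (Transform-Id KEY_IKE = 1); Next Payload is patched by sa_payload."""
    body = attr(ENC_ALG, CIPHERS[cipher]) + attr(HASH_ALG, HASHES[hash_name])
    body += attr(AUTH_METHOD, auth) + attr(GROUP_DESC, group)
    body += attr(LIFE_TYPE, 1) + attr(LIFE_DUR, seconds)   # lifetime in seconds (assumed), fits 16 bits
    if cipher not in FIXED_KEY_CIPHERS:                     # the v5.11V-v6.01V bug sent it for every cipher
        body += attr(KEY_LEN, keybits)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), num, 1, 0) + body

def parse_attrs(t):
    """Decode a transform payload's attributes back into {class: value} (basic and variable-length)."""
    attrs, i = {}, 8
    while i < len(t):
        cls, val = struct.unpack_from("!HH", t, i)
        if cls & 0x8000:                  # basic: the 2 bytes are the value
            attrs[cls & 0x7FFF], i = val, i + 4
        else:                             # variable length: the 2 bytes are a byte count
            attrs[cls], i = int.from_bytes(t[i + 4:i + 4 + val], "big"), i + 4 + val
    return attrs

def sa_payload(transforms):
    """SA payload (DOI=IPsec, SIT_IDENTITY_ONLY) with one proposal chaining all transforms."""
    n = len(transforms)
    chained = b"".join((b"\x03" if k < n - 1 else b"\x00") + t[1:] for k, t in enumerate(transforms))
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(chained), 1, 1, 0, n) + chained
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal

def ike_datagram_size(sa):
    """Wire size of the initiator's first main mode message: IP(20) + UDP(8) + ISAKMP header(28) + SA."""
    return 20 + 8 + 28 + len(sa)

def fits_mtu(sa, mtu=1500):
    """True when that first IKE packet needs no IP fragmentation at the given MTU."""
    return ike_datagram_size(sa) <= mtu

if __name__ == "__main__":
    sa = sa_payload([transform(k + 1, "3des", "sha1", group=g) for k, g in enumerate([1, 2, 5] * 20)])
    print("60 transforms ->", ike_datagram_size(sa), "bytes, fits a 1500 MTU:", fits_mtu(sa))
```

Running `fits_mtu` over a proposal list before deploying it is the check that tells you whether the workaround above (a shorter list) is needed for a given path MTU.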