1999/12/08 (revised 12/10)

		ComOS 3.9b26 Open Beta Release Note
			for the PortMaster 3


________________ Introduction

The new Lucent Technologies ComOS(R) 3.9b26 open beta software release
is now available for the PortMaster(R) 3 Integrated Access Server.

This open beta release is provided at no charge to all Lucent
customers, but is recommended only for customers who wish to test the
new functionality before the general availability (GA) release of 
ComOS 3.9.

Command syntax for new commands might change between this open beta
release and the general availability release of ComOS 3.9.

This release note documents commands and features added between ComOS
3.8.2 and ComOS 3.9b26 on the PortMaster 3.  This release note applies
only to the PortMaster 3.

The modem code in ComOS 3.9b26 is the same modem code included in 
ComOS 3.9b22 and ComOS 3.9b24 for the PortMaster 3.

Before upgrading, thoroughly read "ComOS 3.9b26 Limitations" and
"Upgrade Instructions."

WARNING! Due to the increased size of ComOS, the amount of nonvolatile
RAM (NVRAM) available for saving configurations has been reduced from
128KB to 64KB. PortMaster products with configurations greater than
64KB will lose some of their configuration. For this reason, be sure to
back up your PortMaster configuration before upgrading to this
release.  You can check the amount of memory used for your
configuration with the "show files" command. Ignore any files that also
include an uncompressed size.

WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade
to ComOS 3.9b26. If you are running an earlier release of ComOS,
upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.

NOTE: Any PortMaster running ComOS 3.9b26 requires 4MB of dynamic RAM
(DRAM). Use 16MB if you are running the Border Gateway Protocol (BGP).


_______________ Export Restrictions

This release of ComOS 3.9b26, available to any Lucent customer
worldwide, does not include support for the Data Encryption System
(DES) and Triple DES (3DES) encryption methods.

However, the Authentication Header (AH) RSA Data Security, Inc.  MD5
Message-Digest Algorithm (MD5) authentication feature of the IPSec
encryption ("coprocessor") card is available worldwide and is included
in ComOS 3.9b26.

Because of export restrictions, the DES and 3DES features for ComOS
3.9b26 will be handled on a case-by-case basis outside of the standard
release process. Any US-owned or Canadian-owned company wishing to
obtain this feature should call Cary Hayward at 1-925-730-2637. This
restricted release of ComOS 3.9b26enc168, which supports DES and 3DES,
is available to Lucent customers in the United States and Canada only.
To use DES or 3DES for encrypting data payloads, you must install the
IPSec encryption card (PM3-VPN).

Versions of ComOS 3.9b26 supporting DES and 3DES on the IPSec 
encryption card will be made available to customers in other countries 
as export licensing permits. Licensing approval is being sought at this 
time.

For more information, see the sections on "Virtual Private Network
(VPN) Tunneling" and "IPSec Encryption Card for the PortMaster 3".


_______________ Contents

Introduction
Export Restrictions
Bugs Fixed in ComOS 3.9b26
Reconfiguring NVRAM
New Features in ComOS 3.9b26
	RADIUS Authentication Failover
	RADIUS Accounting Retry Interval and Count
	Non-Facility Associated Signaling (NFAS)
	Layer 2 Tunneling Protocol (L2TP)
	Virtual Private Network (VPN) Tunneling
	IPSec Encryption Card for the PortMaster 3
	Network Address Translator (NAT)
	Assigned IP for Dial-Out Locations
	Port Required for Telnet Device Service
	Enhanced PMVision Support
Configuring NFAS
Configuring L2TP
Configuring VPN Tunneling
Configuring NAT
ComOS 3.9b26 Limitations
Troubleshooting Modems
Upgrade Instructions
Technical Support


_______________Bugs Fixed in ComOS 3.9b26

* The Point-to-Point Protocol (PPP) counters are now always reset when
a port is initialized. Previously, incorrectly set counters sometimes
caused the second link of a PPP multilink connection to fail.


* The PortMaster 3 no longer retains a remote router's Multichassis PPP
(MCPPP) master entry after the router disconnects.  Previously, under
certain conditions, the master entry remained after disconnection and
prevented the PortMaster from routing the packets of this remote router
when it dialed in again.

* Simple Network Management Protocol (SNMP) access to the serial table
for PortMaster user information now works properly. Earlier versions of
this release reported "No Response."

* A sporadic reboot problem has been fixed. The stack trace displayed
the message "Assertion failed: nbuf_p->bytes_left, file mdp_os.c, line
1586" when this problem occurred.

* Unauthorized Telnet connections are now timed out after 2 minutes.

* The "set maximum pmconsole" command now takes effect immediately.
Previously, active connections on port 1643 had to be reset before
changes were applied.

* Output for the "set debug ?" command has been enhanced.

* A RADIUS Login-User with the telnet login service no longer generates
a Framed-User start record erroneously.

* The AH and Encapsulating Security Payload (ESP) protocols now work
together.

* An administrative reset of a Layer 2 Tunneling Protocol (L2TP)
session now generates only one stop record instead of two.

* Accounting records for a RADIUS Administrative-User logging in to
port S0 now show the correct service type.

* Administrative logins logged to syslog no longer have the password
sent in clear text.

* The authentication packet sent for telnet logins now reports the
correct user type to the access log. Previously, the authentication
packet erroneously reported a user type of Outbound-User.

* Startup and shutdown accounting packets are now resent like other
accounting packets.

* When the PortMaster 3 receives an incoming V.110 setup request, it
now returns the message "Cause 88 Incompatible Destination."
Previously, the message "Release Complete with the Cause 17 User Busy"
was erroneously returned.

* The "show sessions" command no longer returns garbage characters at
the end of a 12-character location name.

* The "show table location" command now shows the full location name.

* The command "set user protocol ppp" no longer deletes the
Point-to-Point Protocol (PPP) asynchronous map.

* The attributes associated with the user are now deleted when the user
entry is deleted. For example, if a network user (netuser) named lee
configured with NAT is deleted, the old NAT configuration parameters
are no longer listed for any new user named lee.

* When the call-check feature has been enabled ("set call-check on"),
callback users specified through RADIUS are now authenticated.

* If a RADIUS menu user fails over a Telnet connection, an
administrative user is now allowed to telnet in. Previously, the
administrative user was rejected until the PortMaster 3 was rebooted.

* RADIUS accounting records for an L2TP access concentrator (LAC) now
include the Tunnel-Server-Endpoint information.  This information was
not provided in previous releases.

* When routing is disabled on a WAN port, the port status now reflects
this condition.

* BGP summarization settings that are configured with the "set bgp
summarization" command are now saved after you enter "save all" and
"reset bgp." Previously, only settings configured with the "add bgp
summarization" command were saved.

* Subnets included as part of an OSPF area range are now advertised as
internal OSPF routes. If not included as part of the range, they are
advertised as OSPF type 2 external (E2) routes. In previous releases,
the PortMaster 3 advertised routes in this way when they were part of
an assigned address pool, but not if they were subnets used to assign
static IP addresses.

* OSPF configuration information is now saved during an upgrade from
ComOS 3.7 to ComOS 3.9b26.

* Modem code fixes:

  - A downward spiraling upstream rate caused by an incorrect Link
    Access Procedure for Modems (LAPM) error check is fixed.

  - Rate reduction due to LAPM errors has been made less sensitive.

  - In the presence of LAPM retransmission errors, the modem code
    retrains to allow the link to adjust to a lower speed and improve
    throughput.

  - The number of disconnections from LAPM retrains within a retrain
    has been reduced.

  - The modem code now suspends LAPM transactions during any rate
    changes or retrains and thereby eliminates some connection
    failures, connections without error control, and some
    disconnections.

  - U.S. Robotics (USR) Telepath V.34 modems can now establish
    LAPM error correction. Previously under certain conditions, the 
    modem was choosing too high a connection rate and was unable 
    to establish LAPM error correction. The modem code now detects 
    these conditions and forces the connection speed down by one rate 
    to allow LAPM to be negotiated. 

  - For all modems, retrain detection has been improved to prevent some 
    client disconnections. 

  - For modems with Rockwell Semiconductor Systems (RSS) K56flex
    chipsets, fast rate changes now work properly. Previously, a retrain 
    was forced after a rate change. (RSS is now Conexant Systems Inc.) 

  - A NO EC (no error control) connection problem with Cirrus Logic 
    modems is fixed, and overall performance with Cirrus Logic 
    modems is improved. Cirrus Logic modems are now supported by
    Ambient Technologies.

  - The number of rate renegotiations with USR/3Com and Cirrus 
    Logic modems has been reduced because ComOS now allows 
    the client modem to specify spectral shaping. 

  - USR/3Com modem connections are now more reliable. 

  - Rate renegotiation and retrain problems with USR/3Com and Rockwell 
    HCF modems are fixed. 

  - Connectability with USR/3Com and Rockwell HCF modems and 
    LT Winmodems is improved. 

  - Motorola SM56 modems can now connect with V.90. 

  - A V.90-to-V.34 fallback problem, which can result in a disconnection,
    is fixed by earlier V.34 detection. 

  - A-law V.90 connectability is improved. 

  - K56flex connectability is improved by an increase in a K56flex timeout.


_______________ Reconfiguring NVRAM

After loading the new ComOS 3.9b26 and rebooting, look for messages
like the following on the console screen to verify that ComOS has
loaded successfully:

Testing System Memory.... 1024K
Checking Boot Rom....
Calibrating.... 33MHz
Starting FLASH Boot.....
Loading Image at 0fff0000
17110  flash copy complete
Verifying Load Module Checksum...
Starting Load Module ...
Loading kernel... 691260 bytes
Testing High Memory ... . 4096K
Loading kernel extensions... 125952 bytes
Async found in slot 1
Found 11 ports....
ether0 active ... 16K shared-RAM
Reconfiguring FLASH...
   Malloc size 65534 at 18a208
   Opened modules STD file
   Read 64506 bytes at 18a208
   read 1 buffers
   Call flash format
   Call freecntl
   Call save
   Call f_open
   Write 64506 bytes at 18a208
done - rebooting


_______________ New Features in ComOS 3.9b26

The following commands and features have been added in ComOS 3.9b26.


_______ RADIUS Authentication Failover

Authentication failover allows the PortMaster to dynamically switch 
primary and alternate RADIUS authentication servers according to 
their response. Use the following commands:

  set authentication interval Seconds
  set authentication failover on | off

The first command sets the response interval. The PortMaster sends a
RADIUS access-request packet every "interval" number of seconds. If no
response is received from the primary RADIUS server, the PortMaster
switches or "fails over" to the secondary authentication server. The
secondary RADIUS server then is treated as the primary, and is marked
with an asterisk (*) in "show global"output.

  set authentication interval Seconds

Seconds		A value between 1 and 255. The number of seconds that
		must elapse between RADIUS access-request
		retransmissions if the PortMaster receives no response.
		The default is 3 seconds, and 0 resets the value to the
		default. If the primary server does not respond,
		failover occurs after two times the Seconds value. For
		example, if "set authentication interval 6" is used,
		failover occurs in 12 seconds.

The second command enables the failover feature on the PortMaster 3:

  set authentication failover on | off

on	If the primary server fails to respond three times in a row,
	the PortMaster sends the packet to both the primary and
	secondary servers for the next seven retransmissions. If the
	secondary server replies before the primary server, the
	PortMaster switches the primary and secondary servers. 
	Then on the next login attempt, the PortMaster tries the 
	secondary server first.  If the secondary server fails to 
	respond three times in a row, the PortMaster sends the 
	packet to both servers and designates the server that replies 
	first as the new primary server.

off    	The PortMaster 3 always tries the primary server first, same as
	the current behavior. This is the default.


_____RADIUS Accounting Retry Interval and Count

The PortMaster attempts to send each RADIUS accounting packet every
"interval" seconds, and sends it the "count" number of times before
giving up. If an acknowledgement is received from the RADIUS 
accounting server, the PortMaster no longer tries to resend the 
accounting packet. If no acknowledgment is sent from the primary 
server in response to the first packet, the PortMaster sends the packet 
to both the primary and secondary RADIUS accounting servers.

   set accounting count Number
   set accounting interval Seconds

Number 		A decimal number between 1 and 99. The number of  
		times the PortMaster sends a RADIUS accounting  
		packet without acknowledgement from a RADIUS 
		server. 

Seconds		A decimal number between 1 and 255. The number of 
		seconds that must elapse between RADIUS accounting
		packet retransmissions if not acknowledged by the
		accounting server. The default is 30 seconds.

Use the "show global" command to view the Accounting Count and the
Accounting Interval settings.

Examples:

Command> set accounting count 45
Accounting retry count changed from 23 to 45

Command> set accounting interval 60
Accounting retry interval changed from 30 to 60 sec


_______ Non-Facility Associated Signaling (NFAS)

Non-facility associated signaling (NFAS) is a service offered by
telephone companies that permits a single D channel to provide the
signaling for a group of ISDN Primary Rate Interfaces PRIs. This 
service allows the channel that is normally used for signaling on the 
remaining PRIs to be used as a B channel.

Because combining the signaling onto a single D channel increases the
consequences if communication with that channel fails, some telephone
companies use the D channel backup (DCBU) system. DCBU requires two
D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS 
and NFAS with DCBU across up to 20 PRIs.

See the section titled "Configuring NFAS" for NFAS configuration
information. For more information about NFAS commands, see the 
PortMaster Command Line Reference. For detailed configuration 
information, see the PortMaster Configuration Guide.


_______ Layer 2 Tunneling Protocol (L2TP)

ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol
(L2TP). You can configure the PortMaster 3 as both an L2TP access
concentrator (LAC) and an L2TP network server (LNS).

See the section titled "Configuring L2TP" for L2TP configuration
information.

For more information about L2TP commands, see the 
PortMaster Command Line Reference. For detailed configuration 
information, see the PortMaster Configuration Guide.


_______ Virtual Private Network (VPN) Tunneling

ComOS 3.9b26 on the PortMaster 3 supports virtual private networks
(VPNs) and IP Security (IPSec). A properly configured PortMaster is
capable of tunneling using the IP Encapsulation within IP (IPIP) and
IPSec protocols and a Lucent proprietary Proxy Tunnel protocol.
Tunneling allows you to create custom network topologies that are
independent of the underlying physical topology of the network, with or
without additional security and authentication.

See the section titled "Configuring VPN Tunneling" for more 
information.

For more information about VPN tunneling commands, see the 
PortMaster Command Line Reference. For detailed configuration 
information, see the PortMaster Configuration Guide.


_______ IPSec Encryption Card for the PortMaster 3

ComOS 3.9b26 now supports the IPSec encryption ("coprocessor") card 
for the PortMaster 3 (PM3-VPN).  To use IPSec, you must install the 
IPSec encryption card in the PortMaster 3, into the same interface on 
the motherboard used by the Stac compression card (PM3-CMP).  The
PortMaster 3 can support either the Stac compression card or the
IPSec encryption card, not both.

The PortMaster 3 does not require the IPSec encryption card to run the 
IPIP or Proxy Tunnel protocols.

The following message is displayed on the console port at boot time if
the IPSec encryption card is installed correctly and operating:

  Found MIPS 4640 daughter board with 512Kb bytes of memory

The IPSec encryption card is booted from the file named "mipsboot" 
on the NVRAM file system. You can use the "show files" command to 
verify that this file exists. If it does not, you must upgrade your 
release of ComOS. To see which encryption algorithms and protocols 
are supported, use the "show ipsec modules" command.


_______ Network Address Translator (NAT)

ComOS 3.9b26 supports the network address translator (NAT) based on 
RFC 2663.

The basic network address translator (basic NAT) maps IP addresses from
one group to another, transparently to users and applications. The
network address port translator (NAPT) is an extension to basic NAT, in
which multiple network addresses and their TCP and UDP ports are mapped
to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound 
and inbound sessions. It also supports an "outsource" mode in 
which all NAT processing is done on the server side of the 
connection.

See the section titled "Configuring NAT" for more information.

For more information about NAT commands, see the PortMaster 
Command Line Reference. For detailed configuration information, 
see the PortMaster Configuration Guide.


_______ Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on the
PortMaster 3 to receive a dynamically assigned address:

  set location Locname local-ip-address assigned  | Ipaddress

Locname		Name of a location table entry.

In previous releases of ComOS for the PortMaster 3, dial-out locations
could not receive a dynamic address.


_______ Port Required for Telnet Device Service

The "set S0 service_device telnet" command now requires a TCP port number. 

  set S0 service_device telnet Tport

Tport	Specifies the TCP port for the connection. The range is from 
	1 to 65535.

Previously, if the port number was omitted, the PortMaster listened on
port 23, the default Telnet port. This behavior caused problems for
users telnetting to the PortMaster.


_______ Enhanced PMVision support

Additional support has been added to ComOS 3.9b26 to allow PMVision(TM) 
to monitor and configure ComOS 3.9b26 features on the PortMaster. See 
the most recent PMVision release note for details.


_______________ Configuring NFAS

Non-facility associated signaling (NFAS) is a service offered by
telephone companies that permits a single D channel to provide the
signaling for a group of PRIs. This service allows the channel that is
normally used for signaling on the remaining PRIs to be used as a
B channel.

Because combining the signaling onto a single D channel increases the
consequences if communication with that channel fails, some telephone
companies use the D channel backup (DCBU) system. DCBU requires two
D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS and
NFAS with DCBU across up to 20 PRIs.

See the "ComOS 3.9b26 Limitations" section before using NFAS.


_______ NFAS Configuration

To configure a line for NFAS operation, use the following command:

  set Line0 nfas primary | secondary | slave | disabled Identifier Group

Line0		line0 or line1.

primary		This PRI contains the primary D channel.

secondary	This PRI contains the secondary D channel.

slave		This PRI contains no D channel.

disabled	Clears this PRI's NFAS configuration.

Identifier     	Number between 0 and 19 that is unique among all PRI
		interfaces in the same NFAS group.

Group          	Number between 1 and 99 identifying which NFAS group
		this PRI belongs to.

Example:

The following example shows how to configure four PortMaster 3s on a
common Ethernet with two NFAS groups, one with DCBU and one without.
Each group contains two PortMaster 3s.

NFAS bundle #1 (with DCBU)
  PM3-1 (Line0 contains the primary D channel. Line1 is a slave line.):
    set line0 nfas primary 0 1
    set line1 nfas slave 1 1
    save all
    reboot

  PM3-2 (Line0 is a slave line, and Line1 contains the secondary
  D channel):
    set line0 nfas slave 2 1
    set line1 nfas secondary 3 1
    save all
    reboot

NFAS bundle #2 (without DCBU)
  PM3-3 (Line0 contains the primary D channel, and Line1 is a
  slave line):
    set line0 nfas primary 0 2
    set line1 nfas slave 1 2
    save all
    reboot

  PM3-4 (Line0 and Line1 are slave lines):
    set line0 nfas slave 2 2
    set line1 nfas slave 3 2
    save all
    reboot


_______ Displaying General NFAS Information

Several commands are available to display statistics and information
specific to NFAS operation.

  show nfas

The "show nfas" command displays neighboring PortMaster products 
in the same NFAS group as this one and shows in-service D channel 
information and slave status.

  show nfas history

The "show nfas history" command displays the last 40 significant
messages exchanged between this PortMaster and its neighbors.

  show nfas stat

The "show nfas stat" command displays the status of NFAS calls for
PortMaster products in the same group(s) as this one.


_______ Displaying NFAS Debugging Information

A new debug command has been added to aid in diagnosing problems that
might occur in testing.

set debug nfas on | off

This command enables or disables the logging of NFAS events to the
console. Remember to use "set console" before using this command, 
and "reset console" after turning off the debug process.


_______________ Configuring L2TP

ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol
(L2TP). You can configure the PortMaster 3 as both an L2TP access
concentrator (LAC) and an L2TP network server (LNS).

The implementation of L2TP in ComOS 3.9b26 is based on the latest IETF
L2TP draft (revision 12 and 13 as of this writing). For specific
details of operation and protocol implementation of L2TP, refer to the
IETF Internet-Drafts.

L2TP allows PPP frames to be tunneled as follows from one PortMaster
that answers an incoming call (the LAC) to another PortMaster that
processes the PPP frames (the LNS):

End user--->incoming call--->LAC--->LNS--->network access

NOTE: None of the IP addresses or networks used in the examples in 
this section are intended to refer to any actual real-world company 
or network assignment.


_______ Description and Applications

The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP
connections, to separate the functionality normally provided by a
single network access server (NAS) into two parts:

 * The L2TP access concentrator (LAC) provides the "physical"
   connection point between the telephone network (and therefore the
   dial-in user) and the host network.

 * The L2TP network server (LNS) terminates the PPP sessions and
   handles the "server-side" of the connection, such as authentication
   of the user, routing network traffic to and from the PPP user, and
   so forth. The LNS does not have any physical ports, only virtual 
   interfaces.

An outsourcer can use L2TP to provide dial-up ports to customers 
using a central, "shared" common physical dial-up pool. The pool 
resides in a shared access server (the LAC). The outsourcer's 
customers maintain a home gateway (the LNS) and some type of 
IP connectivity to the outsourcer. L2TP provides virtual dial-up 
ports to the outsourcer's customers. This use of L2TP is sometimes 
referred to as a virtual private dial-up network (VPDN).

The service is transparent to the customer because users still
terminate PPP sessions on the customer network via the LNS.  RADIUS
authentication and accounting and IP address assignment are all done by
the customer. The LAC does no PPP processing unless it is using partial
authentication for determining the tunnel end point. It only accepts
the call and establishes a tunnel to the LNS for that PPP session. The
tunnel can be established based upon Called-Station-Id or User-Name
(where partial authentication occurs on the LAC before tunnel
establishment).

For example, if you use Called-Station-Id and call-check with L2TP,
the session follows these steps:

1. The end user places a call.

2. The LAC detects the incoming call.

3. The LAC using call-check sends an authentication request to a 
   RADIUS server containing the Called-Station-Id and 
   Calling-Station-Id check items before answering the call.

4. If the RADIUS server accepts the user, an access-accept message
   is returned to the LAC along with information on how to create the
   L2TP tunnel for this session: the type of tunnel, IP address of the
   LNS, and so on.

5. The LAC then creates a tunnel to the LNS by encapsulating the PPP
   frames into IP packets and forwarding those packets to the LNS.

6. The LNS negotiates PPP normally with the end user.


_______ RADIUS Dictionary Updates for L2TP

Add the following lines to your RADIUS dictionary:

VALUE         Service-Type		Call-Check	10
VALUE         NAS-Port-Type		Virtual	5

ATTRIBUTE	Tunnel-Type		64      integer
ATTRIBUTE	Tunnel-Medium-Type	65      integer
ATTRIBUTE	Tunnel-Server-Endpoint	67      string
ATTRIBUTE	Tunnel-Password		69      string

VALUE		Tunnel-Type		L2TP	3
VALUE		Tunnel-Medium-Type 	IP	1

The RADIUS daemon must be stopped and restarted to read the new
dictionary.


_______ RADIUS User Profiles for L2TP

The user profiles for the LNS are the same as for your users who do 
not use L2TP.

For the LAC, some new user profiles are required. Exactly which 
additional user profiles you add depend on whether you are 
using call-check or partial username-based tunneling on the LAC. 
The following profiles can be used on the RADIUS server serving 
the LAC for either approach:

# Using Called-Station-Id with Call-Check to route callers who dial
# 555-1313 to the LNS "172.16.1.221".
# Note that the LNS address must be enclosed in double quotation 
# marks because it is sent as a string, not as a 32-bit integer.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.221"

# Same as the previous profile, but with a shared secret to 
# authenticate the session to the LNS.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Password = "mrsparkle",
        Tunnel-Server-Endpoint = "172.16.1.221"

In both user profiles, the first line contains the RADIUS check item,
with the Called-Station-ID being used to match the entry before the
call is answered. The L2TP tunnel parameters from the matching entry
are then sent in the RADIUS access-accept message.

The Tunnel-Type specifies the tunneling protocol to be used. The
Tunnel-Medium-Type specifies the transport medium over which the tunnel
is created, IP for now. Tunnel-Server-Endpoint indicates the other end
of the tunnel, the LNS in the case of L2TP.

Note that the LNS address must be enclosed in double quotation marks
because it is sent as a string, not as a 32-bit integer.

If you are not using call-check and are instead providing partial
authentication based on User-Name, the following user profile works.
The user "bgerald" dials in to the LAC, which initiates an L2TP tunnel
on the user's behalf to LNS 172.16.1.55.

bgerald Password = "wackamole"
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.55"


_______ L2TP and RADIUS Accounting

The LAC and LNS both log user sessions to RADIUS accounting, but
different accounting data is available from each.

If you are using call-check to establish the tunnel, the LAC's
accounting data shows the Calling-Station-Id, but not the user's name,
because that information has not yet been passed over the link. The LNS
accounting data shows both the Calling-Station-Id and the User-Name
along with the assigned IP address.

If partial authentication (instead of call-check) is taking place on
the LAC, then the username might be available to it. In that case, the
username appears in the RADIUS accounting logs for both the LNS and the
LAC.

In both cases, the LNS shows the NAS-Port-Type as "Virtual", while the
LAC shows the NAS-Port-Type set to the connection type of the physical
interface.

The LNS starts its NAS-Port numbering at 100.


_______ Redundant Tunnel Server End Points

To increase the robustness of L2TP, a user profile can be configured to
contain redundant tunnel server end points. If the primary LNS fails,
inbound L2TP tunnels can be redirected to other machines.

Up to three redundant tunnel server end points can be specified.  Any
more than three are ignored by the LAC.

The following example shows a RADIUS user profile with multiple
redundant tunnel server end points. Each tunnel server end point is
preceded by the tunnel medium type for that tunnel.

DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.2",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.17",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.230.97"

This feature provides redundant LNS backup, not load balancing.


_______ L2TP Command Summary

set l2tp noconfig | disable | enable lac | enable lns
set l2tp authenticate-remote on | off
set l2tp secret [ Password | none ]
show l2tp global | sessions | stats | tunnels
reset l2tp [ stats | tunnel Number]
create l2tp tunnel udp Ipaddress [ Password | none]
set l2tp choose-random-tunnel-endpoint on | off
set debug l2tp max | packets [Bytes] | setup | stats

Use the following command to have the PortMaster load the L2TP 
feature on startup:

  set l2tp noconfig | disable | enable lac | enable lns

noconfig	Sets the PortMaster to have no L2TP 
		configuration.

disable		Sets L2TP off. L2TP is not used.

enable lac	Sets the PortMaster to be a LAC.

enable lns	Sets the PortMaster to be an LNS.

When the PortMaster is configured to be an LNS, the line ports are
configured for T1 and cannot be used for dial-in. The virtual S0 ports
follow the W1 ports.

Example:

Command 0> set l2tp enable lns
L2TP LNS will be enabled after next reboot

After using the "set l2tp" command, you must use the "save all" command
to save the configuration and the "reboot" command for the L2TP module
to load.


_______ Configuring L2TP to Initiate Authentication

The following command configures L2TP to initiate tunnel authentication:

  set l2tp authenticate-remote on | off

on	The PortMaster initiates authentication with the other end point
	of the tunnel before a tunnel is established. This is the default.

off	The PortMaster does not initiate authentication.

This command determines only whether the PortMaster initiates the
authentication. It does not determine how the PortMaster responds to
an authentication request. The "set l2tp authenticate-remote" command
functions the same on both a LAC and an LNS.


_______ Configuring an L2TP Secret

The "set l2tp secret" global command configures the L2TP password that
the PortMaster uses to respond to all L2TP tunnel authentication
requests. The L2TP secret takes effect only after you issue a 
"reset l2tp command.

  set l2tp secret Password | none

Password	String of up to 15 characters that the PortMaster
		uses to respond to L2TP tunnel authentication 
		requests.

none		Removes the L2TP secret. This is the default.

The "set l2tp secret" command sets the L2TP secret for the entire
PortMaster.

If a PortMaster configured as a LAC receives a tunnel authentication
request, it uses the Tunnel-Password from the RADIUS access-accept
packet, if present, instead of the global L2TP secret.


_______ Displaying L2TP Information

The following command shows information on how L2TP is functioning:

  show l2tp global | sessions | stats | tunnels

Examples:

Command> show l2tp global
debug packets debug stats debug setup
Tunnel Authentication Enabled
Initiation of Authentication Remote Tunnel Disabled
Default Board Configuration

Command> show l2tp sessions
Id  Assign-Id	Tunnel-IdPortname	State
31  21         	75	S1		ESTABLISHED  fl=8045

Command> show l2tp stats
NEW_SESSION 			1
NEW_TUNNEL 			4
TUNNEL_CLOSED 			3
HANDLE_CLOSED 			3
L2TP_STATS_MEDIUM_HANDLE 	3
INTERNAL_ERROR 			14
CTL_SEND    			9
CTL_REXMIT  			1
CTL_RCV     			10
MSG_CHANGE_STATE   		4
WRONG_AVP_VALUE 		3
EVENT_CHANGE_STATE 		3

Command> show l2tp tunnels
Id  Assign-IdHnd State      		#Ses	Server-Endpoint	Client-Endpoint
75  65	14 	L2T_ESTABLISH	1	192.168.6.13	192.168.10.28


_______ Resetting L2TP

Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP
statistics counters.

  reset l2tp [ stats | tunnel Number ]

stats		Resets the L2TP counters displayed by "show l2tp 
		stats" to zero.

tunnel		If no tunnel ID is specified, all L2TP tunnels are
		destroyed and all related PPP sessions are terminated.

Number		A tunnel ID from 1 to 100. If a tunnel ID is specified, 
		only that one tunnel is destroyed. The "show l2tp 
		tunnels" command displays a list of active tunnel IDs.


_______ Creating an L2TP Tunnel Manually

The following command manually brings up an L2TP tunnel for testing 
and troubleshooting:

  create l2tp tunnel udp Ipaddress [ Password | none ]

Ipaddress	IP address of the L2TP tunnel end point.

Password	Password that the PortMaster uses when 
		responding to a tunnel authentication request 
		from the tunnel end point. If no password 
		is specified, the global L2TP secret is used if
		configured.

none		Sets the PortMaster to use the L2TP secret
		configured for it with the "set l2tp secret"
		command. This is the default.

Example:

Command> create l2tp tunnel udp 149.198.110.19
OK


_______ Selecting a Tunnel End Point

The following command determines in what order to choose an end point
when multiple tunnel end points are returned in a RADIUS access-accept
packet.

  set l2tp choose-random-tunnel-end point on | off

on	Causes the tunnel end point to be chosen randomly from the list
	of tunnel end points returned by RADIUS.

off	Selects the first tunnel end point that can be reached.

Normally, when L2TP is configured with multiple tunnel end points, the
end points are chosen serially, always beginning with the first. If a
tunnel cannot be established with the first, then the second is tried,
and then the third. When this feature is enabled, a random tunnel end
point is selected from those returned in the RADIUS access-accept
packet.


_______ Debugging L2TP

The following command is used to troubleshoot L2TP problems:

  set debug l2tp max | packets Bytes | setup | stats

max		Provides the same debugging as setup, packets, 
		and stats combined.

packets		Shows a representation of the L2TP packets, similar to
		the "ptrace dump" command.

Bytes		0 to 1500, number of bytes to display.

setup		Shows L2TP control messages and errors.

stats		Displays information that appears in "show l2tp stats"
		in more detail.

Remember to use "set console" before using this command, and 
"reset console" after turning off the debug process.


_______________ Configuring VPN Tunneling 

ComOS 3.9b26 on the PortMaster 3 supports virtual private networks
(VPNs) and IP Security (IPSec). A properly configured PortMaster is
capable of tunneling using the IP Encapsulation within IP (IPIP) and
IPSec protocols and a Lucent proprietary Proxy Tunnel protocol.
Tunneling allows you to create custom network topologies that are
independent of the underlying physical topology of the network, with or
without additional security and authentication.

For example, you can use VPN and IPSec to do the following on a
PortMaster 3:

* Encapsulate, encrypt, and/or authenticate IP packets

* Outsource tunnels by user, location, or interface

* Redirect packets in the clear

* Perform UDP packet-forwarding services

IPSec tunneling encapsulates, encrypts, and/or authenticates IP
packets.

IPIP ("IP within IP") tunneling encapsulates IP packets inside IP
packets, with no encryption or authentication.

Proxy Tunnel is a Lucent proprietary tunneling protocol. Proxy 
Tunnel places IP packets into UDP packets with the RSA Data 
Security, Inc. MD5 Message-Digest Algorithm signature for 
authentication.


_______ Security Associations

The security of the communications between two nodes is described
manually by a security association (SA) table entry. This security
association describes the parameters necessary to accomplish the
desired security (security association bundle) between a pair of
gateway nodes. Multiple security associations can be created to match
different security policies for different peers or types of traffic.

The following files are created in the PortMaster nonvolatile RAM file
system:

vpn		Contains the saved security association table.
random		Contains random seed data for the next reboot.
mipsboot	Encryption card image.


_______ VPN Command Summary

Use the following commands to configure VPN security associations. 
The commands for configuring security profiles are listed in the section 
"Configuring Security Profiles."

show sa Saname
show table sa
show ipsec modules

add sa Saname
delete sa Saname
reset ipsec  [Ether0 | S0 | W1] 

set sa Saname ah-inb-key | ah-inbound-key Key/[Bits] | random 
set sa Saname ah-inb-spi | ah-inbound-spi SPI
set sa Saname ah-outb-key | ah-outbound-key Key/[Bits] | random
set sa Saname ah-outb-spi | ah-outbound-spi SPI
set sa Saname esp-inb-key | esp-inbound-key Key/[Bits] | random
set sa Saname esp-inb-spi | esp-inbound-spi SPI
set sa Saname esp-outb-key | esp-outbound-key Key/[Bits] | random
set sa Saname esp-outb-spi | esp-outbound-spi SPI

set sa Saname local-address @ether0 | @ipaddress
set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none
set sa Saname peer-identifier Ipaddress
set sa Saname proxy-destport Uport
set sa Saname proxy-localport Uport
set sa Saname proxy-secret Key/Bits
set sa Saname sec-proposal Method1  [Method2]

Saname		Security association name up to 15 characters long.

Key		A number in decimal, hexadecimal or binary. 

Bits            	The key length in bits optionally follows the key
		value, separated by a slash "/".

SPI		Number in decimal, hex or binary---a 32-bit value 256 or
		higher.

Ether0		Ethernet interface.

Ipaddress	IP address in dotted decimal format, or hostname up to 
		39 characters long.

Uport		UDP port between 1 and 65535.

Method1	Supported security method.

Method2	Supported security method.


_______ Displaying Security Association Information

The "show sa Saname" command shows the entire configuration 
for the security association called Saname. The output varies with 
the protocol used for that security association. The command also 
displays the status of the IPSec encryption card (PM3-VPN) if the 
card is not installed or not operating correctly.

The "show table sa" command displays all security associations in a
summary format.

The "show ipsec modules" command displays available Layer 3
VPN tunneling methods. See the section titled "IPSec Commands" 
for more information.


_______ Creating Security Associations

Use the following commands to create the security association and
define the mode (protocol) that it uses:

  add sa Saname
  set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none

The "set sa Saname mode" command can also be used to change 
the mode of an existing security association. Setting the security 
association mode erases any keys that were previously associated 
with this security association.

ipip-tunnel     	Encapsulates packets into other IP packets.
		No security is provided. See the "IPIP 
		Commands" section.

proxy-tunnel   	This is a Lucent proprietary tunneling protocol.
		Proxy Tunnel places IP packets into UDP packets 
		with an MD5 signature for authentication. See the 
		"Proxy Tunnel Commands" section.

sec-ipip-tunnel	Encapsulates packets using the IPSec protocols in
		tunnel mode.  See the "IPSec Commands" section.

none           	Null configuration mode. Packets received on
		this security association are dropped.


_______ Deleting Security Associations

The following command deletes a security association:

  delete sa Saname


_______ Common Security Association Configuration Commands

Each security association has a few common commands, and a few 
mode-specific commands. The common commands are listed in this 
section.

The following command sets the IP address of the peer at the other 
end of this tunnel.

  set sa Saname peer-identifier Ipaddress

The following command sets the IP address of this end of this tunnel.
The default is to use the address of the Ether0 interface.

  set sa local-address @ether0 | @ipaddress


_______ IPSec Commands

To set up a security association using IPSec, you must configure 
the following information. First, create the security association
and set the mode to "sec-ipip-tunnel" as follows:

  add sa Saname
  set sa Saname mode sec-ipip-tunnel

Security Parameter Index:

The security parameter index (SPI) is a 32-bit number. The first 256
values are reserved and cannot be entered by users. The inbound SPI
set on an IPSec gateway must match the outbound SPI set on the peer.
Be careful not to assign the same SPI to two security associations on
the same PortMaster.

  set sa Saname ah-inb-spi | ah-inbound-spi SPI
  set sa Saname ah-outb-spi | ah-outbound-spi SPI
  set sa Saname esp-inb-spi | esp-inbound-spi SPI
  set sa Saname esp-outb-spi | esp-outbound-spi SPI

Examples:

Command> set sa net172 esp-inbound-spi 11111111
Command> set sa net172 esp-outbound-spi 11110000
Command> set sa net172 ah-inbound-spi 11112222
Command> set sa net172 ah-outbound-spi 22220000

AH and ESP Protocols:

Configure the security association to define the methods used for 
the Authentication Header (AH) and Encapsulating Security Payload 
(ESP) protocols.

ESP is the method used to encrypt the actual data (the "payload")
contained in a packet.

AH is used to authenticate a packet. Authentication guarantees that
the packet comes from the node with which you share a security
association and was not tampered with during transit.

Use the "show ipsec module" command to see which methods are 
available.

To use both ESP and AH together, specify two methods. Otherwise, 
just specify one in the following command:

  set sa Saname sec-proposal Method [ Method2 ]

The following methods are supported in ComOS 3.9b26:

esp-des			Sets the ESP protocol for a security 
			association using the US Data Encryption
			Standard-cipher block chaining (DES-CBC)
			encryption algorithm defined in RFC 2405.
			The keys must be exactly 64 bits in length.

esp-des-rfc1827		Uses the DES-CBC encryption protocol 
			defined in RFC 1827 and RFC 1829. The 
			keys must be exactly 64 bits in length.

esp-3des		Sets the ESP protocol for a security 
			association using the Triple DES-CBC
			(3DES) encryption algorithm defined in
			RFC 2451. The keys must be exactly 
			192 bits in length.

esp-3des-rfc1827		Uses the 3DES encryption protocol.
			The keys must be exactly 192 bits in length.

ah-md5			Sets the AH protocol for a security 
			association using MD5 and authentication
			methods defined in RFC 2403. The keys 
			must be exactly 128 bits in length.

ah-md5-rfc1826         	Uses the MD5 hashing protocol
			defined in RFC 1826 and 1828. The keys 
			must be exactly 128 bits in length.

ah-sha			Sets the AH protocol for a security
			association using the Secure Hash
			Algorithm (SHA-1 defined in RFC 2404.
			The keys must be exactly 160 bits long.

Use the following commands to set inbound and outbound keys for the
chosen protocols:

  set sa Saname esp-inbound-key Key/[Bits] | random
  set sa Saname esp-outbound-key Key/[Bits] | random
  set sa Saname ah-inbound-key Key/[Bits] | random
  set sa Saname ah-outbound-key Key/[Bits] | random

Saname	Security association name up to 15 characters long.

Key		Decimal, hexadecimal, or binary key. The secret
		shared between the ends of a security association.

/Bits		The key length in bits optionally follows the key 
		value.

random		Applies a randomly generated key and key length that 
		match the requirements for the specified encryption
		method.

Example:  

Command> set sa net172 esp-inbound-key 0x0123456789abcd/64
Command> set sa net172 esp-outbound-key 0x0123456789abcd/64 
Command> set sa net172 ah-inbound-key 0x0123456789abcd/128 
Command> set sa net172 ah-outbound-key 0x0123456789abcd/128 

Although these examples use the same key for both inbound and 
outbound, and for both ESP and AH, Lucent recommends that you use 
different keys for each of these.


_______ Entering Static Keys

You can enter keys as the following types of numbers:

* Hexadecimal (hex)---base 16, starting with 0x
* Decimal (the default)---base 10
* Binary---base 2, starting with 0b

The key value is followed by a slash ("/") and the key length 
in bits.

For example:
* 0x12345678/32 is a 32-bit key in hexadecimal.
* 346345/64 is a 64-bit key in decimal.
* 0b1000001/64 is a 64-bit key in binary.

Keys must fall on 8-bit boundaries. Some protocols allow only 
specific key lengths, while others allow a range of lengths. ESP 
and AH protocols require specific key lengths. See the section 
"AH and ESP Protocols" for more information. 

Keys are displayed in hexadecimal format. High-order bits not 
specified are zero-filled. For example, 0x12/32 is the same as 
0x00000012/32. Once the key is entered, you cannot see it again.

The security of your network depends on picking appropriate keys. 
You can have the PortMaster generate a key by using the special key 
value "random".  For example:

  set sa Saname esp-inbound-key random

This command generates a random key of the correct length for the
protocol. You must then copy this key to the peer in a secure fashion.

NOTE: To configure secure keys and avoid unintended typing errors, 
Lucent recommends that you set a random value for each key on one 
node and then copy and paste it on the other node.


_______ IPIP Commands

To use the IPIP protocol, set the security association to IPIP mode
using the following command:

  set sa Saname mode ipip-tunnel


_______ Proxy Tunnel Commands

To use the Lucent proprietary Proxy Tunnel protocol, set the 
security association mode using the following command:

  set sa Saname mode proxy-tunnel

Each end of the tunnel chooses a UDP port between 1 and 65535 for
sending and receiving packets. Lucent strongly recommends using a 
port that does not conflict with well-known services. The same port 
number can be used at both ends, if desired.

  set sa Saname proxy-localport Uport
  set sa Saname proxy-destport Uport

Each end of the tunnel chooses a shared secret and configures it.
Lucent supports secrets from 32 to 128 bits long, and each secret
must be a multiple of 8 bits long.

  set sa Saname proxy-secret Key/Bits

Saname	Security association name up to 15 characters long.

Key		Number in decimal, hexadecimal, or binary. The secret
		shared between the ends of a security association.

/Bits		Key length in bits.

Uport		UDP Port between 1 and 65535.

Example:

Command> add sa lu77
Command> set sa lu77 proxy-tunnel
Command> set sa lu77 proxy-localport 1050
Command> set sa lu77 proxy-destport 1051
Command> set sa lu77 proxy-secret 0x123456789/64


_______ Configuring Security Profiles

A security profile defines the security association and policy 
filter used on a router interface. A profile can be attached directly to 
a network interface, user, or location, or can be assigned to a user  
with RADIUS. Security profiles use the security association and policy  
filters to transfer packets. Profile names can be up to 15 characters 
long.

Use the following commands to configure security profiles:

  show table sec-profile
  show sec-profile Profile
  show ipsec statistics
  add sec-profile Profile
  delete sec-profile Profile

  set Ether0 | S0 | W1 ipsec active-profile Profile
  set user Username ipsec active-profile Profile
  set location Locname ipsec active-profile Profile

  set sec-profile Profile blank
  set sec-profile Profile Profilerule pfilter | policy-filter Filtername |
none
  set sec-profile Profile Profilerule static-sa  Saname | none
  
  set Ether0 | S0 | W1 ipsec outsource-profile Profile
  set user Username ipsec outsource-profile Profile
  set location Locname ipsec outsource-profile Profile
  
  set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough
  set user Username ipsec pda drop | icmp reject | passthrough
  set location Locname ipsec pda drop | icmp reject | passthrough

Profile		Security profile name up to 15 characters long.

Profilerule	Rule number between 1 and 20.

Filtername	Policy filter name up to 15 characters long.

Saname		Security association name up to 15 characters long.


________ Displaying Security Profile Information

The "show table sec-profile" command displays a summary of 
all the security profiles.

The "show sec-profile Profile" command displays information about the
security profile named.

The "show ipsec statistics" command displays a summary of all the
security profiles and the traffic generated:

Router	Profile	Sec-AssocMode	In-pktsOut-pktsIn-BadOut-Dropped
PortType		Name				Pkts  	Pkts
--- ------------------------------------------------------------------
ether0	Active-pr	local	sec-ip	3678	4534	0	0
ptp0	Active-pr	remote	ipip	2987	3768	0	0


_______ Adding Security Profiles

Use the following command to add a security profile:

  add sec-profile Profile

Profile	Security profile name up to 15 characters long.


_______ Deleting Security Profiles

Use the following command to delete a security profile:

  delete sec-profile Profile

Profile	Security profile name.


_______ Setting Security Profiles

Use the following commands to configure a security profile after
adding it:

  set sec-profile Profile Profilerule policy-filter Filtername | none
  set sec-profile Profile Profilerule static-sa Saname | none

A profile can be an active profile, a passive profile, or an outsource
profile.

You assign an active profile to a user, location, or interface that is
configured as an end point of a tunnel. An active profile is applied to
outbound traffic and identifies a set of peers with which the
PortMaster knows how to communicate.

Passive profiles are not supported in this release.

You assign an outsource profile to a user, location, or interface that
is not configured as an end point of a tunnel. An outsource profile
refers to security associations established from any port of the
PortMaster, based on the inbound traffic on a port. The policies set
are based on the wire traffic, just as with the policies on other
profiles.


_______ Policy Filters

Policy filters determine which data the PortMaster sends through its
security profiles. Policy filtering takes place right before the
PortMaster routes a packet. The packet is compared against all the
defined policy filters in a security profile. If none apply, the packet
is routed as usual, without any VPN processing.

NOTE: You must be very careful to not create security filters that
might overlap each other in their coverage. For example, IP address
ranges in two filters might overlap. If two filters overlap, only one
security association is applied to the packet and you cannot determine
which one.

Policy filters are created like packet filters. For example, to process
all packets destined for the network 10.200.1.0/24, you can create the
following filter:

  add filter internal.sec
  set filter internal.sec 1 permit 0.0.0.0/0 10.200.1.0/24

Then you add and configure your security profile "examplespf":

  set sec-profile examplespf 1 policy-filter internal.sec

You can also selectively process only certain types of traffic and not
others using "deny" statements.  For example, you might use the 
following filter to encrypt all traffic except packets to TCP port 80 
for HTTP:

  add filter internal.sec
  set filter internal.sec 1 deny tcp dst eq 80
  set filter internal.sec 2 permit

A "deny" keyword in a policy filter does not block packets that meet 
its criteria. Instead, the "deny" keeps the security association from 
being applied to those packets and passes the IP traffic through, 
unprocessed. If you want to block the traffic entirely, you must place 
input or output packet filters on the appropriate interface(s).


_______ Policy Deny Action

Use the following commands to determine what to do with packets 
denied by policy filters.

  set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough
  set user Username ipsec pda drop | icmp reject | passthrough
  set location Locname ipsec pda drop | icmp reject | passthrough

drop		The PortMaster drops packets that do not fit the
		security profile. This is the default.

icmpreject	The PortMaster rejects packets that do not fit the 
		security profile and sends an ICMP reject message to 
		inform the remote end of the tunnel.

passthrough	The PortMaster transmits the packets with no VPN
		processing, even if they do not fit the security profile.


_______ Filter Extensions

The IPSec and IPIP protocols use their own protocols on top of IP,
instead of using UDP or TCP. You can filter these protocols in packet
filter rules, as in this example:

  add filter eg
  set filter eg 1 permit  esp
  set filter eg 2 permit  ah
  set filter eg 3 permit  ipip

You can also specify the protocol number in the filter as in
this example:

  set filter eg 4 permit proto 4

IPIP is protocol type 4, ESP is protocol type 50, and AH is protocol
type 51.


_______ Attaching a Security Profile to a Network Interface

Use the following command to attach a security profile to a network
interface:

  set S0 | W1 | Ether0 ipsec active-profile Profile

S0		Serial port.

W1		Synchronous serial port.

Ether0		Ethernet interface.

Profile		Security profile name.


_______ Attaching a Security Profile to a User

Use the following command to attach a security profile to a user so
that when the user logs in, the profile is attached to the user's
interface:

  set user Username ipsec outsource-profile Profile

Username	Name of a user in the user table.

Profile		Security profile name.


_______ Attaching a Security Profile to a Location

Use the following command to attach a security profile to a location so
that when the PortMaster connects to that location, the profile is
attached to the resulting interface.

  set location Locname ipsec outsource-profile Profile

Locname	Name of a location in the location table.

Profile		Security profile name.


_______ Resetting VPN on a Port

The following command resets any VPN settings on the designated port:

  reset ipsec S0

S0	Port name.


_______ Debugging and Troubleshooting VPN

The profiles keep statistics of their traffic. Use the "show ipsec
statistics" command to show how much traffic was sent or received, 
and any invalid packets.

Use the "set console" command, along with the following debug 
commands, to display any errors generated:

  set debug ipsec-max | ipsec-packets | ipsec-state [ on | off ]
  show ipsec modules

The following command turns on all VPN debugging:

  set debug ipsec-max on

The following command shows packets processed by the VPN 
subsystem:

  set debug ipsec-packets on

The following command shows state changes in the processor in the
IPSec encryption card:

  set debug ipsec-state on

Remember to use "reset console" after turning off the debug process.

The following command shows which protocols are in this ComOS, and
provides version information for the "mipsboot" file that is run on the
IPSec encryption card (PM3-VPN):

  show ipsec modules


_______ VPN Logging

Use the following commands to enable and disable the logging of 
VPN packet transmissions and rejections at a specified PortMaster
interface, location, or user:

  set Ether0 | S0 | W1 ipsec log safail | sasuccess | syslog | console on |
off 
  set location Locname ipsec log safail | sasuccess | syslog | console on |
off 
  set user Username ipsec log safail | sasuccess | syslog | console  on | off 

The "safail" and "console" options are on by default.

safail		Logs the inbound and outbound packets that are
		rejected by the security association.

sasuccess	Logs the inbound and outbound packets that are
		sucessfully transmitted.

syslog		Sends the log to syslog.

console		Displays the log to the console.


_______ Using RADIUS with VPN

VPN parameters can be configured on a per-user basis with RADIUS.
You must be running the Lucent RADIUS 2.1 server or another 
RADIUS server---such as the NavisRadius(TM) product---that 
supports vendor-specific attributes.

Add the following lines to your RADIUS dictionary, then stop and
restart your RADIUS server:

ATTRIBUTE       Vendor-Specific         	26      string

ATTRIBUTE       LE-Terminate-Detail	2   string  Livingston
ATTRIBUTE       LE-Advice-of-Charge	3   string  Livingston
ATTRIBUTE       LE-Connect-Detail	4   string  Livingston
ATTRIBUTE       LE-SA-Id		5   string  Livingston
ATTRIBUTE       LE-IPSec-Log-Options	9   integer Livingston
ATTRIBUTE       LE-IPSec-Policy-Deny	10  integer Livingston
ATTRIBUTE       LE-IPSec-Active-Profile	11  string  Livingston
ATTRIBUTE       LE-IPSec-Outsource-Profile	12  string  Livingston
ATTRIBUTE       LE-IPSec-Passive-Profile	13  string  Livingston

#
#       IPSEC PROTOCOL TYPES
#
VALUE           LE-IPSec-Log-Options    SA-Success-On	1
VALUE           LE-IPSec-Log-Options    SA-Failure-On		2
VALUE           LE-IPSec-Log-Options    Console-On		3
VALUE           LE-IPSec-Log-Options    Syslog-On		4

VALUE           LE-IPSec-Log-Options    SA-Success-Off 	5
VALUE           LE-IPSec-Log-Options    SA-Failure-Off		6
VALUE           LE-IPSec-Log-Options    Console-Off 		7
VALUE           LE-IPSec-Log-Options    Syslog-Off 		8

#
#       IPSEC POLICY DENY ACTION VALUES
#
VALUE           LE-IPSec-Policy-Deny            Drop		1
VALUE           LE-IPSec-Policy-Deny            ICMP-Reject	2
VALUE           LE-IPSec-Policy-Deny            Pass-Through	3

Each RADIUS attribute or value corresponds to its command line 
equivalent. Refer to the usage information on a particular VPN 
command in this release note for more information. 

Here is a sample RADIUS user profile for a user configured for VPN:

pepi    Password = "notpepzi"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        LE-IPSec-Log-Options = Console-On,
        LE-IPSec-Outsource-Profile = "mypro"


_______ Example VPN Tunneling Configurations

The following are three examples of VPN configuration. In each
example, a remote office is configured to connect back to headquarters
via an ISP. The first example uses an IPSec tunnel, the second uses an
IPIP tunnel, and the third uses a Proxy Tunnel tunnel.

The remote office has a Frame Relay connection to a nearby ISP. The
office has been assigned the network 192.168.1.0/24. The corporate
headquarters uses the network 172.16.0.0/16. Headquarters uses the
packet filter rules for the AH and ESP protocols to configure a
firewall that allows VPN traffic from the 192.168.1.0/24 network to
pass through. Each location is using a PortMaster 3.

NOTE: These examples use simple keys for readability. For best results
in your configurations, take advantage of the full length of the key.

NOTE: None of the IP addresses or networks used in the examples are 
intended to refer to any actual real-world company or network 
assignment.

Example 1 -- Using IPSec

Both locations are using the PortMaster 3 with the IPSec encryption 
card and need to do both encryption (ESP) and authentication (AH) 
using DES and MD5. The headquarters firewall is configured to allow 
IPSec traffic from the 192.168.1.0/24 network through, using the packet 
filter rules for AH and ESP.

* On the remote PortMaster 3, create security association "corp" with
appropriate SPIs, keys, and filter. Then create security profile
"corp-pro" and attach it to a synchronous serial port.

* On the PortMaster at headquarters, create security association 
"remote" with appropriate SPIs, keys, and filter. Then create security 
profile "remote-pro" and attach it to a synchronous serial port.

pm3-remote (192.168.1.254):
  add sa corp
  set sa corp mode sec-ipip-tunnel
  set sa corp peer-identifier 172.16.1.1
  set sa corp esp-inbound-spi 1001
  set sa corp esp-outbound-spi 1002
  set sa corp ah-inbound-spi 2001
  set sa corp ah-outbound-spi 2002
  set sa corp sec-proposal esp-des-rfc1827 ah-md5-rfc1826
  set sa corp esp-inbound-key 0x9876543210/64
  set sa corp esp-outbound-key 0x1234567890/64
  set sa corp ah-inbound-key 0x98761234/128
  set sa corp ah-outbound-key 0x12349876/128

  add filter corp.sec
  set filter corp.sec 1 permit 192.168.1.0/24 172.16.0.0/16

  add sec-profile corp_pro
  set sec-profile corp_pro 1 policy-filter corp.sec
  set sec-profile corp_pro 1 static-sa corp

  set w0 ipsec active-profile corp_pro
  save all

pm3-corp (172.16.1.1):
  add sa remote
  set sa remote mode sec-ipip-tunnel
  set sa remote peer-identifier 192.168.1.254
  set sa remote esp-inbound-spi 1002
  set sa remote esp-outbound-spi  1001
  set sa remote ah-inbound-spi 2002
  set sa remote ah-outbound-spi 2001
  set sa remote sec-proposal esp-des-rfc1827 ah-md5-rfc1826
  set sa remote esp-inbound-key 0x1234567890/64
  set sa remote esp-outbound-key 0x9876543210/64
  set sa remote ah-inbound-key 0x12349876/128
  set sa remote ah-outbound-key 0x98761234/128

  add filter remote.sec
  set filter remote.sec 1 permit 172.16.0.0/16 192.168.1.0/24

  add sec-profile remote_pro
  set sec-profile remote_pro policy-filter remote.sec
  set sec-profile remote_pro 1 static-sa remote

  set w48 ipsec active-profile remote_pro
  save all

Example 2 -- Using IPIP

For IPIP, create a new security associations "corp-ipip" and
"remote-ipip." Then create an IPIP tunnel and add each new security
association to the appropriate security profile as a static security
association.

pm3-remote (192.168.1.254):
  add sa corp_ipip
  set sa corp_ipip mode ipip-tunnel
  set sa corp_ipip peer-identifier 172.16.1.1
  set sec-profile corp_pro 1 static-sa corp_ipip

pm3-corp (172.16.1.1):
  add sa remote_ipip
  set sa remote_ipip mode ipip-tunnel
  set sa remote_ipip peer-identifier 192.168.1.254
  set sec-profile remote_pro 1 static-sa remote_ipip

Example 3 -- Using Proxy Tunnel Protocol

For the Proxy Tunnel protocol, create a new security associations
"corp-prox" and "remote-prox." Then create a proxy tunnel and add each
new security association to the appropriate security profile as a static
security association.

pm3-remote (192.168.1.254):
  add sa corp_prox
  set sa corp_prox mode proxy-tunnel
  set sa corp_prox peer-identifier 172.16.1.1
  set sa corp_prox proxy-localport 1050
  set sa corp_prox proxy-destport 1051
  set sa corp_prox proxy-secret 0x123456789/64
  set sec-profile corp_pro 1 static-sa corp_prox

pm3-corp (172.16.1.1):
  add sa remote_prox
  set sa remote_prox mode proxy-tunnel
  set sa remote_prox proxy-localport 1051
  set sa remote_prox proxy-destport 1050
  set sa remote_prox proxy-secret 0x123456789/64
  set sec-profile remote_pro 1 static-sa remote-prox


_______ VPN Security Concerns

Be aware of the following security concerns when using VPN:

* Denial of Service. If a large amount of random data has a valid SPI,
the IPSec encryption card must decrypt the data and then dump 
it as invalid. The unnecessary decryption degrades performance and 
can cause denial of service for encrypted traffic. However, because  
the CPU on the IPSec encryption card handles only encryption, 
unencrypted traffic is not interrupted. Legitimate, but very heavy, 
traffic can also cause this problem.

* No Byte Count. Most security protocols recommend that you do 
not use the same key for more than a certain number of bytes, 
depending on the protocol. Because the keys are manually configured, 
ComOS does not count the bytes sent with each key. As a result, you 
cannot automatically limit key use by byte count.


_______ VPN References

The implementation of VPN in ComOS is based on the information in the
following sources: 

* RFC 1321, The MD5 Message-Digest Algorithm

* RFC 1825, Security Architecture for the Internet Protocol

* RFC 1826, IP Authentication Header (AH)

* RFC 1827, IP Encapsulating Security Payload (ESP)

* RFC 1828, IP Authentication using Keyed MD5 (AH-MD5)

* RFC 1829, The ESP DES-CBC Transform (ESPDES)

* RFC 2003, IP Encapsulation within IP (IPIP)

* RFC 2403, The Use of HMAC-MD5-96 within ESP and AH

* RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH

* RFC 2405, The ESP DES-CBC Cipher Algorithm with Explicit IV

* RFC 2451, The ESP CBC-Mode Cipher Algorithms

* "Applied Cryptography", Bruce Schneier. New York, NY: John Wiley and
    Sons, Inc., 1994. (ISBN 0-471-59756-2):
   - Diffie-Hellman algorithm
   - DES algorithm and DES-CBC method
   - Triple-DES (3DES)


_______________ Configuring NAT

ComOS 3.9b26 supports the network address translator (NAT) based
on RFC 2663.

The basic network address translator (basic NAT) capability maps IP
addresses from one group to another, transparently to users and
applications. The network address port translator (NAPT) capability
is an extension to basic NAT in which multiple network addresses
and their TCP and UDP ports are mapped to a single network
address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and 
inbound sessions. It also supports an "outsource" mode in which all 
NAT processing is done on the server-side of the connection.

NOTE: While this release note covers only the PortMaster 3, 
other PortMaster products support NAT and might be used in the 
examples in this section. None of the IP addresses or networks used 
in the examples are intended to refer to any actual real-world company 
or network assignment.


_______ Quick Setup of Outbound NAPT ("Many-to-One")

Outbound NAPT is very common in a small office/home office (SOHO)
situation. To configure, use the following command---entered all on one
line:

    set Ether0 | S0 | W1 | location Locname | user Username
    nat outmap defaultnapt

The port, location, or user is your connection to the outside world.
For example, on a PortMaster dialing out to location "myisp" you enter
the following:

    set location myisp nat outmap defaultnapt

Then connect normally. You must reset the port if the connection
has already been established. If this is a dial-on-demand location,
then you must also reboot the PortMaster, or follow the instructions 
listed in the section "Handling Changes to On-Demand Locations."

With the "defaultnapt" NAT configuration, all the hosts behind the
PortMaster will have their addresses translated to the IP address of
the interface that is assigned to the location.


_______ NAT Concepts

This section explains some of the NAT terminology and provides 
hints to assist you in developing more complex NAT configurations.

For example, you might want to allow inbound connections---external
connections into a web server that resides behind the PortMaster
running NAT. Or you might need to renumber your network and want 
to use basic NAT to avoid renumbering the entire network.

Private vs. Global IP Addresses:

Global IP addresses are accessible from anywhere on the Internet.  
They are  "external" to the PortMaster running NAT---at another 
branch office, for example---because NAT is not limited to the 
Internet. External hosts do not generally recognize any internal 
private IP addresses that you might have assigned to your local 
hosts. Private IP addresses are usually taken from one of the 
following ranges defined in RFC 1918, which are reserved specifically 
for this purpose:

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Lucent strongly recommends numbering your private IP network(s) 
with IP addresses from one of the reserved ranges rather then just 
selecting IP addresses randomly.

Inbound vs. Outbound Sessions:

A "session" in NAT is considered either inbound or outbound:

* An inbound session is initiated to a client behind the NAT router by
a host external to a private IP network.

* An outbound session is initiated to an external host by a client
within the NAT-covered private IP network.

Basic NAT vs. NAPT:

Basic NAT does a one-to-one mapping of a private IP address to a 
global IP address. You still must have a global IP address for every 
host with a private IP address that needs to connect to an external 
host at the same time.

With basic NAT, you can configure dynamic IP address pools from 
which IP address allocations are made, allowing a number of private 
hosts to use a (possibly) smaller pool of global IP addresses. Or you 
can configure static IP address pools in which a static mapping exists 
for each host, requiring the size of the pool to match the number of 
hosts being translated.

If you configure a dynamic pool and have fewer global IP addresses
available than total private hosts, you will have a shortage of IP
addresses if all the hosts try to access the external network
simultaneously. This possibility needs to be accounted for in your
planning.

The network address port translator (NAPT) performs a many-to-one 
"port translation." This capability allows any number of private 
hosts to communicate globally while using only a single global IP 
address.

Outsource Mode NAT:

Outsource mode NAT allows a PortMaster to handle NAT processing and
management for a connected network interface. If a remote router that
the PortMaster is connected to cannot run NAT locally, the PortMaster
can perform NAT services for that device.

All NAT configuration is handled on the PortMaster. A central site
administrator can maintain all NAT mappings for all sites on the
PortMaster without having to worry about the capabilities or management
of a number of entirely separate routers.


_______ Map Management

NAT maps define the mappings and translations between global and
private IP address space. The following map table commands are
supported:

   show table map		Shows all map files.

   show map Mapname	Displays a map's contents.

   add map Mapname	Creates a new map.

   delete map Mapname	Deletes a map.

   save map		Saves map contents into 
			nonvolatile RAM.

NOTE: In the this release of NAT, inbound maps are restricted to static
address maps and/or static TCP/UDP port maps only. Outbound maps
do not have this limitation.

See the following section for map configuration commands.


_______ Configuring Map Contents

Entering NAT maps is very similar to configuring filters in ComOS.  
The basic command "set map Mapname" has five versions that 
you can use as follows---entered all on one line:

1.  To define a single dynamic pool IP address map entry or range or
    list of entries, use the following command:

    set map Mapname Rulenumber addressmap 
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]

2.  To define a single static pool IP address map entry or range
    or list of entries, use the following command:

    set map Mapname Rulenumber staticaddressmap
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]

3.  To define a static or dynamic TCP or UDP port range map
    entry or list of entries, use the following command:

    set map Mapname Rulenumber static-tcp-udp-portmap
    	Ipaddxfrom:Tport1 | Uport1 | Portname
    	Ipaddxto: Tport2 | Uport2 | Portname [log]

4 . To remove rule Rulenumber in a map file, use the following
    command:

    set map Mapname Rulenumber

5.  To empty the contents of a map file, use the following command:

    set map Mapname blank

Mapname	Address map name of up to 15 characters.

Rulenumber	Integer between 1 and 20.

Ipaddxfrom	IP address or range or list of IP addresses to be translated.

Ipaddxto	IP address or range or list of IP addresses to translate to.

Tport		TCP number or range of numbers---between 1 and 65535.

Uport		UDP number or range of numbers---between 1 and 65535.

Portname	One of the following services:
		telnet	TCP port 23.
		ftp	TCP ports 20 and 21.
		tftp	UDP port 69.
		http	TCP port 80.
		dns	TCP/UDP port 53.
		smtp	TCP port 25.

@ipaddr		IP address of the port being configured as the 
		destination address.

log		Selectively logs events for this map entry.

The following keywords have abbreviations for ease of entry:

    addressmap = am
    staticaddressmap = sam
    static-tcp-udp-portmap = stupm

Values for "Ipaddxfrom" and "Ipaddxto" can be one or more of the
following, separated by commas (,):

     IP address/mask
     IP address - IP address
     IP address1,Ipaddress2, ...
     IP address

The value for "Portnumber" can be a single port number or a range of
ports such as "6000-6010" (for an inbound X Server) that you want
statically mapped. This capability prevents your needing multiple map
rules to accomplish the same mapping.

Although you have NAT configured for a specified port, user, or
location, you are not required to translate the addresses of all the
hosts behind the PortMaster running NAT. You can choose the hosts for
which NAT processing is done by designing your maps around them.

Example 1 --  Basic NAT:

When an outbound NAT map is defined for a port, the translation 
succeeds when the source IP address matches the "Ipaddrxfrom" 
address in the outbound map.  

Here is an outbound map that maps a single host with the private 
IP address 10.5.3.6 to the global IP address 192.168.5.3. This is a 
basic NAT configuration. 

1. Configure a map for outbound NAT named myisp.outmap:

    set map myisp.out 1 addressmap 10.5.3.6 192.168.5.3

2. Configure location myisp:

     set location myisp nat outmap myisp.out

BEFORE Outbound NAT:
    Src: 10.5.3.6:12023  Dest: 192.168.2.4:80 

AFTER NAT translation using the example outbound map:
    Src: 192.168.5.3:12023  Dest: 192.168.2.4:80 

Example 2 --  @ipaddr Keyword:

As a special case, the "Ipaddrxto" value for an address map can be set
to "@ipaddr" when the address map is being used for outbound or
outbound outsource connections. The special macro "@ipaddr" uses the IP
address assigned to the port on which the address map is being used.

  set map myisp.outmap 1 addressmap 10.2.3.0/0 @ipaddr

Example 3 -- defaultnapt Map:

The reserved map "defaultnapt," described in the section 
"Using the Default NAPT Map," is equivalent to the following 
map:

  set map myisp.outmap  1 addressmap 0.0.0.0/0 @ipaddr

Example 4 -- Basic NAT Pools:

Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map
allows you to configure one-to-one mappings of private IP addresses to
global IP addresses. Using lists of addresses for these values allows
the configuration of IP address allocation pools, from which global IP
addresses can be allocated for outbound sessions as they are required.

Here is a configuration using a global IP address pool range of
192.168.9.1 through 192.168.9.10 for hosts in the private network
10.9.9.0/24 for outbound NAT. This configuration allows only 10
concurrent outbound NAT sessions from the 10.9.9.0 subnet.

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.out 1 addressmap 10.9.9.0/24 192.168.9.1-192.168.9.10

2. Configure location myisp:

     set location myisp nat outmap myisp.out

Example 5 -- Basic NAT Static Maps:

If you require that private addresses always be mapped to the same
global addresses, use a static address map instead of a dynamic address
map. The following example creates a NAT mapping in which the private
IP address range 10.1.1.0/24 is translated to the global IP address
range 192.168.65.0/24 on the outbound transmission.  Because this is a
static address map, it always translates 10.1.1.1 to 192.168.65.1,
10.1.1.55 to 192.168.65.55, and so on.

Configure a map for outbound NAT named myisp.out, and apply it 
as an outmap to the location:

    set map myisp.out 1 staticaddressmap 10.1.1.0/24 192.168.65.0/24
    set location myisp nat outmap myisp.out

Alternatively, to allow inbound sessions to the same set of hosts, 
create an inbound map named myisp.in and apply it as an
inmap to the location:

    set map myisp.in 1 staticaddressmap 192.168.65.0/24 10.1.1.0/24
    set location myisp nat inmap myisp.in

For a static address map, the total ranges on both sides must have 
the same number of IP addresses; otherwise, a one-to-one static 
mapping is not possible. 

If you do not have sufficient global addresses to do one-to-one 
mapping, use NAPT for all or part of the private hosts (see 
Example 6), or reduce the number of  IP addresses being translated.

Example 6 -- Mixing Static and Dynamic Address Maps:

This example uses a combination of static address maps for 
specific hosts and NAPT for the remainder of the private hosts.  

    set map myisp.out 1 staticaddressmap 192.168.65.1-192.168.65.10 
	10.1.1.1-10.1.1.10
    set map myisp.out 2 staticaddressmap 192.168.65.73 10.1.1.73
    set map myisp.out 3 addressmap 192.168.65.0/24 10.1.1.11
    set location myisp nat inmap myisp.out

The order of the rules in a NAT map is important. In this 
example, a private host with an address of 192.168.65.73 
attempting outbound access via the myisp location uses rule 2 
and is translated to address 10.1.1.73. A private host with an 
address of 192.168.65.74 uses rule 3 and is translated to 10.1.1.11.

Example 7 -- Fully Specified Inbound Map:

When an inbound NAT map is defined for a port, the translation 
succeeds when the destination IP address matches the "Ipaddrxfrom" 
address in the inbound map.  

Suppose you want to allow an Internet access to your internal HTTP
server running on 10.4.2.9. To do so, configure the following as an 
inbound map. You also have a global IP address 192.168.2.4 assigned 
to your PortMaster as the global address for all hosts residing behind 
NAT:

1. Configure inbound NAT map myisp.inmap:

    set map myisp.in 1 static-tcp-udp-portmap 192.168.2.4:http 10.4.2.9

2. Configure the location:

    set location myisp nat inmap myisp.in

BEFORE Inbound NAT:
    Src: 130.65.2.3:12023  Dest: 192.168.2.4:80 (80 is http)

AFTER NAT translation using the example inbound map:
    Src: 130.65.2.3:12023  Dest: 10.4.2.9:80


_______Configuring Interfaces, Locations, and Users

The basic command "set Ether0 | S0 | W1 | location Locname | user
Username" has five NAT commands that you can use as follows---entered
all on one line---to configure NAT on a PortMaster. 

You must reset an active port for changes in its NAT configuration 
to take effect. For more information, see the section "Resetting NAT
Sessions."

1.  To configure a NAT map for outbound sessions and optionally
    enable the outsource function, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat outmap Mapname [outsource]

2.  To configure a NAT map for inbound sessions and optionally 
    enable the outsource function, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat inmap Mapname  [outsource]

To remove the map entry from the specified interface, user, or 
location, re-enter the command, minus the "outsource" keyword, with 
a space after the Mapname value.

3.  To set logging options for a NAT session on an interface, use this
    command:

    set Ether0 | S0 | W1 | location Locname | user Username
	nat log sessionfail | sessionsuccess | syslog | console
	on | off

4.  To set the default action that the PortMaster takes if a request for
    a NAT session is refused because the mapping configuration is invalid
    or does not exist, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat session-direction-fail-action drop | icmpeject | passthrough

5.  To set the maximum idle time for a NAT session, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat sessiontimeout  tcp | other Number [minutes | seconds]


_______ Using the Default NAPT Map

You can assign the reserved map name "defaultnapt" to an
outbound-only NAPT configuration, with the following results:

* When "defaultnapt" is assigned as an outbound map, without the
"outsource" option, all outbound IP sessions through the given port are
subject to NAPT and use the IP address assigned to the port.

* When "defaultnapt" is assigned as an outbound map for the 
port---using "outsource" in the command line---all inbound IP 
sessions (with respect to the calling device) through the given 
port are subject to outsource NAPT and use the IP address 
assigned to the port.

NOTE: In the this release of NAT, inbound maps are restricted to static
address maps and/or static TCP/UDP port maps only. Outbound maps
do not have this limitation.


_______ Using RADIUS for NAT

Many NAT configuration parameters can also be configured via 
RADIUS on a per-user basis. For RADIUS to support the new 
vendor-specific attributes, you must be running the Lucent 
RADIUS 2.1 server or another RADIUS server---such as the 
NavisRadius product---that supports vendor-specific attributes. 

Add the following attributes and values to your RADIUS dictionary
if they are not already there. Then stop and restart your RADIUS server.

RADIUS Dictionary Updates:

ATTRIBUTE	LE-NAT-TCP-Session-Timeout	14	integer	Livingston
ATTRIBUTE	LE-NAT-Other-Session-Timeout	15	integer	Livingston
ATTRIBUTE	LE-NAT-Log-Options		16	integer	Livingston
ATTRIBUTE	LE-NAT-Sess-Dir-Fail-Action	17	integer	Livingston
ATTRIBUTE	LE-NAT-Inmap			18	string	Livingston
ATTRIBUTE	LE-NAT-Outmap			19	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Inmap		20	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Outmap	21	string	Livingston

VALUE	LE-NAT-Sess-Dir-Fail-Action	Drop			1
VALUE	LE-NAT-Sess-Dir-Fail-Action	ICMP-Reject		2
VALUE	LE-NAT-Sess-Dir-Fail-Action	Pass-Through		3

VALUE	LE-NAT-Log-Options	Session-Success-On	1
VALUE	LE-NAT-Log-Options	Session-Failure-On	2
VALUE	LE-NAT-Log-Options	Console-On		3
VALUE	LE-NAT-Log-Options	Syslog-On		4
VALUE	LE-NAT-Log-Options	Success-Off		5
VALUE	LE-NAT-Log-Options	Failure-Off		6
VALUE	LE-NAT-Log-Options	Console-Off		7
VALUE	LE-NAT-Log-Options	Syslog-Off		8

Each RADIUS parameter corresponds to its command line equivalent. Refer
to the usage information on a particular NAT command in this release
note for more information.

When configuring a user profile, be sure to list any multiple occurrences
of the LE-NAT-Log-Options attribute, which sometimes requires multiple
values, in the order in which the values are listed in the dictionary---the 
order shown above. For example:

joe	Auth-Type = System, Framed-Protocol = PPP
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	LE-NAT-Outsource-Outmap = "defaultnapt",
	LE-NAT-Sess-Dir-Fail-Action = Drop,
	LE-NAT-Log-Options = Session-Failure-On,
	LE-NAT-Log-Options = Console-On


_______ NAT Session Management

NAT sessions can be managed, viewed, and reset in several ways.

You can display the currently active NAT sessions using the following
command:

  show nat sessions  [tcp | udp | ftp | Sessionid] 

Enter "show nat sessions" to display NAT session identification
numbers.

You can also limit the display to the sessions for a single port, user,
or location by appending a regular expression at the end of the command
line, as you can do with the "show routes" command.

You can view real-time statistics on NAT:

  show nat statistics

This command displays statistics on a per-port basis, including
successful translations, failures, address shortages when you are
using IP pools, and unsuccessful translations and/or lookups due
to timeouts.

Use the following command for debugging and to see resource usage:

  show nat mapusage

This command displays a list of active IP address and port bindings,
including a list of the remaining resources---TCP/UDP ports or IP
addresses---available for use.


_______ Resetting NAT Sessions

CAUTION! Resetting any or all interfaces while sessions are active
might cause active connections on clients and servers to be left open
or terminated abruptly. Lucent recommends NOT entering this command
while the interface is being used because doing so can leave connections 
in an unknown state between the two communicating hosts.

You can reset the entire NAT subsystem with the following command:

    reset nat [Ether0 | S0 | W1]

The default resets all existing NAT sessions on the PortMaster---like
the "reset all" command. Specifying the name of an interface resets all
NAT sessions associated with the specified interface. Use the "ifconfig" 
command to see a list of interfaces.

Resetting NAT affects active NAT sessions only. If you modify the 
NAT configuration on an active port, you must reset the port directly 
and also reset NAT on that interface.


_______ Deleting Individual NAT Sessions

You can delete individual NAT sessions by using the session ID. This
value is displayed in the first column of a "show nat sessions"
output.  Determine the session ID and then enter the following
command:

  delete nat sessions [Sessionid]


_______ NAT Administrative Concerns

Be aware that you might need to do the following when configuring your
network in the presence of a NAT.

Stopping the Advertisement of Routing Information:

NAT creates a private network that cannot be advertised outside the
private boundary delimited by the NAT router. As a result, you must be
sure to disable network advertisements on the NAT router's global
interface.

For example if you are running NAT on a PortMaster IRX(TM) Router 
model IRX-211, with Ether0 as your private interface and Ether1 as your 
global interface with NAT enabled on it, you must disable RIP broadcasts:

    set ether1 rip listen

Or use the "off" option if you do not need to listen to RIP routing 
updates at all.

If you are using OSPF, you must specify the private IP address range as
"quiet":

  set ospf area 0.0.0.0 range 10.0.0.0/8 quiet

If you are using BGP, you must not advertise any private IP address
blocks to the outside world.

Rerouting Global IP Addresses Used by NAT to Static Routing:

Because NAT is not equipped to advertise routing, the global IP
addresses (or networks) used by NAT, might require the addition of
static routes on the routers that are external peers of the PortMaster.

Particularly, if you are using basic NAT to manage a pool of global
addresses, you must configure a static route for the pool of addresses
on the next-hop router of the PortMaster.

Avoiding Ethernet LANs:

NAT does not provide Ethernet ARP services for the global IP addresses
it uses. For this reason, Lucent recommends that NAT be configured on
WAN interfaces instead of Ethernet interfaces.  If you choose to
configure basic NAT on a LAN interface, be sure to select for use with
NAT a global IP address block that does not fall within the same
network prefix of the LAN interface itself.

Determining If Additional Security, Privacy, and/or Firewalls Are Needed:

Security is viewed differently in different environments. Many people
view NAT as a one-way (session) traffic filter, restricting sessions
from external hosts into their network. In that context, NAT provides a
certain degree of security that might not be acceptable for your
situation.

In addition, address assignment in NAT is often done dynamically.
Dynamically assigned addresses can often hinder an attacker from
pointing to any specific host in the NAT domain as a potential target
of attack. Partial privacy is gained because tracing an individual
connection to a particular user is more difficult. You can use
firewalls with NAT maps to provide other ways to filter unwanted
traffic.

However, NAT maps cannot by themselves transparently support all
applications and often must co-exist with application-level gateways
(ALGs)---for example, SOCKS. If you use NAT, you must determine the
application requirements first so that you can assess the extensions to
NAT and the security they provide.

NAT routers have a security limitation that allows NAT and/or its
application-level gateway extensions to read the packet data in the end
user traffic that passes through them. This limitation is a security
problem if the NAT routers are not in a trusted boundary.

Although you can encrypt NAT traffic, NAT must usually be the end point
to such an encryption-decryption setup. For example, you cannot
configure an end-to-end VPN tunnel with NAT routers in between. The end
point(s) must be a router running NAT.

Lucent does not guarantee NAT as an complete security solution.
Although placing your private network behind NAT might make it seem
inaccessible to the outside, this is not the intention of NAT.  You
must evaluate the particular configuration, network topology, and
security requirement of your organization to determine whether simply
installing NAT eliminates the need for further security measures such
as a firewall.

Mapping for DNS:

When configuring DNS on the hosts behind NAT, if you add a map similar
to the following on the internal interface---usually Ether0 on an
Office Router---you can enter the IP address of your Office Router as
the DNS server. This is a useful feature if you do not always have the
same DNS server, because of multiple providers, but do not want to
reconfigure all your private hosts. Use the following commands,
entering each command all on one line:

    set map dns.inmap 1 static-tcp-udp-portmap
    	@ipaddr:dns <Primary DNS IP address>
    set ether0 nat inmap dns.inmap
    set location Locname nat outmap defaultnapt

Handling Changes to On-Demand Locations:

Because of the way that on-demand locations and their corresponding
interfaces are traditionally handled within ComOS, NAT configuration
changes might not take effect in the way you expect. To get around this
problem, you can either reboot immediately after changing the settings
for a location that is currently set to on-demand, or do the
following:

1. Enter "set location Locname maxports 0".

2. Enter "reset dialer".

3. Change whatever settings you need to.

4. Enter the following:

   set location Locname maxports <Original_maxports_value>

Manually dialed locations are unaffected.


_______ NAT Examples

1.  Dial-Out Location Using defaultnapt with a Dynamically Assigned 
    PPP IP Address:

Your Office Router OR-U is dialing in to a corporate network's
PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically
assigned IP address for the Office Router in a NAPT configuration.
Everything behind the Office Router is subject to NAPT. You configure
the Office Router as follows:

    add location corporate
    set location corporate phone 5558583
    set location corporate username joeuser
    set location corporate password secrets
    set location corporate destination 192.168.2.5
    set location corporate max 2
    set location corporate idle 15 minutes
    set location corporate on-demand
    set location corporate local-ip-address assigned
    set location corporate nat outmap defaultnapt

2. Preventing Address Renumbering with Basic NAT on 
   an Office Router:

Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company
(25.0.0.0/8) and must renumber its hosts to access Big Company's
network. ABC has an ISDN connection from its Office Router to Big
Company's network. Big Company has just assigned ABC the IP range
25.9.1.0/24 to use. ABC configures its Office Router as follows:

    add map abc.outmap
    set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
    add location bigcomp
    set location bigcomp phone 5558583
    set location bigcomp username abc
    set location bigcomp password bigsecret
    set location bigcomp destination 25.1.1.7
    set location bigcomp idle 15 minutes
    set location bigcomp on-demand
    set location bigcomp local-ip-address 25.9.1.254
    set location bigcomp nat outmap abc.outmap

The abc.outmap NAT map assigns IP addresses dynamically
as needed. If ABC wants to have static translations, abc.outmap
on the Office Router must be changed as follows:

    set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24

3. Address Redirection to a Backup IRX-211 to Perform Server 
   Maintenance:

The following two servers on your Ether1 provide inbound FTP and Web
service:

* primary.web.com at 129.65.2.1

* backup.web.com at 129.65.2.2

The IP addresses of primary and backup are global IP addresses.
However, you need to take primary off-line to perform some maintenance
work. Just before shutting down primary, you configure an inbound map
on Ether0 that statically maps primary's address to backup. You use a
basic NAT setup as follows:

    add map ether0.inmap
    set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
    set ether0 nat inmap ether0.inmap
    reset nat

As part of this configuration, you might also want to set the NAT
session-direction-fail-action (SDFA) to passthrough:

    set ether0 nat sdfa passthrough

This setting prevents NAT from intercepting outbound packets from the
remapped host when primary returns to service and you want to run a
Telnet or FTP session from it.

4. T1 or Fractional T1 WAN Link Using defaultnapt for Outbound and
   Providing Inbound HTTP Service:

Line1 on your PortMaster 3 is a T1 WAN link with a private network
10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered
with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The
HTTP server in the private network resides at 10.1.1.10. You configure
the PortMaster 3 as follows:

    set w24 address 192.168.44.99
    set w24 destination 192.168.44.254
    set w24 nat outmap defaultnapt
    add map w24.inmap
    set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http 
      10.1.1.10:http
    set w24 nat inmap w24.inmap
    reset w24

5. Dial-In User Using defaultnapt in Outsource Mode:

You want to provide NAT service to a user (or incoming network) 
by connecting the user (or network) in an outsource-mode NAPT 
configuration using the defaultnapt map on a PortMaster. The global 
IP address 192.168.129.130 is assigned to the dial-up router and will be 
used as the global address by NAT. Because this configuration uses 
the defaultnapt map, the IP addresses that the client's network is using
are not needed in the NAPT configuration. Configure the PortMaster 
as follows:

    add netuser joeuser
    set user joeuser password mysecret
    set user joeuser destination 192.168.129.130
    set user joeuser nat outmap defaultnapt outsource

No NAT configuration is required on the dial-up router (client) side.
If the client also wants to run an FTP server with a private IP address
of 192.168.5.1 on his network and have it accessible globally, 
you can configure further as follows:

    add map joeuser.in
    set map joeuser.in 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
    set user joeuser nat inmap joeuser.in outsource

When you configure the NAT map for a user with outsource NAT, 
you can consider the map as being on the calling router's 
outbound interface.

6.  Dial-Out Location Using a Dynamic IP Address Basic NAT Map:

Your ISP gives you a small address block (192.168.129.129/29), but you
have more hosts then global IP addresses available. You do not want to
request more global IP addresses because of the added expense. In
addition, because not all workstations use the connection at the same
time, additional addresses will be wasteful. You want to use a dynamic
IP address pool map instead. You configure your PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location bigcomp max 2
    set location bigcomp continuous
    set location bigcomp local-ip-address assigned
    set location bigcomp nat outmap isp.outmap

7.  Dial-Out Location Using a Static IP Address Basic NAT Map:

Your ISP gives you an address block (192.168.130.0/24). You can use a
dynamic IP address pool for your workstation IP addresses because they
do not need Internet access at the same time. However, you must give
two of your trusted systems static IP addresses for security
reasons---to perform packet filtering, for example. You configure your
PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
    set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
    set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location bigcomp max 2
    set location bigcomp continuous
    set location bigcomp local-ip-address assigned
    set location bigcomp nat outmap isp.outmap


_______ NAT-Unfriendly Applications:

The following applications are considered unfriendly to NAT 
because they embed the IP source and/or destination addresses 
in the packet data, are multicast based or broadcast based, or 
rely on end-to-end node security:

* Multicast-based applications
* Routing protocols RIP and OSPF
* DNS zone transfers
* End-to-end VPN tunnels
* Anything that embeds the IP source and/or destination address(es)
  into the packet data.


_______ NAT Debugging and Troubleshooting Tips

* Verify obvious values like correct IP addresses in map entries.

* Make sure your maps match the flow of the session (inbound or
outbound). Check "show nat sessions" output to make sure the correct
translations are taking place.

* Watch "show nat statistics" output for failed translations that can
indicate incorrect session flow direction and possibly incomplete
maps.

* Watch the source and destination IP addresses of packets going
through the PortMaster. You can find a simple ptrace debug filter for
this purpose in the PortMaster Troubleshooting Guide. If you are
running NAT on your WAN link, look for private IP addresses that are
exiting the ptp0 interface untranslated. If translation is not taking
place, either your NAT maps are not translated properly or NAT is not
active on the port.

* Make sure that you reset the active network interface to make its NAT
configuration take effect. In the case of an Ethernet interface, enter
"reset nat ether0".

* If a location is set to dial-on-demand, you might need to reboot the
PortMaster for configuration changes to take effect.

* If a port loses its network connectivity---for example, if the modem
drops carrier---NAT maintains the state of any existing sessions ONLY
if the IP address assigned to the port remains the same.

* Because of the nature of NAT operation, some applications that work
under basic NAT might not work with NAPT. If you are using a particular
application under NAPT and it is not working, try using basic NAT and
see if the situation improves.


_______ NAT Logging Control

You can activate syslog and console logging on a per-port basis to
identify configuration errors and for auditing purposes. Enter the
following commands---all on one line---to configure logging to the 
PortMaster console of all NAT sessions that fail for any reason:

set Ether0 | S0 | W1 | location Locname | user Username
    	nat log sessionfail on

set Ether0 | S0 | W1 | location Locname | user Username
    	nat log console on

To log to syslog instead, enter "syslog" instead of "console".

Syslog logging is logged at the priority level shown in "show syslog"
output. If you have not set the PortMaster global option for logging
NAT information to syslog, then no logging takes place, regardless of
the logging options configured on any particular port. Lucent
recommends that you log NAT activity at the same priority as packet
filters:

    set syslog nat auth.notice

You can also log more selectively for only certain map entries by 
appending the "log" keyword at the end of a particular map entry you
want logged. For example:

    set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log

Whenever a session from 192.168.1.1 is successfully translated to the
global IP address 172.16.1.1 via this outbound map, a syslog message
is sent to your loghost.

Here is some sample syslog output:

Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)

Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
 (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)

Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
 (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)

Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)

Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)


_______ Debugging NAT

The following commands set ComOS debugging options for NAT:

  set debug nat-ftp on | off		Displays FTP payload processing.

  set debug nat-icmp-err on | off	Displays ICMP error payload 
					processing.

  set debug nat-rt-interface on | off	Displays NAT parameters changes
					during interface binding.

  set debug nat-max on | off		Enables full NAT debugging.

Remember to use "set console" before using these commands, and 
"reset console" after turning off the debug process.


_______ Network Diagnostic Tools for NAT

Because NAT includes ICMP and UDP translation, the two most common
network diagnostic tools, ping and traceroute, can still be used---with
the following restrictions:

* When using NAPT, you will not be able to run traceroute or ping
inbound to the private hosts because you cannot reach them directly
from the outside.  But you can use the tools in an outbound direction
without any problems.

*  When using basic NAT, you can run traceroute and ping inbound but
only if you have an inbound map active. You still must include an entry
for the actual host you are trying to ping or trace routes to. As with
NAPT, you can do all network diagnostics in outbound mode.


_______ NAT References

* draft-ietf-nat-traditional-03.txt, Traditional IP Network Address 
Translator (Traditional NAT)

* RFC 1918, Address Allocation for Private Internets

* RFC 2663, IP Network Address Translator (NAT) Terminology and 
Considerations


_______________ ComOS 3.9b26 Limitations

* Limitations on Upgrading and Downgrading:

  - The PortMaster must be running ComOS 3.5 or later to upgrade to 
    ComOS 3.9b26. If you are running an earlier release of ComOS,
    upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.

  - Downgrading a PortMaster 3 from ComOS 3.9b26 to a previous 
    release requires two successful downgrades. After the first
    successful downgrade the PortMaster is operational, but without
    system messages. The second downgrade applies the system messages.

  - Downgrading from ComOS 3.9b26 to ComOS 3.5 might change the 
    Ether0 IP address.

* A ComOS online help file is not included in this release; therefore, 
the "help" command is not supported.

* Modem Limitations:

  - Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and
    MDM-PM3-10) has been removed from this release, except for support 
    of the V.110 protocol. The "True Digital 56K Card" (MDM-56K-8 and
    MDM-56K-10) is still supported.

  - Lucent is still fixing some problems with Rockwell HCF and Cirrus
    Logic modems. If you experience any difficulties with modems, verify
    that the client modem is running the latest firmware. Then refer to
    http://www.livingston.com/tech/bulletin/comos-modem.html. If these
    instructions do not help, contact Lucent NetCare(R) technical support

  - The extended Link Access Procedure for Modems (LAPM) (V.42) 
    timeout in the ComOS 3.9b26 modem code keeps the Sega Dreamcast 
    modem from connecting.

* You cannot use Inverse Address Resolution Protocol (ARP) on a Frame
Relay interface with subinterfaces. The primary Frame Relay interface
does not automatically map IP addresses to data link connection
identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP
tables appear, and the PortMaster cannot ping across the Frame Relay
cloud.

* The PortMaster 3 can support either the Stac compression card or 
the IPSec encryption ("coprocessor") card, but not both. Both cards 
use the same interface on the PortMaster 3 motherboard.

* Neither the Internet Key Exchange (IKE) protocol nor the Internet
Security Association Key Management Protocol (ISAKMP) is supported 
in this release.

*Passive security profiles for VPN tunnels are not supported in this 
release.

* NAT Limitations:

 - NAT and VPN tunneling cannot be configured to work together on the 
    same port in this release.

 - Inbound NAT maps are restricted to static address maps and/or static
    TCP/UDP port maps only. Outbound NAT maps do not have this limitation.

 - NAT translates only TCP, UDP, and ICMP packets. Point-to-Point 
    Tunneling Protocol (PPTP) traffic is not translated.

* A Layer 2 Tunneling Protocol (L2TP) network server (LNS) can support 
only 94 L2TP sessions in this release.

* NFAS Limitations:

 - This release does not support mixing NFAS and non-NFAS ISDN 
    PRIs in the same chassis. If one line is used for NFAS, the other
    line must be used for NFAS or left empty.

 - NFAS operates only on National ISDN (NI-2) switch types.

 - Configuring NFAS settings on a line that is not configured for ISDN
    or unable to perform ISDN functions makes the line behave strangely.

 - When you are using NFAS and a problem occurs on the physical PRI 
    line with the D channel, the line sometimes does not return to service 
    until you reset the D channel.

 - When a PortMaster running NFAS is rebooted, you must sometimes 
    reset the D channel to return the PRI to service.

* To advertise your address pools allocated for static users as
internal OSPF routes, you must add them to the OSPF area range as full
class C addresses. If these addresses are instead added as subnets of a
class C address, they are incorrectly advertised as OSPF type 2
external (E2) routes.

An address pool on a PortMaster 3 is most commonly made up of 48
contiguous addresses, the first of which is a network address.  For
example, suppose you configure an address pool using subnets
192.168.110.16/28 and 192.168.110.32/27, with 192.168.110.16 as the
first address.

If you add the address pool to the OSPF area range as
*192.168.110.0/24, the address pool is correctly advertised as "ospf."
However, if you add the address pool to the OSPF area range as
*192.168.110.16/28 and *192.168.110.32/27, it is advertised as
"ospf/E2."


_______________ Troubleshooting Modems

As part of modem troubleshooting, confirm that the client modem is
running the latest firmware before submitting a modem trouble report.

When making a report of a new modem problem, send the following
information to Lucent NetCare technical support:

* ComOS version
* Client modem manufacturer
* Client modem model
* Results on the client modem of commands ATI0 through ATI11
* Whether the problem is reproducible

Lucent might want to monitor your PortMaster while the client modem
reproduces the problem.


_______________ Upgrade Instructions

You can upgrade your PortMaster 3 using PMVision 1.7 or later, or
pmupgrade 4.3 or later from PMTools. Alternatively, you can upgrade
using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole
for Windows 3.5.1.4.  You can also upgrade using TFTP with the "tftp
get comos" command from the PortMaster command line interface.

See ftp://ftp.livingston.com/pub/le/software/java/pmvision17.txt for
installation instructions for PMVision 1.7.

*** CAUTION!  If the upgrade fails, do NOT reboot!  Contact 
*** Lucent NetCare Technical Support without rebooting.

The upgrade process on the PortMaster 3 erases the configuration area
from nonvolatile memory and saves the current configuration into
nonvolatile memory. Never interrupt the upgrade process, or loss of
configuration information can result.

WARNING! Due to the increased size of ComOS, the amount of 
NVRAM available for saving configurations has been reduced from 
128KB to 64KB. PortMaster products with configurations greater 
than 64KB will lose some of their configuration. For this reason, be 
sure to back up your PortMaster configuration before upgrading to 
this release. You can check the amount of memory used for your 
configuration with the "show files" command. Ignore any files that 
also include an uncompressed size.

WARNING! The PortMaster must be running ComOS 3.5 or later to 
upgrade to ComOS 3.9b26. If you are running an earlier release of ComOS,
upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.

IMPORTANT: Any PortMaster running ComOS 3.9b26 requires 4MB of 
DRAM. If you are running BGP, 16MB of DRAM is required.

The installation software can be retrieved by FTP from
ftp://ftp.livingston.com/pub/le/software/, and the upgrade image
can be found at ftp://ftp.livingston.com/pub/le/upgrades:

ComOS		Upgrade Image	Product
_________	_____________   _____________________________________
3.9b26		pm3_3.9b26	PortMaster 3

________________________________________________________________________

        Copyright and Trademarks

Copyright 1999 Lucent Technologies. All rights reserved.

PortMaster, ComOS, ChoiceNet, and NetCare are registered trademarks of
Lucent Technologies. PMVision, IRX, PortAuthority, and NavisRadius are
trademarks of Lucent Technologies. All other marks are the property of
their respective owners.

	Notices

Lucent Technologies makes no representations or warranties with respect
to the contents or use of this publication, and specifically disclaims
any express or implied warranties of merchantability or fitness for any
particular purpose. Further, Lucent Technologies reserves the right to
revise this publication and to make changes to its content, any time,
without obligation to notify any person or entity of such revisions or
changes.

	Contacting Lucent NetCare Technical Support

Lucent NetCare Professional Services provides PortMaster technical
support via voice or electronic mail, or through the World Wide Web at
http://www.livingston.com/. Specify that you are running ComOS 3.9b26
when reporting problems with this release.

Internet service providers (ISPs) and other end users in Europe, the
Middle East, Africa, India, and Pakistan should contact their authorized
Lucent NetCare sales channel partner for technical support; see
http://www.livingston.com/International/EMEA/distributors.html.

For North America, the Caribbean and Latin America (CALA), and Asia
Pacific customers, technical support is available Monday through Friday
from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966
within the United States (including Alaska and Hawaii), Canada, and
CALA, or 1-925-737-2100 from elsewhere, for voice support. For email
support, send to support@livingston.com (asia-support@livingston.com 
for Asia Pacific customers).

