Multi-Tech RouteFinder VPN Family (RF600VPN, RF660VPN and RF760VPN)

Contents
========
- Introduction
- Hardware Description
- How to perform Live Update
- Revision History
- Support Options
- Copyrights and Trademarks

Introduction
============
This document provides procedures on how to perform an update. It also includes information regarding all the changes and fixes within the product. Should there be any further recommendations, please contact the local Multi-Tech Systems office listed below.

Hardware Description
====================

RF660VPN and RF600VPN Hardware description:
-------------------------------------------
- Firewall / VPN with 10/100 Mbps LAN, WAN and DMZ ports

RF760VPN Hardware description:
------------------------------
- Firewall / VPN with 10/100/1000 Mbps LAN, WAN and DMZ ports

How to perform Live Update
==========================
- Make sure your RouteFinder is on the internet
- Webadmin into the RouteFinder
- Click on Tracking
- Click on Update Services
- Click on the Start button for the Update System
- Click on Update-Livelog for the status of the update
- Make sure the livelog shows "RPM RF660-x-xx installation successful" before performing any other tasks in Webadmin
- Click on Home to make sure the new version is displayed.

READ THIS CAREFULLY BEFORE YOU UPDATE FROM VERSION 3.05 TO 3.1X
----------------------------------------------------------------
1) Webadmin into the box.
2) Save and download a backup configuration file.
3) Disable Intrusion detection.
4) Disable URL filtering. If you have not entered the URL key, enter the URL key now. The URL key should be located on the bottom of your RF6XXVPN chassis.
5) Disable PPTP.
6) Enable DNS proxy.
7) Click on Start Update System. The update file is very BIG: it is about 120MB in size. It will take about 45 to 60 minutes to download the update on a 512K internet link. DO NOT interrupt the update until you receive an email notification.
   - If the update returns an email notification with:
       "AutoUpdate Started
        Downloading packages
        No updates found."
     then do the following:
     - ssh into the box
     - cd /usr/sbin
     - rm -f autodld
     - ln -sf autoupdate autodld
     - Webadmin into the box and start the system update again.
8) After the update is complete, it will restart the box.
9) After the upgrade is done and the box is restarted, webadmin into the box and make sure it shows version 3.10.
10) Check all your VPN connections and make sure to set the encryption back to 3DES. You might have to reset and restart all the remote VPN devices in order for the VPN tunnels to establish again.
12) Enable Intrusion detection and URL filtering if you like. If you are planning to use both features, it is recommended that you upgrade your memory to 256MB. You need to use a PC100 168-pin DIMM non-ECC memory module when doing the memory upgrade.

Revision History
================
NOTE: RF600VPN hardware with serial number lower than 9337635 will NOT be able to upgrade to version 3.10.

Changes, Bugs Fixed in Version 3.10 (Feb 20, 2004)
==================================================

Changes:
--------
1) IPsec using X.509 Certificate
2) IPsec DES encryption
3) IPsec AES encryption
4) IPsec using UID (support VPN behind a NAT device)
5) IPsec using FQDN (support dynamic to dynamic)
6) NetBIOS broadcast over IPsec
7) Route all traffic through the VPN tunnel (including internet traffic)
8) Remote sites can communicate with each other through VPN via the central site.
9) PPTP pass-thru
10) Dynamic DNS client
11) Email spam filtering based on the following:
    - Real Time Black List Check (RBL)
    - White list
    - Sender Black List
    - Recipient Black List
    - Check for NULL Sender
    - Reverse DNS lookup Test
    - Bad Patterns in Sender/Recipient Address
    - Filter Attachments (enter the file extension)
    - Filter based on Message Expression
12) More configuration options for URL content filter:
    - Use the new SurfControl SDK 4.x
    - Block and unblock by creating a custom URL list so you do not have to submit URLs to SurfControl for review.
    - Find out which category a particular URL belongs to
13) History of calls for PPTP
14) Log display for DHCP server
15) Better log display for SMTP traffic
16) Better log display for SNORT intrusion detection
17) Ethernet MAC address filtering
18) Display virus and spam emails that are quarantined
19) New Linux kernel 2.4.20
20) Accounting based on individual IP address
21) Accounting based on VPN tunnel
22) Customize port other than port 22 for SSH access
23) Intrusion detection can be enabled on each interface (LAN, WAN, DMZ)
24) Web UI option to clean HTTP proxy cache
25) Web UI option to clean SMTP proxy queue

Fixes:
------
1) Fixed POP3 email hanging problem when POP3 proxy is enabled.
2) Fixed PPPoE so it does not reconnect every night during log rotation.
3) Allow entering domain names ending with .info in the Webadmin Wizard Setup.
4) Fixed some web page access problems when HTTP proxy is enabled.

Changes, Bugs Fixed in Version 3.05 (July 14, 2003)
===================================================

Processes restarted and changes that will be done to the existing configurations:
---------------------------------------------------------------------------------
1. SNORT will be restarted.
2. If a SNORT rules update is in progress, it will be stopped before the system update.

Changes:
--------
1. SNORT binary and rules have been updated to the latest version (Version 2.0).
2. The weekly SNORT rule update has been removed.
3. The port scan livelog does not show the protocol used for scanning.
4. New /etc/cron.daily/tmpwatch is executed after update to version 3.05.

Fixes:
------
1) Fix SNORT vulnerability
2) New weekly update rules were not compatible with the old version of SNORT
3) New /etc/cron.daily/tmpwatch file to clean up the /tmp directory

Changes, Bugs Fixed in Version 3.03 (May 21, 2003)
==================================================

Processes restarted and changes that will be done to the existing configurations:
---------------------------------------------------------------------------------
1. SOCKS proxy will be restarted.
2. PPTP will be restarted.
3. IPSec will be restarted.
4. Kaspersky's Antivirus daemon will be restarted.
5. DHCP server will be restarted.
6. If DHCP server is enabled and a rule is present for it in ALLOW_PORTS, the rule will get deleted and two rules will get added, one in the AUTO_INPUT and one in the AUTO_OUTPUT chain.
7. IPSec: The AH and ESP keys for manual connections have been changed such that the user has to enter ASCII values instead of hexadecimal numbers. If there are already existing manual connections, the AH and ESP keys will be intact. But if these connections are edited and saved, and the keys get mapped to ASCII characters which do not fall in the <32 - 127> range, it will give problems. However, users can re-enter the keys in ASCII and save them.

Changes:
--------
1. Mail notification is sent when WAN Ethernet is down and dial backup is activated, and vice versa.
2. An option to save the backup file to a local drive has been provided in the Tracking -> Backup page.
3. The AH, ESP (encryption and authentication) keys cannot be entered as hexadecimal numbers any more. They have to be entered as ASCII characters.

Fixes:
------
1. Yahoo Messenger was not working with SOCKS proxy version 5 and authentication enabled. Fixed the problem.
2. SOCKS log messages included details about the data that is being transferred. Removed printing those log messages.
3. In SMTP Proxy -> SMTP routes, an entry adldata.com could not be added if an entry mail.adldata.com was already present.
4. Kaspersky's configuration files have been included in backup.
5. 255 was not allowed in the second and third octets of IP addresses. That has been fixed now.
6. The IP address of pppd shown in ps aux was not matching the pptpuser file.
7. pptpd was getting restarted suddenly. Fixed the problem.
8. The IPTable rule for DHCP was not present by default even though the DHCP server is enabled by default. Added it. Also, if the DHCP server is enabled and the rule is not present, it will be added now.
9. DHCP server was not giving the DNS address to clients if DNS proxy is enabled in RF660.
10. PPP dial backup: if the backup link is up and at that time factory defaults are restored, the changes were not happening properly. This has been fixed.
11. SMTP proxy stops working after the virus key expires. This has been fixed.
12. IPTables was getting wiped out in some machines suddenly.
13. Connecting from a Win XP PPTP client to a SQL database in the PPTP server's LAN was not working properly because of MTU problems. That has been fixed.
14. IPSec tunnels did not come up properly after the IPSec subsystem restarts Pluto. This has been fixed.
15. IPSec "DH secret has leading zero...." problem. Fixed.
16. Restarting gets stuck (problem with removing the ip_conntrack module). Fixed.
17. Virus database update: the last update execute time was not getting displayed properly. Fixed this.
18. The validation checks for the PPPoE user name have been removed. Except for <, >, ", anything can be configured. The length of the user name has been fixed to 50 characters.
19. Changes in factory defaults for the above.

Changes and Bug Fixes in Version 3.02 (March 19, 2003)
======================================================
NOTE: After update 3.02 is completed, if you have DNS proxy enabled, you must disable and enable DNS Proxy manually.
Processes will be restarted and changes that will be done to the existing configurations:
-----------------------------------------------------------------------------------------
1. IPTable ALLOW rules for ports 2049 (NFS), 2401 (CVS), 113 (identd), 139 (NetBIOS), 1812-1813 (RADIUS), 69 (TFTP) will be removed from the chain ALLOW_PORTS. Instead, the rules for ports 2401, 139, 1812, 1813 will be added in the AUTO_OUTPUT chain. This is to send CVS, SMB authentication and RADIUS packets from the RF660.
2. If Virus Scanner is enabled, the REDIRECT rule for the POP3 Virus Scanner will be moved to the first position in the DNAT chain.

Changes:
--------
1. Special characters are allowed in the passwords for Root user, SSH user, Webadmin user, PPP, PPPoE, CVS, other users (in the user authentication page), and the RADIUS secret.
2. Before stopping IPSec, the Pluto database is cleared of all connections.
3. Packet Filters: Added a configurable option to enable / disable logging of packets that are destined to the RF660 and are discarded. This will allow the packet filter livelog to display all the packets that are being dropped.
4. Logon page: The logo and version number in the initial logon page can be displayed / hidden with a configurable option in the Administration -> Web Admin page.

Fixes:
------
1. IPTable ALLOW rules for ports 2049 (NFS), 2401 (CVS), 113 (identd), 139 (NetBIOS), 1812-1813 (RADIUS), 69 (TFTP) will be removed from the chain ALLOW_PORTS. Instead, the rules for ports 2401, 139, 1812, 1813 will be added in the AUTO_OUTPUT chain. This is to send CVS, SMB authentication and RADIUS packets from the RF660.
2. 0 was not allowed in the 2nd and 3rd positions of the IP address for Gateway, WINS address, SAM PDC, SAM BDC, SMTP Proxy -> SMTP routes. Fixed it.
3. Fixed a validation problem for Accepted Incoming Domains in SMTP Proxy.
4. Services:
   - In the Services page, the source port for DNS and SSH has been changed from 1024:65535 to 1:65535.
   - While editing a service and changing the protocol, the ports would vanish. Fixed this problem. Now TCP, UDP, TCP+UDP is one group and AH, ESP is another group; if a service is edited and the protocol is changed within a group, the source port and destination port fields or the SPI values will remain intact.
   - Changed the alert message displayed if the service name added already exists in the services / service groups lists.
5. After update 3.01, PPTP had to be restarted from the web GUI for adding users in the local database. Fixed the problem.
6. If the DHCP client is not able to get an IP address, after it finishes trying, the IPSec route for eth1 was getting removed. Fixed it.
7. Virus Scanner: Two separate controls have been added for the SMTP Virus scanner and the POP3 Virus scanner in the Proxies -> SMTP Proxy -> Virus Scanner section.
8. The POP3 Virus Scanner's redirection rule has been made such that it has high precedence over DNAT rules. (It will always get added in the first position.)
9. After update 3.01, the ownership of the ICMP services file was changed, so while adding ICMP services, error messages were getting displayed. Fixed it.
10. Version Control: Clearing the options was not being allowed. Now it is allowed.
11. PPPoE is enabled and it is not able to get an IP address. Now, restart the box. After coming up, the gateway and IP address for WAN entries in the Network Setup are in non-editable format. Also, while the monitor is trying to get an IP address, the gateway and WAN entries will be in non-editable format.
12. Factory default values changed for the above. The IPTable rule file in factory default did not have an entry for the SQUID_DROP chain. Added it. Also, if it is not already in IPTables, it will get added now. The entry for POP3VSCAN was not there in the factory default process status file. Added it.
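The 3.02 notes above state which ports leave ALLOW_PORTS and which are re-added in AUTO_OUTPUT. The following post-update audit is an added example, not Multi-Tech code: it assumes the rule set can be dumped in iptables-save format (as `iptables-save` prints it) and checks that the two chains match the release notes, so a stale NFS/TFTP/identd ALLOW rule or a missing outbound CVS/SMB/RADIUS rule is caught before the box goes back into service. The sample rule set is constructed.

```python
"""Audit ALLOW_PORTS / AUTO_OUTPUT against the RouteFinder 3.02 release notes.

Added example, not part of the Multi-Tech firmware. Assumes the rules are
available as iptables-save text ('-A CHAIN ... --dport N ...' lines).
"""
import re

# Ports the 3.02 update removes from ALLOW_PORTS (from the release notes):
# 2049 NFS, 2401 CVS, 113 identd, 139 NetBIOS, 1812-1813 RADIUS, 69 TFTP.
REMOVED_FROM_ALLOW = {2049, 2401, 113, 139, 1812, 1813, 69}
# Ports the 3.02 update adds to AUTO_OUTPUT (from the release notes).
ADDED_TO_AUTO_OUTPUT = {2401, 139, 1812, 1813}

# Matches single ports (--dport 139) and ranges (--dport 1812:1813).
# Multiport rules (--dports a,b) are deliberately not matched here.
RULE_RE = re.compile(r"^-A (?P<chain>\S+) .*--dport (?P<lo>\d+)(?::(?P<hi>\d+))?")


def ports_by_chain(rules_text):
    """Map chain name -> set of destination ports that have an -A rule."""
    chains = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # '*filter', 'COMMIT', ':CHAIN' headers, non-port rules
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        chains.setdefault(m.group("chain"), set()).update(range(lo, hi + 1))
    return chains


def audit_302(rules_text):
    """Return (stale_allow_ports, missing_auto_output_ports), both sorted lists.

    stale_allow_ports: ports the notes say are gone but still sit in ALLOW_PORTS.
    missing_auto_output_ports: ports the notes say were added but are absent.
    """
    chains = ports_by_chain(rules_text)
    stale = sorted(REMOVED_FROM_ALLOW & chains.get("ALLOW_PORTS", set()))
    missing = sorted(ADDED_TO_AUTO_OUTPUT - chains.get("AUTO_OUTPUT", set()))
    return stale, missing


# Constructed sample: a rule set where the update only half applied.
SAMPLE_RULES = """\
*filter
-A ALLOW_PORTS -p tcp -m tcp --dport 2049 -j ACCEPT
-A ALLOW_PORTS -p tcp -m tcp --dport 22 -j ACCEPT
-A AUTO_OUTPUT -p tcp -m tcp --dport 2401 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    stale, missing = audit_302(SAMPLE_RULES)
    print("still in ALLOW_PORTS:", stale)        # [2049]
    print("missing from AUTO_OUTPUT:", missing)  # [139, 1812, 1813]
```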
Changes and Bug Fixes in Version 3.01 (March 3, 2003)
=====================================================

Processes will be restarted and changes that will be done to the existing configurations:
-----------------------------------------------------------------------------------------
- PPTP daemon will be restarted. All the existing connections will be brought down.
- DHCP client will be restarted.
- SurfControl server will be restarted.
- Existing IPSec connections with Local Subnet as 'Any' or 'none', or Remote Subnet as 'Any', will be removed.
- After this update, only one authentication type can be selected for HTTP Proxy and SOCKS Proxy authentication. So if 2 or 3 authentication types have been selected already (before the update), the first authentication type alone will be enabled and the others will be disabled. So, HTTP Proxy and SOCKS proxy will be restarted.
- ICMP Packet filter rules with the following codes will be removed: Network Unreachable - Protocol Unreachable. This is because, if any such rule had already been added, it would not have been really added in the IPTable rules.
- ICMP Packet filter rules with the following codes will be removed, as they are obsolete:
  - time-stamp-request
  - time-stamp-reply
  - network-unreachable -> host-isolated
- Existing Network Intrusion Detection rules with Destination IP Address as 'Any' will be removed.

Changes:
--------
1. SARG report generation has been moved from cron.fivemins to cron.hourly.
2. PPTP: Static IP address assignment support for users.
3. Networks & Services - Services: The protocol "ANY" has been removed from the Services page. This is because a static service 'Any' already exists with ports 1-65535. There is no point having one more user-defined service with protocol "Any"; if the protocol is "Any", then the port numbers configured have no meaning.
4. IPSec: When adding a new or editing an existing IPsec connection, connections cannot be added with Local LAN = Any, Local LAN = none or Remote LAN = Any any more.
5. HTTP Proxy: HTTP proxy authentication will now allow only ONE type (local or Radius or SAM).
6. SOCKS Proxy: SOCKS proxy authentication will allow only ONE type (local or Radius or SAM).
7. Network Intrusion Detection: The entry Any from the Destination list box has been removed. This is because it ends up logging a lot of messages and the box becomes very slow.
8. DNAT: 'Any' has been removed from the pre-destination network.
9. Backup: The length of the comment field in the backup page has been limited to 100 characters.

Fixes:
------
1. Statistics & Logs - SMTP Proxy: If you select it from the left side menu once and click again on the same (SMTP proxy), it gives an error. Fixed this.
2. URL Categorization filters: a memory leak problem has been fixed.
3. URL Categorization filters: The check for memory percentage has been removed from the five minutes cron job.
4. PPTP: PPP CPU % was going high if a client disconnect was not proper. After that, no other connection would be allowed. Fixed this problem.
5. PPTP: An extra log option has been removed from the /var/chroot-pptp/etc/ppp/options file.
6. Networks & Services - Services: Click on edit of one service and then again click on edit of another service to edit the next service. The newly edited second service became the first service. Fixed this problem.
7. Network Groups / Service Groups: The same service / network was not getting added in two different groups. Now it can be added.
8. System Updates: If no update is to be done, the message shown in the update livelog was wrong. Also, if the signature check for any rpm fails, the update was going on in an infinite loop. Fixed these problems.
9. System Updates: After a system update, the File Integrity Check Module was sending a mail it is not supposed to send. Fixed it.
10. Virus Update: After the update from 2.94a to 3.0, the virus update date and time were not getting displayed in the web GUI. Fixed it.
11. SSH: If there are SSH connections to the box, and the main sshd gets killed, self monitor was not restarting sshd. Fixed it.
12. IPSec: If for some reason Pluto gets killed, the monitor should be able to restart IPSec.
13. Log rotate: The virus scanner's log file kavscan.rpt has been included in logrotate.
14. Packet Filters: A packet filter rule with service as "ICMP as Network Unreachable and Protocol Unreachable" was not getting added. Fixed this.
15. Packet Filters: Packet filter rules with ICMP time-stamp-request, time-stamp-reply, network-unreachable -> host-isolated were not getting added as they have become obsolete. Removed those options from the Services page itself.
16. DHCP client: If the IP address is changed during renewal, the configuration files were not getting updated properly. Fixed it.
17. Web Admin Site Certificate: Now, spaces are allowed for State, City, Company, Organization unit.
18. Web GUI: The GUI has been made faster as File Integrity Check calls have been optimized.
19. Backup: The version file has been added in backup.
20. Backup: After importing a backup, the folder /home/multiweb was getting deleted. Fixed this problem.
21. Backup: If a comment is not given while taking a backup (from the web GUI), importing that backup file was giving a version error. Fixed it.
22. Backup: After the number of backup files to be kept in the firewall reaches the maximum number configured, and then if the date is changed to the past, the subsequent backups were failing. Fixed this.
23. Certain domains were not getting added in the Accepted Incoming Domains field. Fixed the validation problem.
24. 0s were not getting accepted in the 2nd or 3rd fields of the WINS IP address. Fixed the validation problem.
25. DNS Proxy: The admin mail id in the default zone file has been changed to admin@yourdomain.com.
26. POP3 Virus Scanner: Included POP3 Virus scanner in self monitor.
27. Packet Filters - ICMP - ICMP on firewall: If ICMP is disabled for LAN or DMZ, DROP rules were getting added for WAN also. Fixed this.
28. Changes in factory default for the above. Also, after restoring factory default, the /home/multiweb directory was getting deleted. Fixed it.

Support Options
===============
For technical support, you may contact your authorized Multi-Tech Systems distributor, dealer or the following Multi-Tech Systems branch offices.

U.S.A.
  Web Site: www.multitech.com
  FTP Site: ftp.multitech.com
  Tel: +1(763)785-3500
  Fax: +1(763)785-9874

U.K.
  Tel: +44(118)959-7774
  Fax: +44(118)959-7775

France
  Tel: +33(1)6461-0981
  Fax: +33(1)6461-0971

India
  Tel: +91(11)6174-634
  Fax: +91(11)410-5968

Copyrights, Trademarks
======================
All documents and software provided herewith are Copyright (c) 2003 Multi-Tech Systems. All rights reserved.
MS, Windows, Windows 95, Windows NT are tradenames of Microsoft Corporation.
Other trademarks or tradenames used herein are properties of the respective owners.