Project

General

Profile

release39b26-pm3.txt

laforge, 10/14/2019 08:43 PM

 
1
1999/12/08 (revised 12/10)
2

    
3
		ComOS 3.9b26 Open Beta Release Note
4
			for the PortMaster 3
5

    
6

    
7
________________ Introduction
8

    
9
The new Lucent Technologies ComOS(R) 3.9b26 open beta software release
10
is now available for the PortMaster(R) 3 Integrated Access Server.
11

    
12
This open beta release is provided at no charge to all Lucent
13
customers, but is recommended only for customers who wish to test the
14
new functionality before the general availability (GA) release of 
15
ComOS 3.9.
16

    
17
Command syntax for new commands might change between this open beta
18
release and the general availability release of ComOS 3.9.
19

    
20
This release note documents commands and features added between ComOS
21
3.8.2 and ComOS 3.9b26 on the PortMaster 3.  This release note applies
22
only to the PortMaster 3.
23

    
24
The modem code in ComOS 3.9b26 is the same modem code included in 
25
ComOS 3.9b22 and ComOS 3.9b24 for the PortMaster 3.
26

    
27
Before upgrading, thoroughly read "ComOS 3.9b26 Limitations" and
28
"Upgrade Instructions."
29

    
30
WARNING! Due to the increased size of ComOS, the amount of nonvolatile
31
RAM (NVRAM) available for saving configurations has been reduced from
32
128KB to 64KB. PortMaster products with configurations greater than
33
64KB will lose some of their configuration. For this reason, be sure to
34
back up your PortMaster configuration before upgrading to this
35
release.  You can check the amount of memory used for your
36
configuration with the "show files" command. Ignore any files that also
37
include an uncompressed size.
38

    
39
WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade
40
to ComOS 3.9b26. If you are running an earlier release of ComOS,
41
upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.
42

    
43
NOTE: Any PortMaster running ComOS 3.9b26 requires 4MB of dynamic RAM
44
(DRAM). Use 16MB if you are running the Border Gateway Protocol (BGP).
45

    
46

    
47
_______________ Export Restrictions
48

    
49
This release of ComOS 3.9b26, available to any Lucent customer
50
worldwide, does not include support for the Data Encryption System
51
(DES) and Triple DES (3DES) encryption methods.
52

    
53
However, the Authentication Header (AH) RSA Data Security, Inc.  MD5
54
Message-Digest Algorithm (MD5) authentication feature of the IPSec
55
encryption ("coprocessor") card is available worldwide and is included
56
in ComOS 3.9b26.
57

    
58
Because of export restrictions, the DES and 3DES features for ComOS
59
3.9b26 will be handled on a case-by-case basis outside of the standard
60
release process. Any US-owned or Canadian-owned company wishing to
61
obtain this feature should call Cary Hayward at 1-925-730-2637. This
62
restricted release of ComOS 3.9b26enc168, which supports DES and 3DES,
63
is available to Lucent customers in the United States and Canada only.
64
To use DES or 3DES for encrypting data payloads, you must install the
65
IPSec encryption card (PM3-VPN).
66

    
67
Versions of ComOS 3.9b26 supporting DES and 3DES on the IPSec 
68
encryption card will be made available to customers in other countries 
69
as export licensing permits. Licensing approval is being sought at this 
70
time.
71

    
72
For more information, see the sections on "Virtual Private Network
73
(VPN) Tunneling" and "IPSec Encryption Card for the PortMaster 3".
74

    
75

    
76
_______________ Contents
77

    
78
Introduction
79
Export Restrictions
80
Bugs Fixed in ComOS 3.9b26
81
Reconfiguring NVRAM
82
New Features in ComOS 3.9b26
83
	RADIUS Authentication Failover
84
	RADIUS Accounting Retry Interval and Count
85
	Non-Facility Associated Signaling (NFAS)
86
	Layer 2 Tunneling Protocol (L2TP)
87
	Virtual Private Network (VPN) Tunneling
88
	IPSec Encryption Card for the PortMaster 3
89
	Network Address Translator (NAT)
90
	Assigned IP for Dial-Out Locations
91
	Port Required for Telnet Device Service
92
	Enhanced PMVision Support
93
Configuring NFAS
94
Configuring L2TP
95
Configuring VPN Tunneling
96
Configuring NAT
97
ComOS 3.9b26 Limitations
98
Troubleshooting Modems
99
Upgrade Instructions
100
Technical Support
101

    
102

    
103
_______________Bugs Fixed in ComOS 3.9b26
104

    
105
* The Point-to-Point Protocol (PPP) counters are now always reset when
106
a port is initialized. Previously, incorrectly set counters sometimes
107
caused the second link of a PPP multilink connection to fail.
108

    
109

    
110
* The PortMaster 3 no longer retains a remote router's Multichassis PPP
111
(MCPPP) master entry after the router disconnects.  Previously, under
112
certain conditions, the master entry remained after disconnection and
113
prevented the PortMaster from routing the packets of this remote router
114
when it dialed in again.
115

    
116
* Simple Network Management Protocol (SNMP) access to the serial table
117
for PortMaster user information now works properly. Earlier versions of
118
this release reported "No Response."
119

    
120
* A sporadic reboot problem has been fixed. The stack trace displayed
121
the message "Assertion failed: nbuf_p->bytes_left, file mdp_os.c, line
122
1586" when this problem occurred.
123

    
124
* Unauthorized Telnet connections are now timed out after 2 minutes.
125

    
126
* The "set maximum pmconsole" command now takes effect immediately.
127
Previously, active connections on port 1643 had to be reset before
128
changes were applied.
129

    
130
* Output for the "set debug ?" command has been enhanced.
131

    
132
* A RADIUS Login-User with the telnet login service no longer generates
133
a Framed-User start record erroneously.
134

    
135
* The AH and Encapsulating Security Payload (ESP) protocols now work
136
together.
137

    
138
* An administrative reset of a Layer 2 Tunneling Protocol (L2TP)
139
session now generates only one stop record instead of two.
140

    
141
* Accounting records for a RADIUS Administrative-User logging in to
142
port S0 now show the correct service type.
143

    
144
* Administrative logins logged to syslog no longer have the password
145
sent in clear text.
146

    
147
* The authentication packet sent for telnet logins now reports the
148
correct user type to the access log. Previously, the authentication
149
packet erroneously reported a user type of Outbound-User.
150

    
151
* Startup and shutdown accounting packets are now resent like other
152
accounting packets.
153

    
154
* When the PortMaster 3 receives an incoming V.110 setup request, it
155
now returns the message "Cause 88 Incompatible Destination."
156
Previously, the message "Release Complete with the Cause 17 User Busy"
157
was erroneously returned.
158

    
159
* The "show sessions" command no longer returns garbage characters at
160
the end of a 12-character location name.
161

    
162
* The "show table location" command now shows the full location name.
163

    
164
* The command "set user protocol ppp" no longer deletes the
165
Point-to-Point Protocol (PPP) asynchronous map.
166

    
167
* The attributes associated with the user are now deleted when the user
168
entry is deleted. For example, if a network user (netuser) named lee
169
configured with NAT is deleted, the old NAT configuration parameters
170
are no longer listed for any new user named lee.
171

    
172
* When the call-check feature has been enabled ("set call-check on"),
173
callback users specified through RADIUS are now authenticated.
174

    
175
* If a RADIUS menu user fails over a Telnet connection, an
176
administrative user is now allowed to telnet in. Previously, the
177
administrative user was rejected until the PortMaster 3 was rebooted.
178

    
179
* RADIUS accounting records for an L2TP access concentrator (LAC) now
180
include the Tunnel-Server-Endpoint information.  This information was
181
not provided in previous releases.
182

    
183
* When routing is disabled on a WAN port, the port status now reflects
184
this condition.
185

    
186
* BGP summarization settings that are configured with the "set bgp
187
summarization" command are now saved after you enter "save all" and
188
"reset bgp." Previously, only settings configured with the "add bgp
189
summarization" command were saved.
190

    
191
* Subnets included as part of an OSPF area range are now advertised as
192
internal OSPF routes. If not included as part of the range, they are
193
advertised as OSPF type 2 external (E2) routes. In previous releases,
194
the PortMaster 3 advertised routes in this way when they were part of
195
an assigned address pool, but not if they were subnets used to assign
196
static IP addresses.
197

    
198
* OSPF configuration information is now saved during an upgrade from
199
ComOS 3.7 to ComOS 3.9b26.
200

    
201
* Modem code fixes:
202

    
203
  - A downward spiraling upstream rate caused by an incorrect Link
204
    Access Procedure for Modems (LAPM) error check is fixed.
205

    
206
  - Rate reduction due to LAPM errors has been made less sensitive.
207

    
208
  - In the presence of LAPM retransmission errors, the modem code
209
    retrains to allow the link to adjust to a lower speed and improve
210
    throughput.
211

    
212
  - The number of disconnections from LAPM retrains within a retrain
213
    has been reduced.
214

    
215
  - The modem code now suspends LAPM transactions during any rate
216
    changes or retrains and thereby eliminates some connection
217
    failures, connections without error control, and some
218
    disconnections.
219

    
220
  - U.S. Robotics (USR) Telepath V.34 modems can now establish
221
    LAPM error correction. Previously under certain conditions, the 
222
    modem was choosing too high a connection rate and was unable 
223
    to establish LAPM error correction. The modem code now detects 
224
    these conditions and forces the connection speed down by one rate 
225
    to allow LAPM to be negotiated. 
226

    
227
  - For all modems, retrain detection has been improved to prevent some 
228
    client disconnections. 
229

    
230
  - For modems with Rockwell Semiconductor Systems (RSS) K56flex
231
    chipsets, fast rate changes now work properly. Previously, a retrain 
232
    was forced after a rate change. (RSS is now Conexant Systems Inc.) 
233

    
234
  - A NO EC (no error control) connection problem with Cirrus Logic 
235
    modems is fixed, and overall performance with Cirrus Logic 
236
    modems is improved. Cirrus Logic modems are now supported by
237
    Ambient Technologies.
238

    
239
  - The number of rate renegotiations with USR/3Com and Cirrus 
240
    Logic modems has been reduced because ComOS now allows 
241
    the client modem to specify spectral shaping. 
242

    
243
  - USR/3Com modem connections are now more reliable. 
244

    
245
  - Rate renegotiation and retrain problems with USR/3Com and Rockwell 
246
    HCF modems are fixed. 
247

    
248
  - Connectability with USR/3Com and Rockwell HCF modems and 
249
    LT Winmodems is improved. 
250

    
251
  - Motorola SM56 modems can now connect with V.90. 
252

    
253
  - A V.90-to-V.34 fallback problem, which can result in a disconnection,
254
    is fixed by earlier V.34 detection. 
255

    
256
  - A-law V.90 connectability is improved. 
257

    
258
  - K56flex connectability is improved by an increase in a K56flex timeout.
259

    
260

    
261
_______________ Reconfiguring NVRAM
262

    
263
After loading the new ComOS 3.9b26 and rebooting, look for messages
264
like the following on the console screen to verify that ComOS has
265
loaded successfully:
266

    
267
Testing System Memory.... 1024K
268
Checking Boot Rom....
269
Calibrating.... 33MHz
270
Starting FLASH Boot.....
271
Loading Image at 0fff0000
272
17110  flash copy complete
273
Verifying Load Module Checksum...
274
Starting Load Module ...
275
Loading kernel... 691260 bytes
276
Testing High Memory ... . 4096K
277
Loading kernel extensions... 125952 bytes
278
Async found in slot 1
279
Found 11 ports....
280
ether0 active ... 16K shared-RAM
281
Reconfiguring FLASH...
282
   Malloc size 65534 at 18a208
283
   Opened modules STD file
284
   Read 64506 bytes at 18a208
285
   read 1 buffers
286
   Call flash format
287
   Call freecntl
288
   Call save
289
   Call f_open
290
   Write 64506 bytes at 18a208
291
done - rebooting
292

    
293

    
294
_______________ New Features in ComOS 3.9b26
295

    
296
The following commands and features have been added in ComOS 3.9b26.
297

    
298

    
299
_______ RADIUS Authentication Failover
300

    
301
Authentication failover allows the PortMaster to dynamically switch 
302
primary and alternate RADIUS authentication servers according to 
303
their response. Use the following commands:
304

    
305
  set authentication interval Seconds
306
  set authentication failover on | off
307

    
308
The first command sets the response interval. The PortMaster sends a
309
RADIUS access-request packet every "interval" number of seconds. If no
310
response is received from the primary RADIUS server, the PortMaster
311
switches or "fails over" to the secondary authentication server. The
312
secondary RADIUS server then is treated as the primary, and is marked
313
with an asterisk (*) in "show global"output.
314

    
315
  set authentication interval Seconds
316

    
317
Seconds		A value between 1 and 255. The number of seconds that
318
		must elapse between RADIUS access-request
319
		retransmissions if the PortMaster receives no response.
320
		The default is 3 seconds, and 0 resets the value to the
321
		default. If the primary server does not respond,
322
		failover occurs after two times the Seconds value. For
323
		example, if "set authentication interval 6" is used,
324
		failover occurs in 12 seconds.
325

    
326
The second command enables the failover feature on the PortMaster 3:
327

    
328
  set authentication failover on | off
329

    
330
on	If the primary server fails to respond three times in a row,
331
	the PortMaster sends the packet to both the primary and
332
	secondary servers for the next seven retransmissions. If the
333
	secondary server replies before the primary server, the
334
	PortMaster switches the primary and secondary servers. 
335
	Then on the next login attempt, the PortMaster tries the 
336
	secondary server first.  If the secondary server fails to 
337
	respond three times in a row, the PortMaster sends the 
338
	packet to both servers and designates the server that replies 
339
	first as the new primary server.
340

    
341
off    	The PortMaster 3 always tries the primary server first, same as
342
	the current behavior. This is the default.
343

    
344

    
345
_____RADIUS Accounting Retry Interval and Count
346

    
347
The PortMaster attempts to send each RADIUS accounting packet every
348
"interval" seconds, and sends it the "count" number of times before
349
giving up. If an acknowledgement is received from the RADIUS 
350
accounting server, the PortMaster no longer tries to resend the 
351
accounting packet. If no acknowledgment is sent from the primary 
352
server in response to the first packet, the PortMaster sends the packet 
353
to both the primary and secondary RADIUS accounting servers.
354

    
355
   set accounting count Number
356
   set accounting interval Seconds
357

    
358
Number 		A decimal number between 1 and 99. The number of  
359
		times the PortMaster sends a RADIUS accounting  
360
		packet without acknowledgement from a RADIUS 
361
		server. 
362

    
363
Seconds		A decimal number between 1 and 255. The number of 
364
		seconds that must elapse between RADIUS accounting
365
		packet retransmissions if not acknowledged by the
366
		accounting server. The default is 30 seconds.
367

    
368
Use the "show global" command to view the Accounting Count and the
369
Accounting Interval settings.
370

    
371
Examples:
372

    
373
Command> set accounting count 45
374
Accounting retry count changed from 23 to 45
375

    
376
Command> set accounting interval 60
377
Accounting retry interval changed from 30 to 60 sec
378

    
379

    
380
_______ Non-Facility Associated Signaling (NFAS)
381

    
382
Non-facility associated signaling (NFAS) is a service offered by
383
telephone companies that permits a single D channel to provide the
384
signaling for a group of ISDN Primary Rate Interfaces PRIs. This 
385
service allows the channel that is normally used for signaling on the 
386
remaining PRIs to be used as a B channel.
387

    
388
Because combining the signaling onto a single D channel increases the
389
consequences if communication with that channel fails, some telephone
390
companies use the D channel backup (DCBU) system. DCBU requires two
391
D channels per NFAS group, one as a primary and one as a secondary.
392

    
393
The Lucent ComOS implementation of NFAS supports both standard NFAS 
394
and NFAS with DCBU across up to 20 PRIs.
395

    
396
See the section titled "Configuring NFAS" for NFAS configuration
397
information. For more information about NFAS commands, see the 
398
PortMaster Command Line Reference. For detailed configuration 
399
information, see the PortMaster Configuration Guide.
400

    
401

    
402
_______ Layer 2 Tunneling Protocol (L2TP)
403

    
404
ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol
405
(L2TP). You can configure the PortMaster 3 as both an L2TP access
406
concentrator (LAC) and an L2TP network server (LNS).
407

    
408
See the section titled "Configuring L2TP" for L2TP configuration
409
information.
410

    
411
For more information about L2TP commands, see the 
412
PortMaster Command Line Reference. For detailed configuration 
413
information, see the PortMaster Configuration Guide.
414

    
415

    
416
_______ Virtual Private Network (VPN) Tunneling
417

    
418
ComOS 3.9b26 on the PortMaster 3 supports virtual private networks
419
(VPNs) and IP Security (IPSec). A properly configured PortMaster is
420
capable of tunneling using the IP Encapsulation within IP (IPIP) and
421
IPSec protocols and a Lucent proprietary Proxy Tunnel protocol.
422
Tunneling allows you to create custom network topologies that are
423
independent of the underlying physical topology of the network, with or
424
without additional security and authentication.
425

    
426
See the section titled "Configuring VPN Tunneling" for more 
427
information.
428

    
429
For more information about VPN tunneling commands, see the 
430
PortMaster Command Line Reference. For detailed configuration 
431
information, see the PortMaster Configuration Guide.
432

    
433

    
434
_______ IPSec Encryption Card for the PortMaster 3
435

    
436
ComOS 3.9b26 now supports the IPSec encryption ("coprocessor") card 
437
for the PortMaster 3 (PM3-VPN).  To use IPSec, you must install the 
438
IPSec encryption card in the PortMaster 3, into the same interface on 
439
the motherboard used by the Stac compression card (PM3-CMP).  The
440
PortMaster 3 can support either the Stac compression card or the
441
IPSec encryption card, not both.
442

    
443
The PortMaster 3 does not require the IPSec encryption card to run the 
444
IPIP or Proxy Tunnel protocols.
445

    
446
The following message is displayed on the console port at boot time if
447
the IPSec encryption card is installed correctly and operating:
448

    
449
  Found MIPS 4640 daughter board with 512Kb bytes of memory
450

    
451
The IPSec encryption card is booted from the file named "mipsboot" 
452
on the NVRAM file system. You can use the "show files" command to 
453
verify that this file exists. If it does not, you must upgrade your 
454
release of ComOS. To see which encryption algorithms and protocols 
455
are supported, use the "show ipsec modules" command.
456

    
457

    
458
_______ Network Address Translator (NAT)
459

    
460
ComOS 3.9b26 supports the network address translator (NAT) based on 
461
RFC 2663.
462

    
463
The basic network address translator (basic NAT) maps IP addresses from
464
one group to another, transparently to users and applications. The
465
network address port translator (NAPT) is an extension to basic NAT, in
466
which multiple network addresses and their TCP and UDP ports are mapped
467
to a single network address and its ports.
468

    
469
ComOS supports both basic NAT and NAPT for both outbound 
470
and inbound sessions. It also supports an "outsource" mode in 
471
which all NAT processing is done on the server side of the 
472
connection.
473

    
474
See the section titled "Configuring NAT" for more information.
475

    
476
For more information about NAT commands, see the PortMaster 
477
Command Line Reference. For detailed configuration information, 
478
see the PortMaster Configuration Guide.
479

    
480

    
481
_______ Assigned IP for Dial-Out Locations
482

    
483
Use the following command to configure a dial-out location on the
484
PortMaster 3 to receive a dynamically assigned address:
485

    
486
  set location Locname local-ip-address assigned  | Ipaddress
487

    
488
Locname		Name of a location table entry.
489

    
490
In previous releases of ComOS for the PortMaster 3, dial-out locations
491
could not receive a dynamic address.
492

    
493

    
494
_______ Port Required for Telnet Device Service
495

    
496
The "set S0 service_device telnet" command now requires a TCP port number. 
497

    
498
  set S0 service_device telnet Tport
499

    
500
Tport	Specifies the TCP port for the connection. The range is from 
501
	1 to 65535.
502

    
503
Previously, if the port number was omitted, the PortMaster listened on
504
port 23, the default Telnet port. This behavior caused problems for
505
users telnetting to the PortMaster.
506

    
507

    
508
_______ Enhanced PMVision support
509

    
510
Additional support has been added to ComOS 3.9b26 to allow PMVision(TM) 
511
to monitor and configure ComOS 3.9b26 features on the PortMaster. See 
512
the most recent PMVision release note for details.
513

    
514

    
515
_______________ Configuring NFAS
516

    
517
Non-facility associated signaling (NFAS) is a service offered by
518
telephone companies that permits a single D channel to provide the
519
signaling for a group of PRIs. This service allows the channel that is
520
normally used for signaling on the remaining PRIs to be used as a
521
B channel.
522

    
523
Because combining the signaling onto a single D channel increases the
524
consequences if communication with that channel fails, some telephone
525
companies use the D channel backup (DCBU) system. DCBU requires two
526
D channels per NFAS group, one as a primary and one as a secondary.
527

    
528
The Lucent ComOS implementation of NFAS supports both standard NFAS and
529
NFAS with DCBU across up to 20 PRIs.
530

    
531
See the "ComOS 3.9b26 Limitations" section before using NFAS.
532

    
533

    
534
_______ NFAS Configuration
535

    
536
To configure a line for NFAS operation, use the following command:
537

    
538
  set Line0 nfas primary | secondary | slave | disabled Identifier Group
539

    
540
Line0		line0 or line1.
541

    
542
primary		This PRI contains the primary D channel.
543

    
544
secondary	This PRI contains the secondary D channel.
545

    
546
slave		This PRI contains no D channel.
547

    
548
disabled	Clears this PRI's NFAS configuration.
549

    
550
Identifier     	Number between 0 and 19 that is unique among all PRI
551
		interfaces in the same NFAS group.
552

    
553
Group          	Number between 1 and 99 identifying which NFAS group
554
		this PRI belongs to.
555

    
556
Example:
557

    
558
The following example shows how to configure four PortMaster 3s on a
559
common Ethernet with two NFAS groups, one with DCBU and one without.
560
Each group contains two PortMaster 3s.
561

    
562
NFAS bundle #1 (with DCBU)
563
  PM3-1 (Line0 contains the primary D channel. Line1 is a slave line.):
564
    set line0 nfas primary 0 1
565
    set line1 nfas slave 1 1
566
    save all
567
    reboot
568

    
569
  PM3-2 (Line0 is a slave line, and Line1 contains the secondary
570
  D channel):
571
    set line0 nfas slave 2 1
572
    set line1 nfas secondary 3 1
573
    save all
574
    reboot
575

    
576
NFAS bundle #2 (without DCBU)
577
  PM3-3 (Line0 contains the primary D channel, and Line1 is a
578
  slave line):
579
    set line0 nfas primary 0 2
580
    set line1 nfas slave 1 2
581
    save all
582
    reboot
583

    
584
  PM3-4 (Line0 and Line1 are slave lines):
585
    set line0 nfas slave 2 2
586
    set line1 nfas slave 3 2
587
    save all
588
    reboot
589

    
590

    
591
_______ Displaying General NFAS Information
592

    
593
Several commands are available to display statistics and information
594
specific to NFAS operation.
595

    
596
  show nfas
597

    
598
The "show nfas" command displays neighboring PortMaster products 
599
in the same NFAS group as this one and shows in-service D channel 
600
information and slave status.
601

    
602
  show nfas history
603

    
604
The "show nfas history" command displays the last 40 significant
605
messages exchanged between this PortMaster and its neighbors.
606

    
607
  show nfas stat
608

    
609
The "show nfas stat" command displays the status of NFAS calls for
610
PortMaster products in the same group(s) as this one.
611

    
612

    
613
_______ Displaying NFAS Debugging Information
614

    
615
A new debug command has been added to aid in diagnosing problems that
616
might occur in testing.
617

    
618
set debug nfas on | off
619

    
620
This command enables or disables the logging of NFAS events to the
621
console. Remember to use "set console" before using this command, 
622
and "reset console" after turning off the debug process.
623

    
624

    
625
_______________ Configuring L2TP
626

    
627
ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol
628
(L2TP). You can configure the PortMaster 3 as both an L2TP access
629
concentrator (LAC) and an L2TP network server (LNS).
630

    
631
The implementation of L2TP in ComOS 3.9b26 is based on the latest IETF
632
L2TP draft (revision 12 and 13 as of this writing). For specific
633
details of operation and protocol implementation of L2TP, refer to the
634
IETF Internet-Drafts.
635

    
636
L2TP allows PPP frames to be tunneled as follows from one PortMaster
637
that answers an incoming call (the LAC) to another PortMaster that
638
processes the PPP frames (the LNS):
639

    
640
End user--->incoming call--->LAC--->LNS--->network access
641

    
642
NOTE: None of the IP addresses or networks used in the examples in 
643
this section are intended to refer to any actual real-world company 
644
or network assignment.
645

    
646

    
647
_______ Description and Applications
648

    
649
The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP
650
connections, to separate the functionality normally provided by a
651
single network access server (NAS) into two parts:
652

    
653
 * The L2TP access concentrator (LAC) provides the "physical"
654
   connection point between the telephone network (and therefore the
655
   dial-in user) and the host network.
656

    
657
 * The L2TP network server (LNS) terminates the PPP sessions and
658
   handles the "server-side" of the connection, such as authentication
659
   of the user, routing network traffic to and from the PPP user, and
660
   so forth. The LNS does not have any physical ports, only virtual 
661
   interfaces.
662

    
663
An outsourcer can use L2TP to provide dial-up ports to customers 
664
using a central, "shared" common physical dial-up pool. The pool 
665
resides in a shared access server (the LAC). The outsourcer's 
666
customers maintain a home gateway (the LNS) and some type of 
667
IP connectivity to the outsourcer. L2TP provides virtual dial-up 
668
ports to the outsourcer's customers. This use of L2TP is sometimes 
669
referred to as a virtual private dial-up network (VPDN).
670

    
671
The service is transparent to the customer because users still
672
terminate PPP sessions on the customer network via the LNS.  RADIUS
673
authentication and accounting and IP address assignment are all done by
674
the customer. The LAC does no PPP processing unless it is using partial
675
authentication for determining the tunnel end point. It only accepts
676
the call and establishes a tunnel to the LNS for that PPP session. The
677
tunnel can be established based upon Called-Station-Id or User-Name
678
(where partial authentication occurs on the LAC before tunnel
679
establishment).
680

    
681
For example, if you use Called-Station-Id and call-check with L2TP,
682
the session follows these steps:
683

    
684
1. The end user places a call.
685

    
686
2. The LAC detects the incoming call.
687

    
688
3. The LAC using call-check sends an authentication request to a 
689
   RADIUS server containing the Called-Station-Id and 
690
   Calling-Station-Id check items before answering the call.
691

    
692
4. If the RADIUS server accepts the user, an access-accept message
693
   is returned to the LAC along with information on how to create the
694
   L2TP tunnel for this session: the type of tunnel, IP address of the
695
   LNS, and so on.
696

    
697
5. The LAC then creates a tunnel to the LNS by encapsulating the PPP
698
   frames into IP packets and forwarding those packets to the LNS.
699

    
700
6. The LNS negotiates PPP normally with the end user.
701

    
702

    
703
_______ RADIUS Dictionary Updates for L2TP
704

    
705
Add the following lines to your RADIUS dictionary:
706

    
707
VALUE         Service-Type		Call-Check	10
708
VALUE         NAS-Port-Type		Virtual	5
709

    
710
ATTRIBUTE	Tunnel-Type		64      integer
711
ATTRIBUTE	Tunnel-Medium-Type	65      integer
712
ATTRIBUTE	Tunnel-Server-Endpoint	67      string
713
ATTRIBUTE	Tunnel-Password		69      string
714

    
715
VALUE		Tunnel-Type		L2TP	3
716
VALUE		Tunnel-Medium-Type 	IP	1
717

    
718
The RADIUS daemon must be stopped and restarted to read the new
719
dictionary.
720

    
721

    
722
_______ RADIUS User Profiles for L2TP
723

    
724
The user profiles for the LNS are the same as for your users who do 
725
not use L2TP.
726

    
727
For the LAC, some new user profiles are required. Exactly which 
728
additional user profiles you add depend on whether you are 
729
using call-check or partial username-based tunneling on the LAC. 
730
The following profiles can be used on the RADIUS server serving 
731
the LAC for either approach:
732

    
733
# Using Called-Station-Id with Call-Check to route callers who dial
734
# 555-1313 to the LNS "172.16.1.221".
735
# Note that the LNS address must be enclosed in double quotation 
736
# marks because it is sent as a string, not as a 32-bit integer.
737

    
738
DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
739
        Service-Type = Framed-User,
740
        Framed-Protocol = PPP,
741
        Tunnel-Type = L2TP,
742
        Tunnel-Medium-Type = IP,
743
        Tunnel-Server-Endpoint = "172.16.1.221"
744

    
745
# Same as the previous profile, but with a shared secret to 
746
# authenticate the session to the LNS.
747

    
748
DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
749
        Service-Type = Framed-User,
750
        Framed-Protocol = PPP,
751
        Tunnel-Type = L2TP,
752
        Tunnel-Medium-Type = IP,
753
        Tunnel-Password = "mrsparkle",
754
        Tunnel-Server-Endpoint = "172.16.1.221"
755

    
756
In both user profiles, the first line contains the RADIUS check item,
757
with the Called-Station-ID being used to match the entry before the
758
call is answered. The L2TP tunnel parameters from the matching entry
759
are then sent in the RADIUS access-accept message.
760

    
761
The Tunnel-Type specifies the tunneling protocol to be used. The
762
Tunnel-Medium-Type specifies the transport medium over which the tunnel
763
is created, IP for now. Tunnel-Server-Endpoint indicates the other end
764
of the tunnel, the LNS in the case of L2TP.
765

    
766
Note that the LNS address must be enclosed in double quotation marks
767
because it is sent as a string, not as a 32-bit integer.
768

    
769
If you are not using call-check and are instead providing partial
770
authentication based on User-Name, the following user profile works.
771
The user "bgerald" dials in to the LAC, which initiates an L2TP tunnel
772
on the user's behalf to LNS 172.16.1.55.
773

    
774
bgerald Password = "wackamole"
775
        Tunnel-Type = L2TP,
776
        Tunnel-Medium-Type = IP,
777
        Tunnel-Server-Endpoint = "172.16.1.55"
778

    
779

    
780
_______ L2TP and RADIUS Accounting
781

    
782
The LAC and LNS both log user sessions to RADIUS accounting, but
783
different accounting data is available from each.
784

    
785
If you are using call-check to establish the tunnel, the LAC's
786
accounting data shows the Calling-Station-Id, but not the user's name,
787
because that information has not yet been passed over the link. The LNS
788
accounting data shows both the Calling-Station-Id and the User-Name
789
along with the assigned IP address.
790

    
791
If partial authentication (instead of call-check) is taking place on
792
the LAC, then the username might be available to it. In that case, the
793
username appears in the RADIUS accounting logs for both the LNS and the
794
LAC.
795

    
796
In both cases, the LNS shows the NAS-Port-Type as "Virtual", while the
797
LAC shows the NAS-Port-Type set to the connection type of the physical
798
interface.
799

    
800
The LNS starts its NAS-Port numbering at 100.
801

    
802

    
803
_______ Redundant Tunnel Server End Points
804

    
805
To increase the robustness of L2TP, a user profile can be configured to
806
contain redundant tunnel server end points. If the primary LNS fails,
807
inbound L2TP tunnels can be redirected to other machines.
808

    
809
Up to three redundant tunnel server end points can be specified.  Any
810
more than three are ignored by the LAC.
811

    
812
The following example shows a RADIUS user profile with multiple
813
redundant tunnel server end points. Each tunnel server end point is
814
preceded by the tunnel medium type for that tunnel.
815

    
816
DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"
817
        Service-Type = Framed-User,
818
        Framed-Protocol = PPP,
819
        Tunnel-Type = L2TP,
820
        Tunnel-Medium-Type = IP,
821
        Tunnel-Server-Endpoint = "192.168.11.2",
822
        Tunnel-Medium-Type = IP,
823
        Tunnel-Server-Endpoint = "192.168.11.17",
824
        Tunnel-Medium-Type = IP,
825
        Tunnel-Server-Endpoint = "192.168.230.97"
826

    
827
This feature provides redundant LNS backup, not load balancing.
828

    
829

    
830
_______ L2TP Command Summary
831

    
832
set l2tp noconfig | disable | enable lac | enable lns
833
set l2tp authenticate-remote on | off
834
set l2tp secret [ Password | none ]
835
show l2tp global | sessions | stats | tunnels
836
reset l2tp [ stats | tunnel Number]
837
create l2tp tunnel udp Ipaddress [ Password | none]
838
set l2tp choose-random-tunnel-endpoint on | off
839
set debug l2tp max | packets [Bytes] | setup | stats
840

    
841
Use the following command to have the PortMaster load the L2TP 
842
feature on startup:
843

    
844
  set l2tp noconfig | disable | enable lac | enable lns
845

    
846
noconfig	Sets the PortMaster to have no L2TP 
847
		configuration.
848

    
849
disable		Sets L2TP off. L2TP is not used.
850

    
851
enable lac	Sets the PortMaster to be a LAC.
852

    
853
enable lns	Sets the PortMaster to be an LNS.
854

    
855
When the PortMaster is configured to be an LNS, the line ports are
856
configured for T1 and cannot be used for dial-in. The virtual S0 ports
857
follow the W1 ports.
858

    
859
Example:
860

    
861
Command 0> set l2tp enable lns
862
L2TP LNS will be enabled after next reboot
863

    
864
After using the "set l2tp" command, you must use the "save all" command
865
to save the configuration and the "reboot" command for the L2TP module
866
to load.
867

    
868

    
869
_______ Configuring L2TP to Initiate Authentication
870

    
871
The following command configures L2TP to initiate tunnel authentication:
872

    
873
  set l2tp authenticate-remote on | off
874

    
875
on	The PortMaster initiates authentication with the other end point
876
	of the tunnel before a tunnel is established. This is the default.
877

    
878
off	The PortMaster does not initiate authentication.
879

    
880
This command determines only whether the PortMaster initiates the
881
authentication. It does not determine how the PortMaster responds to
882
an authentication request. The "set l2tp authenticate-remote" command
883
functions the same on both a LAC and an LNS.
884

    
885

    
886
_______ Configuring an L2TP Secret
887

    
888
The "set l2tp secret" global command configures the L2TP password that
889
the PortMaster uses to respond to all L2TP tunnel authentication
890
requests. The L2TP secret takes effect only after you issue a 
891
"reset l2tp command.
892

    
893
  set l2tp secret Password | none
894

    
895
Password	String of up to 15 characters that the PortMaster
896
		uses to respond to L2TP tunnel authentication 
897
		requests.
898

    
899
none		Removes the L2TP secret. This is the default.
900

    
901
The "set l2tp secret" command sets the L2TP secret for the entire
902
PortMaster.
903

    
904
If a PortMaster configured as a LAC receives a tunnel authentication
905
request, it uses the Tunnel-Password from the RADIUS access-accept
906
packet, if present, instead of the global L2TP secret.
907

    
908

    
909
_______ Displaying L2TP Information
910

    
911
The following command shows information on how L2TP is functioning:
912

    
913
  show l2tp global | sessions | stats | tunnels
914

    
915
Examples:
916

    
917
Command> show l2tp global
918
debug packets debug stats debug setup
919
Tunnel Authentication Enabled
920
Initiation of Authentication Remote Tunnel Disabled
921
Default Board Configuration
922

    
923
Command> show l2tp sessions
924
Id  Assign-Id	Tunnel-IdPortname	State
925
31  21         	75	S1		ESTABLISHED  fl=8045
926

    
927
Command> show l2tp stats
928
NEW_SESSION 			1
929
NEW_TUNNEL 			4
930
TUNNEL_CLOSED 			3
931
HANDLE_CLOSED 			3
932
L2TP_STATS_MEDIUM_HANDLE 	3
933
INTERNAL_ERROR 			14
934
CTL_SEND    			9
935
CTL_REXMIT  			1
936
CTL_RCV     			10
937
MSG_CHANGE_STATE   		4
938
WRONG_AVP_VALUE 		3
939
EVENT_CHANGE_STATE 		3
940

    
941
Command> show l2tp tunnels
942
Id  Assign-IdHnd State      		#Ses	Server-Endpoint	Client-Endpoint
943
75  65	14 	L2T_ESTABLISH	1	192.168.6.13	192.168.10.28
944

    
945

    
946
_______ Resetting L2TP
947

    
948
Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP
949
statistics counters.
950

    
951
  reset l2tp [ stats | tunnel Number ]
952

    
953
stats		Resets the L2TP counters displayed by "show l2tp 
954
		stats" to zero.
955

    
956
tunnel		If no tunnel ID is specified, all L2TP tunnels are
957
		destroyed and all related PPP sessions are terminated.
958

    
959
Number		A tunnel ID from 1 to 100. If a tunnel ID is specified, 
960
		only that one tunnel is destroyed. The "show l2tp 
961
		tunnels" command displays a list of active tunnel IDs.
962

    
963

    
964
_______ Creating an L2TP Tunnel Manually
965

    
966
The following command manually brings up an L2TP tunnel for testing 
967
and troubleshooting:
968

    
969
  create l2tp tunnel udp Ipaddress [ Password | none ]
970

    
971
Ipaddress	IP address of the L2TP tunnel end point.
972

    
973
Password	Password that the PortMaster uses when 
974
		responding to a tunnel authentication request 
975
		from the tunnel end point. If no password 
976
		is specified, the global L2TP secret is used if
977
		configured.
978

    
979
none		Sets the PortMaster to use the L2TP secret
980
		configured for it with the "set l2tp secret"
981
		command. This is the default.
982

    
983
Example:
984

    
985
Command> create l2tp tunnel udp 149.198.110.19
986
OK
987

    
988

    
989
_______ Selecting a Tunnel End Point
990

    
991
The following command determines in what order to choose an end point
992
when multiple tunnel end points are returned in a RADIUS access-accept
993
packet.
994

    
995
  set l2tp choose-random-tunnel-end point on | off
996

    
997
on	Causes the tunnel end point to be chosen randomly from the list
998
	of tunnel end points returned by RADIUS.
999

    
1000
off	Selects the first tunnel end point that can be reached.
1001

    
1002
Normally, when L2TP is configured with multiple tunnel end points, the
1003
end points are chosen serially, always beginning with the first. If a
1004
tunnel cannot be established with the first, then the second is tried,
1005
and then the third. When this feature is enabled, a random tunnel end
1006
point is selected from those returned in the RADIUS access-accept
1007
packet.
1008

    
1009

    
1010
_______ Debugging L2TP
1011

    
1012
The following command is used to troubleshoot L2TP problems:
1013

    
1014
  set debug l2tp max | packets Bytes | setup | stats
1015

    
1016
max		Provides the same debugging as setup, packets, 
1017
		and stats combined.
1018

    
1019
packets		Shows a representation of the L2TP packets, similar to
1020
		the "ptrace dump" command.
1021

    
1022
Bytes		0 to 1500, number of bytes to display.
1023

    
1024
setup		Shows L2TP control messages and errors.
1025

    
1026
stats		Displays information that appears in "show l2tp stats"
1027
		in more detail.
1028

    
1029
Remember to use "set console" before using this command, and 
1030
"reset console" after turning off the debug process.
1031

    
1032

    
1033
_______________ Configuring VPN Tunneling 
1034

    
1035
ComOS 3.9b26 on the PortMaster 3 supports virtual private networks
1036
(VPNs) and IP Security (IPSec). A properly configured PortMaster is
1037
capable of tunneling using the IP Encapsulation within IP (IPIP) and
1038
IPSec protocols and a Lucent proprietary Proxy Tunnel protocol.
1039
Tunneling allows you to create custom network topologies that are
1040
independent of the underlying physical topology of the network, with or
1041
without additional security and authentication.
1042

    
1043
For example, you can use VPN and IPSec to do the following on a
1044
PortMaster 3:
1045

    
1046
* Encapsulate, encrypt, and/or authenticate IP packets
1047

    
1048
* Outsource tunnels by user, location, or interface
1049

    
1050
* Redirect packets in the clear
1051

    
1052
* Perform UDP packet-forwarding services
1053

    
1054
IPSec tunneling encapsulates, encrypts, and/or authenticates IP
1055
packets.
1056

    
1057
IPIP ("IP within IP") tunneling encapsulates IP packets inside IP
1058
packets, with no encryption or authentication.
1059

    
1060
Proxy Tunnel is a Lucent proprietary tunneling protocol. Proxy 
1061
Tunnel places IP packets into UDP packets with the RSA Data 
1062
Security, Inc. MD5 Message-Digest Algorithm signature for 
1063
authentication.
1064

    
1065

    
1066
_______ Security Associations
1067

    
1068
The security of the communications between two nodes is described
1069
manually by a security association (SA) table entry. This security
1070
association describes the parameters necessary to accomplish the
1071
desired security (security association bundle) between a pair of
1072
gateway nodes. Multiple security associations can be created to match
1073
different security policies for different peers or types of traffic.
1074

    
1075
The following files are created in the PortMaster nonvolatile RAM file
1076
system:
1077

    
1078
vpn		Contains the saved security association table.
1079
random		Contains random seed data for the next reboot.
1080
mipsboot	Encryption card image.
1081

    
1082

    
1083
_______ VPN Command Summary
1084

    
1085
Use the following commands to configure VPN security associations. 
1086
The commands for configuring security profiles are listed in the section 
1087
"Configuring Security Profiles."
1088

    
1089
show sa Saname
1090
show table sa
1091
show ipsec modules
1092

    
1093
add sa Saname
1094
delete sa Saname
1095
reset ipsec  [Ether0 | S0 | W1] 
1096

    
1097
set sa Saname ah-inb-key | ah-inbound-key Key/[Bits] | random 
1098
set sa Saname ah-inb-spi | ah-inbound-spi SPI
1099
set sa Saname ah-outb-key | ah-outbound-key Key/[Bits] | random
1100
set sa Saname ah-outb-spi | ah-outbound-spi SPI
1101
set sa Saname esp-inb-key | esp-inbound-key Key/[Bits] | random
1102
set sa Saname esp-inb-spi | esp-inbound-spi SPI
1103
set sa Saname esp-outb-key | esp-outbound-key Key/[Bits] | random
1104
set sa Saname esp-outb-spi | esp-outbound-spi SPI
1105

    
1106
set sa Saname local-address @ether0 | @ipaddress
1107
set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none
1108
set sa Saname peer-identifier Ipaddress
1109
set sa Saname proxy-destport Uport
1110
set sa Saname proxy-localport Uport
1111
set sa Saname proxy-secret Key/Bits
1112
set sa Saname sec-proposal Method1  [Method2]
1113

    
1114
Saname		Security association name up to 15 characters long.
1115

    
1116
Key		A number in decimal, hexadecimal or binary. 
1117

    
1118
Bits            	The key length in bits optionally follows the key
1119
		value, separated by a slash "/".
1120

    
1121
SPI		Number in decimal, hex or binary---a 32-bit value 256 or
1122
		higher.
1123

    
1124
Ether0		Ethernet interface.
1125

    
1126
Ipaddress	IP address in dotted decimal format, or hostname up to 
1127
		39 characters long.
1128

    
1129
Uport		UDP port between 1 and 65535.
1130

    
1131
Method1	Supported security method.
1132

    
1133
Method2	Supported security method.
1134

    
1135

    
1136
_______ Displaying Security Association Information
1137

    
1138
The "show sa Saname" command shows the entire configuration 
1139
for the security association called Saname. The output varies with 
1140
the protocol used for that security association. The command also 
1141
displays the status of the IPSec encryption card (PM3-VPN) if the 
1142
card is not installed or not operating correctly.
1143

    
1144
The "show table sa" command displays all security associations in a
1145
summary format.
1146

    
1147
The "show ipsec modules" command displays available Layer 3
1148
VPN tunneling methods. See the section titled "IPSec Commands" 
1149
for more information.
1150

    
1151

    
1152
_______ Creating Security Associations
1153

    
1154
Use the following commands to create the security association and
1155
define the mode (protocol) that it uses:
1156

    
1157
  add sa Saname
1158
  set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none
1159

    
1160
The "set sa Saname mode" command can also be used to change 
1161
the mode of an existing security association. Setting the security 
1162
association mode erases any keys that were previously associated 
1163
with this security association.
1164

    
1165
ipip-tunnel     	Encapsulates packets into other IP packets.
1166
		No security is provided. See the "IPIP 
1167
		Commands" section.
1168

    
1169
proxy-tunnel   	This is a Lucent proprietary tunneling protocol.
1170
		Proxy Tunnel places IP packets into UDP packets 
1171
		with an MD5 signature for authentication. See the 
1172
		"Proxy Tunnel Commands" section.
1173

    
1174
sec-ipip-tunnel	Encapsulates packets using the IPSec protocols in
1175
		tunnel mode.  See the "IPSec Commands" section.
1176

    
1177
none           	Null configuration mode. Packets received on
1178
		this security association are dropped.
1179

    
1180

    
1181
_______ Deleting Security Associations
1182

    
1183
The following command deletes a security association:
1184

    
1185
  delete sa Saname
1186

    
1187

    
1188
_______ Common Security Association Configuration Commands
1189

    
1190
Each security association has a few common commands, and a few 
1191
mode-specific commands. The common commands are listed in this 
1192
section.
1193

    
1194
The following command sets the IP address of the peer at the other 
1195
end of this tunnel.
1196

    
1197
  set sa Saname peer-identifier Ipaddress
1198

    
1199
The following command sets the IP address of this end of this tunnel.
1200
The default is to use the address of the Ether0 interface.
1201

    
1202
  set sa local-address @ether0 | @ipaddress
1203

    
1204

    
1205
_______ IPSec Commands
1206

    
1207
To set up a security association using IPSec, you must configure 
1208
the following information. First, create the security association
1209
and set the mode to "sec-ipip-tunnel" as follows:
1210

    
1211
  add sa Saname
1212
  set sa Saname mode sec-ipip-tunnel
1213

    
1214
Security Parameter Index:
1215

    
1216
The security parameter index (SPI) is a 32-bit number. The first 256
1217
values are reserved and cannot be entered by users. The inbound SPI
1218
set on an IPSec gateway must match the outbound SPI set on the peer.
1219
Be careful not to assign the same SPI to two security associations on
1220
the same PortMaster.
1221

    
1222
  set sa Saname ah-inb-spi | ah-inbound-spi SPI
1223
  set sa Saname ah-outb-spi | ah-outbound-spi SPI
1224
  set sa Saname esp-inb-spi | esp-inbound-spi SPI
1225
  set sa Saname esp-outb-spi | esp-outbound-spi SPI
1226

    
1227
Examples:
1228

    
1229
Command> set sa net172 esp-inbound-spi 11111111
1230
Command> set sa net172 esp-outbound-spi 11110000
1231
Command> set sa net172 ah-inbound-spi 11112222
1232
Command> set sa net172 ah-outbound-spi 22220000
1233

    
1234
AH and ESP Protocols:
1235

    
1236
Configure the security association to define the methods used for 
1237
the Authentication Header (AH) and Encapsulating Security Payload 
1238
(ESP) protocols.
1239

    
1240
ESP is the method used to encrypt the actual data (the "payload")
1241
contained in a packet.
1242

    
1243
AH is used to authenticate a packet. Authentication guarantees that
1244
the packet comes from the node with which you share a security
1245
association and was not tampered with during transit.
1246

    
1247
Use the "show ipsec module" command to see which methods are 
1248
available.
1249

    
1250
To use both ESP and AH together, specify two methods. Otherwise, 
1251
just specify one in the following command:
1252

    
1253
  set sa Saname sec-proposal Method [ Method2 ]
1254

    
1255
The following methods are supported in ComOS 3.9b26:
1256

    
1257
esp-des			Sets the ESP protocol for a security 
1258
			association using the US Data Encryption
1259
			Standard-cipher block chaining (DES-CBC)
1260
			encryption algorithm defined in RFC 2405.
1261
			The keys must be exactly 64 bits in length.
1262

    
1263
esp-des-rfc1827		Uses the DES-CBC encryption protocol 
1264
			defined in RFC 1827 and RFC 1829. The 
1265
			keys must be exactly 64 bits in length.
1266

    
1267
esp-3des		Sets the ESP protocol for a security 
1268
			association using the Triple DES-CBC
1269
			(3DES) encryption algorithm defined in
1270
			RFC 2451. The keys must be exactly 
1271
			192 bits in length.
1272

    
1273
esp-3des-rfc1827		Uses the 3DES encryption protocol.
1274
			The keys must be exactly 192 bits in length.
1275

    
1276
ah-md5			Sets the AH protocol for a security 
1277
			association using MD5 and authentication
1278
			methods defined in RFC 2403. The keys 
1279
			must be exactly 128 bits in length.
1280

    
1281
ah-md5-rfc1826         	Uses the MD5 hashing protocol
1282
			defined in RFC 1826 and 1828. The keys 
1283
			must be exactly 128 bits in length.
1284

    
1285
ah-sha			Sets the AH protocol for a security
1286
			association using the Secure Hash
1287
			Algorithm (SHA-1 defined in RFC 2404.
1288
			The keys must be exactly 160 bits long.
1289

    
1290
Use the following commands to set inbound and outbound keys for the
1291
chosen protocols:
1292

    
1293
  set sa Saname esp-inbound-key Key/[Bits] | random
1294
  set sa Saname esp-outbound-key Key/[Bits] | random
1295
  set sa Saname ah-inbound-key Key/[Bits] | random
1296
  set sa Saname ah-outbound-key Key/[Bits] | random
1297

    
1298
Saname	Security association name up to 15 characters long.
1299

    
1300
Key		Decimal, hexadecimal, or binary key. The secret
1301
		shared between the ends of a security association.
1302

    
1303
/Bits		The key length in bits optionally follows the key 
1304
		value.
1305

    
1306
random		Applies a randomly generated key and key length that 
1307
		match the requirements for the specified encryption
1308
		method.
1309

    
1310
Example:  
1311

    
1312
Command> set sa net172 esp-inbound-key 0x0123456789abcd/64
1313
Command> set sa net172 esp-outbound-key 0x0123456789abcd/64 
1314
Command> set sa net172 ah-inbound-key 0x0123456789abcd/128 
1315
Command> set sa net172 ah-outbound-key 0x0123456789abcd/128 
1316

    
1317
Although these examples use the same key for both inbound and 
1318
outbound, and for both ESP and AH, Lucent recommends that you use 
1319
different keys for each of these.
1320

    
1321

    
1322
_______ Entering Static Keys
1323

    
1324
You can enter keys as the following types of numbers:
1325

    
1326
* Hexadecimal (hex)---base 16, starting with 0x
1327
* Decimal (the default)---base 10
1328
* Binary---base 2, starting with 0b
1329

    
1330
The key value is followed by a slash ("/") and the key length 
1331
in bits.
1332

    
1333
For example:
1334
* 0x12345678/32 is a 32-bit key in hexadecimal.
1335
* 346345/64 is a 64-bit key in decimal.
1336
* 0b1000001/64 is a 64-bit key in binary.
1337

    
1338
Keys must fall on 8-bit boundaries. Some protocols allow only 
1339
specific key lengths, while others allow a range of lengths. ESP 
1340
and AH protocols require specific key lengths. See the section 
1341
"AH and ESP Protocols" for more information. 
1342

    
1343
Keys are displayed in hexadecimal format. High-order bits not 
1344
specified are zero-filled. For example, 0x12/32 is the same as 
1345
0x00000012/32. Once the key is entered, you cannot see it again.
1346

    
1347
The security of your network depends on picking appropriate keys. 
1348
You can have the PortMaster generate a key by using the special key 
1349
value "random".  For example:
1350

    
1351
  set sa Saname esp-inbound-key random
1352

    
1353
This command generates a random key of the correct length for the
1354
protocol. You must then copy this key to the peer in a secure fashion.
1355

    
1356
NOTE: To configure secure keys and avoid unintended typing errors, 
1357
Lucent recommends that you set a random value for each key on one 
1358
node and then copy and paste it on the other node.
1359

    
1360

    
1361
_______ IPIP Commands
1362

    
1363
To use the IPIP protocol, set the security association to IPIP mode
1364
using the following command:
1365

    
1366
  set sa Saname mode ipip-tunnel
1367

    
1368

    
1369
_______ Proxy Tunnel Commands
1370

    
1371
To use the Lucent proprietary Proxy Tunnel protocol, set the 
1372
security association mode using the following command:
1373

    
1374
  set sa Saname mode proxy-tunnel
1375

    
1376
Each end of the tunnel chooses a UDP port between 1 and 65535 for
1377
sending and receiving packets. Lucent strongly recommends using a 
1378
port that does not conflict with well-known services. The same port 
1379
number can be used at both ends, if desired.
1380

    
1381
  set sa Saname proxy-localport Uport
1382
  set sa Saname proxy-destport Uport
1383

    
1384
Each end of the tunnel chooses a shared secret and configures it.
1385
Lucent supports secrets from 32 to 128 bits long, and each secret
1386
must be a multiple of 8 bits long.
1387

    
1388
  set sa Saname proxy-secret Key/Bits
1389

    
1390
Saname	Security association name up to 15 characters long.
1391

    
1392
Key		Number in decimal, hexadecimal, or binary. The secret
1393
		shared between the ends of a security association.
1394

    
1395
/Bits		Key length in bits.
1396

    
1397
Uport		UDP Port between 1 and 65535.
1398

    
1399
Example:
1400

    
1401
Command> add sa lu77
1402
Command> set sa lu77 proxy-tunnel
1403
Command> set sa lu77 proxy-localport 1050
1404
Command> set sa lu77 proxy-destport 1051
1405
Command> set sa lu77 proxy-secret 0x123456789/64
1406

    
1407

    
1408
_______ Configuring Security Profiles
1409

    
1410
A security profile defines the security association and policy 
1411
filter used on a router interface. A profile can be attached directly to 
1412
a network interface, user, or location, or can be assigned to a user  
1413
with RADIUS. Security profiles use the security association and policy  
1414
filters to transfer packets. Profile names can be up to 15 characters 
1415
long.
1416

    
1417
Use the following commands to configure security profiles:
1418

    
1419
  show table sec-profile
1420
  show sec-profile Profile
1421
  show ipsec statistics
1422
  add sec-profile Profile
1423
  delete sec-profile Profile
1424

    
1425
  set Ether0 | S0 | W1 ipsec active-profile Profile
1426
  set user Username ipsec active-profile Profile
1427
  set location Locname ipsec active-profile Profile
1428

    
1429
  set sec-profile Profile blank
1430
  set sec-profile Profile Profilerule pfilter | policy-filter Filtername |
1431
none
1432
  set sec-profile Profile Profilerule static-sa  Saname | none
1433
  
1434
  set Ether0 | S0 | W1 ipsec outsource-profile Profile
1435
  set user Username ipsec outsource-profile Profile
1436
  set location Locname ipsec outsource-profile Profile
1437
  
1438
  set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough
1439
  set user Username ipsec pda drop | icmp reject | passthrough
1440
  set location Locname ipsec pda drop | icmp reject | passthrough
1441

    
1442
Profile		Security profile name up to 15 characters long.
1443

    
1444
Profilerule	Rule number between 1 and 20.
1445

    
1446
Filtername	Policy filter name up to 15 characters long.
1447

    
1448
Saname		Security association name up to 15 characters long.
1449

    
1450

    
1451
________ Displaying Security Profile Information
1452

    
1453
The "show table sec-profile" command displays a summary of 
1454
all the security profiles.
1455

    
1456
The "show sec-profile Profile" command displays information about the
1457
security profile named.
1458

    
1459
The "show ipsec statistics" command displays a summary of all the
1460
security profiles and the traffic generated:
1461

    
1462
Router	Profile	Sec-AssocMode	In-pktsOut-pktsIn-BadOut-Dropped
1463
PortType		Name				Pkts  	Pkts
1464
--- ------------------------------------------------------------------
1465
ether0	Active-pr	local	sec-ip	3678	4534	0	0
1466
ptp0	Active-pr	remote	ipip	2987	3768	0	0
1467

    
1468

    
1469
_______ Adding Security Profiles
1470

    
1471
Use the following command to add a security profile:
1472

    
1473
  add sec-profile Profile
1474

    
1475
Profile	Security profile name up to 15 characters long.
1476

    
1477

    
1478
_______ Deleting Security Profiles
1479

    
1480
Use the following command to delete a security profile:
1481

    
1482
  delete sec-profile Profile
1483

    
1484
Profile	Security profile name.
1485

    
1486

    
1487
_______ Setting Security Profiles
1488

    
1489
Use the following commands to configure a security profile after
1490
adding it:
1491

    
1492
  set sec-profile Profile Profilerule policy-filter Filtername | none
1493
  set sec-profile Profile Profilerule static-sa Saname | none
1494

    
1495
A profile can be an active profile, a passive profile, or an outsource
1496
profile.
1497

    
1498
You assign an active profile to a user, location, or interface that is
1499
configured as an end point of a tunnel. An active profile is applied to
1500
outbound traffic and identifies a set of peers with which the
1501
PortMaster knows how to communicate.
1502

    
1503
Passive profiles are not supported in this release.
1504

    
1505
You assign an outsource profile to a user, location, or interface that
1506
is not configured as an end point of a tunnel. An outsource profile
1507
refers to security associations established from any port of the
1508
PortMaster, based on the inbound traffic on a port. The policies set
1509
are based on the wire traffic, just as with the policies on other
1510
profiles.
1511

    
1512

    
1513
_______ Policy Filters
1514

    
1515
Policy filters determine which data the PortMaster sends through its
1516
security profiles. Policy filtering takes place right before the
1517
PortMaster routes a packet. The packet is compared against all the
1518
defined policy filters in a security profile. If none apply, the packet
1519
is routed as usual, without any VPN processing.
1520

    
1521
NOTE: You must be very careful to not create security filters that
1522
might overlap each other in their coverage. For example, IP address
1523
ranges in two filters might overlap. If two filters overlap, only one
1524
security association is applied to the packet and you cannot determine
1525
which one.
1526

    
1527
Policy filters are created like packet filters. For example, to process
1528
all packets destined for the network 10.200.1.0/24, you can create the
1529
following filter:
1530

    
1531
  add filter internal.sec
1532
  set filter internal.sec 1 permit 0.0.0.0/0 10.200.1.0/24
1533

    
1534
Then you add and configure your security profile "examplespf":
1535

    
1536
  set sec-profile examplespf 1 policy-filter internal.sec
1537

    
1538
You can also selectively process only certain types of traffic and not
1539
others using "deny" statements.  For example, you might use the 
1540
following filter to encrypt all traffic except packets to TCP port 80 
1541
for HTTP:
1542

    
1543
  add filter internal.sec
1544
  set filter internal.sec 1 deny tcp dst eq 80
1545
  set filter internal.sec 2 permit
1546

    
1547
A "deny" keyword in a policy filter does not block packets that meet 
1548
its criteria. Instead, the "deny" keeps the security association from 
1549
being applied to those packets and passes the IP traffic through, 
1550
unprocessed. If you want to block the traffic entirely, you must place 
1551
input or output packet filters on the appropriate interface(s).
1552

    
1553

    
1554
_______ Policy Deny Action
1555

    
1556
Use the following commands to determine what to do with packets 
1557
denied by policy filters.
1558

    
1559
  set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough
1560
  set user Username ipsec pda drop | icmp reject | passthrough
1561
  set location Locname ipsec pda drop | icmp reject | passthrough
1562

    
1563
drop		The PortMaster drops packets that do not fit the
1564
		security profile. This is the default.
1565

    
1566
icmpreject	The PortMaster rejects packets that do not fit the 
1567
		security profile and sends an ICMP reject message to 
1568
		inform the remote end of the tunnel.
1569

    
1570
passthrough	The PortMaster transmits the packets with no VPN
1571
		processing, even if they do not fit the security profile.
1572

    
1573

    
1574
_______ Filter Extensions
1575

    
1576
The IPSec and IPIP protocols use their own protocols on top of IP,
1577
instead of using UDP or TCP. You can filter these protocols in packet
1578
filter rules, as in this example:
1579

    
1580
  add filter eg
1581
  set filter eg 1 permit  esp
1582
  set filter eg 2 permit  ah
1583
  set filter eg 3 permit  ipip
1584

    
1585
You can also specify the protocol number in the filter as in
1586
this example:
1587

    
1588
  set filter eg 4 permit proto 4
1589

    
1590
IPIP is protocol type 4, ESP is protocol type 50, and AH is protocol
1591
type 51.
1592

    
1593

    
1594
_______ Attaching a Security Profile to a Network Interface
1595

    
1596
Use the following command to attach a security profile to a network
1597
interface:
1598

    
1599
  set S0 | W1 | Ether0 ipsec active-profile Profile
1600

    
1601
S0		Serial port.
1602

    
1603
W1		Synchronous serial port.
1604

    
1605
Ether0		Ethernet interface.
1606

    
1607
Profile		Security profile name.
1608

    
1609

    
1610
_______ Attaching a Security Profile to a User
1611

    
1612
Use the following command to attach a security profile to a user so
1613
that when the user logs in, the profile is attached to the user's
1614
interface:
1615

    
1616
  set user Username ipsec outsource-profile Profile
1617

    
1618
Username	Name of a user in the user table.
1619

    
1620
Profile		Security profile name.
1621

    
1622

    
1623
_______ Attaching a Security Profile to a Location
1624

    
1625
Use the following command to attach a security profile to a location so
1626
that when the PortMaster connects to that location, the profile is
1627
attached to the resulting interface.
1628

    
1629
  set location Locname ipsec outsource-profile Profile
1630

    
1631
Locname	Name of a location in the location table.
1632

    
1633
Profile		Security profile name.
1634

    
1635

    
1636
_______ Resetting VPN on a Port
1637

    
1638
The following command resets any VPN settings on the designated port:
1639

    
1640
  reset ipsec S0
1641

    
1642
S0	Port name.
1643

    
1644

    
1645
_______ Debugging and Troubleshooting VPN
1646

    
1647
The profiles keep statistics of their traffic. Use the "show ipsec
1648
statistics" command to show how much traffic was sent or received, 
1649
and any invalid packets.
1650

    
1651
Use the "set console" command, along with the following debug 
1652
commands, to display any errors generated:
1653

    
1654
  set debug ipsec-max | ipsec-packets | ipsec-state [ on | off ]
1655
  show ipsec modules
1656

    
1657
The following command turns on all VPN debugging:
1658

    
1659
  set debug ipsec-max on
1660

    
1661
The following command shows packets processed by the VPN 
1662
subsystem:
1663

    
1664
  set debug ipsec-packets on
1665

    
1666
The following command shows state changes in the processor in the
1667
IPSec encryption card:
1668

    
1669
  set debug ipsec-state on
1670

    
1671
Remember to use "reset console" after turning off the debug process.
1672

    
1673
The following command shows which protocols are in this ComOS, and
1674
provides version information for the "mipsboot" file that is run on the
1675
IPSec encryption card (PM3-VPN):
1676

    
1677
  show ipsec modules
1678

    
1679

    
1680
_______ VPN Logging
1681

    
1682
Use the following commands to enable and disable the logging of 
1683
VPN packet transmissions and rejections at a specified PortMaster
1684
interface, location, or user:
1685

    
1686
  set Ether0 | S0 | W1 ipsec log safail | sasuccess | syslog | console on |
1687
off 
1688
  set location Locname ipsec log safail | sasuccess | syslog | console on |
1689
off 
1690
  set user Username ipsec log safail | sasuccess | syslog | console  on | off 
1691

    
1692
The "safail" and "console" options are on by default.
1693

    
1694
safail		Logs the inbound and outbound packets that are
1695
		rejected by the security association.
1696

    
1697
sasuccess	Logs the inbound and outbound packets that are
1698
		sucessfully transmitted.
1699

    
1700
syslog		Sends the log to syslog.
1701

    
1702
console		Displays the log to the console.
1703

    
1704

    
1705
_______ Using RADIUS with VPN
1706

    
1707
VPN parameters can be configured on a per-user basis with RADIUS.
1708
You must be running the Lucent RADIUS 2.1 server or another 
1709
RADIUS server---such as the NavisRadius(TM) product---that 
1710
supports vendor-specific attributes.
1711

    
1712
Add the following lines to your RADIUS dictionary, then stop and
1713
restart your RADIUS server:
1714

    
1715
ATTRIBUTE       Vendor-Specific         	26      string
1716

    
1717
ATTRIBUTE       LE-Terminate-Detail	2   string  Livingston
1718
ATTRIBUTE       LE-Advice-of-Charge	3   string  Livingston
1719
ATTRIBUTE       LE-Connect-Detail	4   string  Livingston
1720
ATTRIBUTE       LE-SA-Id		5   string  Livingston
1721
ATTRIBUTE       LE-IPSec-Log-Options	9   integer Livingston
1722
ATTRIBUTE       LE-IPSec-Policy-Deny	10  integer Livingston
1723
ATTRIBUTE       LE-IPSec-Active-Profile	11  string  Livingston
1724
ATTRIBUTE       LE-IPSec-Outsource-Profile	12  string  Livingston
1725
ATTRIBUTE       LE-IPSec-Passive-Profile	13  string  Livingston
1726

    
1727
#
1728
#       IPSEC PROTOCOL TYPES
1729
#
1730
VALUE           LE-IPSec-Log-Options    SA-Success-On	1
1731
VALUE           LE-IPSec-Log-Options    SA-Failure-On		2
1732
VALUE           LE-IPSec-Log-Options    Console-On		3
1733
VALUE           LE-IPSec-Log-Options    Syslog-On		4
1734

    
1735
VALUE           LE-IPSec-Log-Options    SA-Success-Off 	5
1736
VALUE           LE-IPSec-Log-Options    SA-Failure-Off		6
1737
VALUE           LE-IPSec-Log-Options    Console-Off 		7
1738
VALUE           LE-IPSec-Log-Options    Syslog-Off 		8
1739

    
1740
#
1741
#       IPSEC POLICY DENY ACTION VALUES
1742
#
1743
VALUE           LE-IPSec-Policy-Deny            Drop		1
1744
VALUE           LE-IPSec-Policy-Deny            ICMP-Reject	2
1745
VALUE           LE-IPSec-Policy-Deny            Pass-Through	3
1746

    
1747
Each RADIUS attribute or value corresponds to its command line 
1748
equivalent. Refer to the usage information on a particular VPN 
1749
command in this release note for more information. 
1750

    
1751
Here is a sample RADIUS user profile for a user configured for VPN:
1752

    
1753
pepi    Password = "notpepzi"
1754
        Service-Type = Framed-User,
1755
        Framed-Protocol = PPP,
1756
        Framed-IP-Address = 255.255.255.254,
1757
        Framed-IP-Netmask = 255.255.255.255,
1758
        LE-IPSec-Log-Options = Console-On,
1759
        LE-IPSec-Outsource-Profile = "mypro"
1760

    
1761

    
1762
_______ Example VPN Tunneling Configurations
1763

    
1764
The following are three examples of VPN configuration. In each
1765
example, a remote office is configured to connect back to headquarters
1766
via an ISP. The first example uses an IPSec tunnel, the second uses an
1767
IPIP tunnel, and the third uses a Proxy Tunnel tunnel.
1768

    
1769
The remote office has a Frame Relay connection to a nearby ISP. The
1770
office has been assigned the network 192.168.1.0/24. The corporate
1771
headquarters uses the network 172.16.0.0/16. Headquarters uses the
1772
packet filter rules for the AH and ESP protocols to configure a
1773
firewall that allows VPN traffic from the 192.168.1.0/24 network to
1774
pass through. Each location is using a PortMaster 3.
1775

    
1776
NOTE: These examples use simple keys for readability. For best results
1777
in your configurations, take advantage of the full length of the key.
1778

    
1779
NOTE: None of the IP addresses or networks used in the examples are 
1780
intended to refer to any actual real-world company or network 
1781
assignment.
1782

    
1783
Example 1 -- Using IPSec
1784

    
1785
Both locations are using the PortMaster 3 with the IPSec encryption 
1786
card and need to do both encryption (ESP) and authentication (AH) 
1787
using DES and MD5. The headquarters firewall is configured to allow 
1788
IPSec traffic from the 192.168.1.0/24 network through, using the packet 
1789
filter rules for AH and ESP.
1790

    
1791
* On the remote PortMaster 3, create security association "corp" with
1792
appropriate SPIs, keys, and filter. Then create security profile
1793
"corp-pro" and attach it to a synchronous serial port.
1794

    
1795
* On the PortMaster at headquarters, create security association 
1796
"remote" with appropriate SPIs, keys, and filter. Then create security 
1797
profile "remote-pro" and attach it to a synchronous serial port.
1798

    
1799
pm3-remote (192.168.1.254):
1800
  add sa corp
1801
  set sa corp mode sec-ipip-tunnel
1802
  set sa corp peer-identifier 172.16.1.1
1803
  set sa corp esp-inbound-spi 1001
1804
  set sa corp esp-outbound-spi 1002
1805
  set sa corp ah-inbound-spi 2001
1806
  set sa corp ah-outbound-spi 2002
1807
  set sa corp sec-proposal esp-des-rfc1827 ah-md5-rfc1826
1808
  set sa corp esp-inbound-key 0x9876543210/64
1809
  set sa corp esp-outbound-key 0x1234567890/64
1810
  set sa corp ah-inbound-key 0x98761234/128
1811
  set sa corp ah-outbound-key 0x12349876/128
1812

    
1813
  add filter corp.sec
1814
  set filter corp.sec 1 permit 192.168.1.0/24 172.16.0.0/16
1815

    
1816
  add sec-profile corp_pro
1817
  set sec-profile corp_pro 1 policy-filter corp.sec
1818
  set sec-profile corp_pro 1 static-sa corp
1819

    
1820
  set w0 ipsec active-profile corp_pro
1821
  save all
1822

    
1823
pm3-corp (172.16.1.1):
1824
  add sa remote
1825
  set sa remote mode sec-ipip-tunnel
1826
  set sa remote peer-identifier 192.168.1.254
1827
  set sa remote esp-inbound-spi 1002
1828
  set sa remote esp-outbound-spi  1001
1829
  set sa remote ah-inbound-spi 2002
1830
  set sa remote ah-outbound-spi 2001
1831
  set sa remote sec-proposal esp-des-rfc1827 ah-md5-rfc1826
1832
  set sa remote esp-inbound-key 0x1234567890/64
1833
  set sa remote esp-outbound-key 0x9876543210/64
1834
  set sa remote ah-inbound-key 0x12349876/128
1835
  set sa remote ah-outbound-key 0x98761234/128
1836

    
1837
  add filter remote.sec
1838
  set filter remote.sec 1 permit 172.16.0.0/16 192.168.1.0/24
1839

    
1840
  add sec-profile remote_pro
1841
  set sec-profile remote_pro policy-filter remote.sec
1842
  set sec-profile remote_pro 1 static-sa remote
1843

    
1844
  set w48 ipsec active-profile remote_pro
1845
  save all
1846

    
1847
Example 2 -- Using IPIP
1848

    
1849
For IPIP, create a new security associations "corp-ipip" and
1850
"remote-ipip." Then create an IPIP tunnel and add each new security
1851
association to the appropriate security profile as a static security
1852
association.
1853

    
1854
pm3-remote (192.168.1.254):
1855
  add sa corp_ipip
1856
  set sa corp_ipip mode ipip-tunnel
1857
  set sa corp_ipip peer-identifier 172.16.1.1
1858
  set sec-profile corp_pro 1 static-sa corp_ipip
1859

    
1860
pm3-corp (172.16.1.1):
1861
  add sa remote_ipip
1862
  set sa remote_ipip mode ipip-tunnel
1863
  set sa remote_ipip peer-identifier 192.168.1.254
1864
  set sec-profile remote_pro 1 static-sa remote_ipip
1865

    
1866
Example 3 -- Using Proxy Tunnel Protocol
1867

    
1868
For the Proxy Tunnel protocol, create a new security associations
1869
"corp-prox" and "remote-prox." Then create a proxy tunnel and add each
1870
new security association to the appropriate security profile as a static
1871
security association.
1872

    
1873
pm3-remote (192.168.1.254):
1874
  add sa corp_prox
1875
  set sa corp_prox mode proxy-tunnel
1876
  set sa corp_prox peer-identifier 172.16.1.1
1877
  set sa corp_prox proxy-localport 1050
1878
  set sa corp_prox proxy-destport 1051
1879
  set sa corp_prox proxy-secret 0x123456789/64
1880
  set sec-profile corp_pro 1 static-sa corp_prox
1881

    
1882
pm3-corp (172.16.1.1):
1883
  add sa remote_prox
1884
  set sa remote_prox mode proxy-tunnel
1885
  set sa remote_prox proxy-localport 1051
1886
  set sa remote_prox proxy-destport 1050
1887
  set sa remote_prox proxy-secret 0x123456789/64
1888
  set sec-profile remote_pro 1 static-sa remote-prox
1889

    
1890

    
1891
_______ VPN Security Concerns
1892

    
1893
Be aware of the following security concerns when using VPN:
1894

    
1895
* Denial of Service. If a large amount of random data has a valid SPI,
1896
the IPSec encryption card must decrypt the data and then dump 
1897
it as invalid. The unnecessary decryption degrades performance and 
1898
can cause denial of service for encrypted traffic. However, because  
1899
the CPU on the IPSec encryption card handles only encryption, 
1900
unencrypted traffic is not interrupted. Legitimate, but very heavy, 
1901
traffic can also cause this problem.
1902

    
1903
* No Byte Count. Most security protocols recommend that you do 
1904
not use the same key for more than a certain number of bytes, 
1905
depending on the protocol. Because the keys are manually configured, 
1906
ComOS does not count the bytes sent with each key. As a result, you 
1907
cannot automatically limit key use by byte count.
1908

    
1909

    
1910
_______ VPN References
1911

    
1912
The implementation of VPN in ComOS is based on the information in the
1913
following sources: 
1914

    
1915
* RFC 1321, The MD5 Message-Digest Algorithm
1916

    
1917
* RFC 1825, Security Architecture for the Internet Protocol
1918

    
1919
* RFC 1826, IP Authentication Header (AH)
1920

    
1921
* RFC 1827, IP Encapsulating Security Payload (ESP)
1922

    
1923
* RFC 1828, IP Authentication using Keyed MD5 (AH-MD5)
1924

    
1925
* RFC 1829, The ESP DES-CBC Transform (ESPDES)
1926

    
1927
* RFC 2003, IP Encapsulation within IP (IPIP)
1928

    
1929
* RFC 2403, The Use of HMAC-MD5-96 within ESP and AH
1930

    
1931
* RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
1932

    
1933
* RFC 2405, The ESP DES-CBC Cipher Algorithm with Explicit IV
1934

    
1935
* RFC 2451, The ESP CBC-Mode Cipher Algorithms
1936

    
1937
* "Applied Cryptography", Bruce Schneier. New York, NY: John Wiley and
1938
    Sons, Inc., 1994. (ISBN 0-471-59756-2):
1939
   - Diffie-Hellman algorithm
1940
   - DES algorithm and DES-CBC method
1941
   - Triple-DES (3DES)
1942

    
1943

    
1944
_______________ Configuring NAT
1945

    
1946
ComOS 3.9b26 supports the network address translator (NAT) based
1947
on RFC 2663.
1948

    
1949
The basic network address translator (basic NAT) capability maps IP
1950
addresses from one group to another, transparently to users and
1951
applications. The network address port translator (NAPT) capability
1952
is an extension to basic NAT in which multiple network addresses
1953
and their TCP and UDP ports are mapped to a single network
1954
address and its ports.
1955

    
1956
ComOS supports both basic NAT and NAPT for both outbound and 
1957
inbound sessions. It also supports an "outsource" mode in which all 
1958
NAT processing is done on the server-side of the connection.
1959

    
1960
NOTE: While this release note covers only the PortMaster 3, 
1961
other PortMaster products support NAT and might be used in the 
1962
examples in this section. None of the IP addresses or networks used 
1963
in the examples are intended to refer to any actual real-world company 
1964
or network assignment.
1965

    
1966

    
1967
_______ Quick Setup of Outbound NAPT ("Many-to-One")
1968

    
1969
Outbound NAPT is very common in a small office/home office (SOHO)
1970
situation. To configure, use the following command---entered all on one
1971
line:
1972

    
1973
    set Ether0 | S0 | W1 | location Locname | user Username
1974
    nat outmap defaultnapt
1975

    
1976
The port, location, or user is your connection to the outside world.
1977
For example, on a PortMaster dialing out to location "myisp" you enter
1978
the following:
1979

    
1980
    set location myisp nat outmap defaultnapt
1981

    
1982
Then connect normally. You must reset the port if the connection
1983
has already been established. If this is a dial-on-demand location,
1984
then you must also reboot the PortMaster, or follow the instructions 
1985
listed in the section "Handling Changes to On-Demand Locations."
1986

    
1987
With the "defaultnapt" NAT configuration, all the hosts behind the
1988
PortMaster will have their addresses translated to the IP address of
1989
the interface that is assigned to the location.
1990

    
1991

    
1992
_______ NAT Concepts
1993

    
1994
This section explains some of the NAT terminology and provides 
1995
hints to assist you in developing more complex NAT configurations.
1996

    
1997
For example, you might want to allow inbound connections---external
1998
connections into a web server that resides behind the PortMaster
1999
running NAT. Or you might need to renumber your network and want 
2000
to use basic NAT to avoid renumbering the entire network.
2001

    
2002
Private vs. Global IP Addresses:
2003

    
2004
Global IP addresses are accessible from anywhere on the Internet.  
2005
They are  "external" to the PortMaster running NAT---at another 
2006
branch office, for example---because NAT is not limited to the 
2007
Internet. External hosts do not generally recognize any internal 
2008
private IP addresses that you might have assigned to your local 
2009
hosts. Private IP addresses are usually taken from one of the 
2010
following ranges defined in RFC 1918, which are reserved specifically 
2011
for this purpose:
2012

    
2013
    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
2014
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
2015
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
2016

    
2017
Lucent strongly recommends numbering your private IP network(s) 
2018
with IP addresses from one of the reserved ranges rather then just 
2019
selecting IP addresses randomly.
2020

    
2021
Inbound vs. Outbound Sessions:
2022

    
2023
A "session" in NAT is considered either inbound or outbound:
2024

    
2025
* An inbound session is initiated to a client behind the NAT router by
2026
a host external to a private IP network.
2027

    
2028
* An outbound session is initiated to an external host by a client
2029
within the NAT-covered private IP network.
2030

    
2031
Basic NAT vs. NAPT:
2032

    
2033
Basic NAT does a one-to-one mapping of a private IP address to a 
2034
global IP address. You still must have a global IP address for every 
2035
host with a private IP address that needs to connect to an external 
2036
host at the same time.
2037

    
2038
With basic NAT, you can configure dynamic IP address pools from 
2039
which IP address allocations are made, allowing a number of private 
2040
hosts to use a (possibly) smaller pool of global IP addresses. Or you 
2041
can configure static IP address pools in which a static mapping exists 
2042
for each host, requiring the size of the pool to match the number of 
2043
hosts being translated.
2044

    
2045
If you configure a dynamic pool and have fewer global IP addresses
2046
available than total private hosts, you will have a shortage of IP
2047
addresses if all the hosts try to access the external network
2048
simultaneously. This possibility needs to be accounted for in your
2049
planning.
2050

    
2051
The network address port translator (NAPT) performs a many-to-one 
2052
"port translation." This capability allows any number of private 
2053
hosts to communicate globally while using only a single global IP 
2054
address.
2055

    
2056
Outsource Mode NAT:
2057

    
2058
Outsource mode NAT allows a PortMaster to handle NAT processing and
2059
management for a connected network interface. If a remote router that
2060
the PortMaster is connected to cannot run NAT locally, the PortMaster
2061
can perform NAT services for that device.
2062

    
2063
All NAT configuration is handled on the PortMaster. A central site
2064
administrator can maintain all NAT mappings for all sites on the
2065
PortMaster without having to worry about the capabilities or management
2066
of a number of entirely separate routers.
2067

    
2068

    
2069
_______ Map Management
2070

    
2071
NAT maps define the mappings and translations between global and
2072
private IP address space. The following map table commands are
2073
supported:
2074

    
2075
   show table map		Shows all map files.
2076

    
2077
   show map Mapname	Displays a map's contents.
2078

    
2079
   add map Mapname	Creates a new map.
2080

    
2081
   delete map Mapname	Deletes a map.
2082

    
2083
   save map		Saves map contents into 
2084
			nonvolatile RAM.
2085

    
2086
NOTE: In the this release of NAT, inbound maps are restricted to static
2087
address maps and/or static TCP/UDP port maps only. Outbound maps
2088
do not have this limitation.
2089

    
2090
See the following section for map configuration commands.
2091

    
2092

    
2093
_______ Configuring Map Contents
2094

    
2095
Entering NAT maps is very similar to configuring filters in ComOS.  
2096
The basic command "set map Mapname" has five versions that 
2097
you can use as follows---entered all on one line:
2098

    
2099
1.  To define a single dynamic pool IP address map entry or range or
2100
    list of entries, use the following command:
2101

    
2102
    set map Mapname Rulenumber addressmap 
2103
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]
2104

    
2105
2.  To define a single static pool IP address map entry or range
2106
    or list of entries, use the following command:
2107

    
2108
    set map Mapname Rulenumber staticaddressmap
2109
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]
2110

    
2111
3.  To define a static or dynamic TCP or UDP port range map
2112
    entry or list of entries, use the following command:
2113

    
2114
    set map Mapname Rulenumber static-tcp-udp-portmap
2115
    	Ipaddxfrom:Tport1 | Uport1 | Portname
2116
    	Ipaddxto: Tport2 | Uport2 | Portname [log]
2117

    
2118
4 . To remove rule Rulenumber in a map file, use the following
2119
    command:
2120

    
2121
    set map Mapname Rulenumber
2122

    
2123
5.  To empty the contents of a map file, use the following command:
2124

    
2125
    set map Mapname blank
2126

    
2127
Mapname	Address map name of up to 15 characters.
2128

    
2129
Rulenumber	Integer between 1 and 20.
2130

    
2131
Ipaddxfrom	IP address or range or list of IP addresses to be translated.
2132

    
2133
Ipaddxto	IP address or range or list of IP addresses to translate to.
2134

    
2135
Tport		TCP number or range of numbers---between 1 and 65535.
2136

    
2137
Uport		UDP number or range of numbers---between 1 and 65535.
2138

    
2139
Portname	One of the following services:
2140
		telnet	TCP port 23.
2141
		ftp	TCP ports 20 and 21.
2142
		tftp	UDP port 69.
2143
		http	TCP port 80.
2144
		dns	TCP/UDP port 53.
2145
		smtp	TCP port 25.
2146

    
2147
@ipaddr		IP address of the port being configured as the 
2148
		destination address.
2149

    
2150
log		Selectively logs events for this map entry.
2151

    
2152
The following keywords have abbreviations for ease of entry:
2153

    
2154
    addressmap = am
2155
    staticaddressmap = sam
2156
    static-tcp-udp-portmap = stupm
2157

    
2158
Values for "Ipaddxfrom" and "Ipaddxto" can be one or more of the
2159
following, separated by commas (,):
2160

    
2161
     IP address/mask
2162
     IP address - IP address
2163
     IP address1,Ipaddress2, ...
2164
     IP address
2165

    
2166
The value for "Portnumber" can be a single port number or a range of
2167
ports such as "6000-6010" (for an inbound X Server) that you want
2168
statically mapped. This capability prevents your needing multiple map
2169
rules to accomplish the same mapping.
2170

    
2171
Although you have NAT configured for a specified port, user, or
2172
location, you are not required to translate the addresses of all the
2173
hosts behind the PortMaster running NAT. You can choose the hosts for
2174
which NAT processing is done by designing your maps around them.
2175

    
2176
Example 1 --  Basic NAT:
2177

    
2178
When an outbound NAT map is defined for a port, the translation 
2179
succeeds when the source IP address matches the "Ipaddrxfrom" 
2180
address in the outbound map.  
2181

    
2182
Here is an outbound map that maps a single host with the private 
2183
IP address 10.5.3.6 to the global IP address 192.168.5.3. This is a 
2184
basic NAT configuration. 
2185

    
2186
1. Configure a map for outbound NAT named myisp.outmap:
2187

    
2188
    set map myisp.out 1 addressmap 10.5.3.6 192.168.5.3
2189

    
2190
2. Configure location myisp:
2191

    
2192
     set location myisp nat outmap myisp.out
2193

    
2194
BEFORE Outbound NAT:
2195
    Src: 10.5.3.6:12023  Dest: 192.168.2.4:80 
2196

    
2197
AFTER NAT translation using the example outbound map:
2198
    Src: 192.168.5.3:12023  Dest: 192.168.2.4:80 
2199

    
2200
Example 2 --  @ipaddr Keyword:
2201

    
2202
As a special case, the "Ipaddrxto" value for an address map can be set
2203
to "@ipaddr" when the address map is being used for outbound or
2204
outbound outsource connections. The special macro "@ipaddr" uses the IP
2205
address assigned to the port on which the address map is being used.
2206

    
2207
  set map myisp.outmap 1 addressmap 10.2.3.0/0 @ipaddr
2208

    
2209
Example 3 -- defaultnapt Map:
2210

    
2211
The reserved map "defaultnapt," described in the section 
2212
"Using the Default NAPT Map," is equivalent to the following 
2213
map:
2214

    
2215
  set map myisp.outmap  1 addressmap 0.0.0.0/0 @ipaddr
2216

    
2217
Example 4 -- Basic NAT Pools:
2218

    
2219
Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map
2220
allows you to configure one-to-one mappings of private IP addresses to
2221
global IP addresses. Using lists of addresses for these values allows
2222
the configuration of IP address allocation pools, from which global IP
2223
addresses can be allocated for outbound sessions as they are required.
2224

    
2225
Here is a configuration using a global IP address pool range of
2226
192.168.9.1 through 192.168.9.10 for hosts in the private network
2227
10.9.9.0/24 for outbound NAT. This configuration allows only 10
2228
concurrent outbound NAT sessions from the 10.9.9.0 subnet.
2229

    
2230
1. Configure rule 1 for outbound NAT map myisp.outmap:
2231

    
2232
    set map myisp.out 1 addressmap 10.9.9.0/24 192.168.9.1-192.168.9.10
2233

    
2234
2. Configure location myisp:
2235

    
2236
     set location myisp nat outmap myisp.out
2237

    
2238
Example 5 -- Basic NAT Static Maps:
2239

    
2240
If you require that private addresses always be mapped to the same
2241
global addresses, use a static address map instead of a dynamic address
2242
map. The following example creates a NAT mapping in which the private
2243
IP address range 10.1.1.0/24 is translated to the global IP address
2244
range 192.168.65.0/24 on the outbound transmission.  Because this is a
2245
static address map, it always translates 10.1.1.1 to 192.168.65.1,
2246
10.1.1.55 to 192.168.65.55, and so on.
2247

    
2248
Configure a map for outbound NAT named myisp.out, and apply it 
2249
as an outmap to the location:
2250

    
2251
    set map myisp.out 1 staticaddressmap 10.1.1.0/24 192.168.65.0/24
2252
    set location myisp nat outmap myisp.out
2253

    
2254
Alternatively, to allow inbound sessions to the same set of hosts, 
2255
create an inbound map named myisp.in and apply it as an
2256
inmap to the location:
2257

    
2258
    set map myisp.in 1 staticaddressmap 192.168.65.0/24 10.1.1.0/24
2259
    set location myisp nat inmap myisp.in
2260

    
2261
For a static address map, the total ranges on both sides must have 
2262
the same number of IP addresses; otherwise, a one-to-one static 
2263
mapping is not possible. 
2264

    
2265
If you do not have sufficient global addresses to do one-to-one 
2266
mapping, use NAPT for all or part of the private hosts (see 
2267
Example 6), or reduce the number of  IP addresses being translated.
2268

    
2269
Example 6 -- Mixing Static and Dynamic Address Maps:
2270

    
2271
This example uses a combination of static address maps for 
2272
specific hosts and NAPT for the remainder of the private hosts.  
2273

    
2274
    set map myisp.out 1 staticaddressmap 192.168.65.1-192.168.65.10 
2275
	10.1.1.1-10.1.1.10
2276
    set map myisp.out 2 staticaddressmap 192.168.65.73 10.1.1.73
2277
    set map myisp.out 3 addressmap 192.168.65.0/24 10.1.1.11
2278
    set location myisp nat inmap myisp.out
2279

    
2280
The order of the rules in a NAT map is important. In this 
2281
example, a private host with an address of 192.168.65.73 
2282
attempting outbound access via the myisp location uses rule 2 
2283
and is translated to address 10.1.1.73. A private host with an 
2284
address of 192.168.65.74 uses rule 3 and is translated to 10.1.1.11.
2285

    
2286
Example 7 -- Fully Specified Inbound Map:
2287

    
2288
When an inbound NAT map is defined for a port, the translation 
2289
succeeds when the destination IP address matches the "Ipaddrxfrom" 
2290
address in the inbound map.  
2291

    
2292
Suppose you want to allow an Internet access to your internal HTTP
2293
server running on 10.4.2.9. To do so, configure the following as an 
2294
inbound map. You also have a global IP address 192.168.2.4 assigned 
2295
to your PortMaster as the global address for all hosts residing behind 
2296
NAT:
2297

    
2298
1. Configure inbound NAT map myisp.inmap:
2299

    
2300
    set map myisp.in 1 static-tcp-udp-portmap 192.168.2.4:http 10.4.2.9
2301

    
2302
2. Configure the location:
2303

    
2304
    set location myisp nat inmap myisp.in
2305

    
2306
BEFORE Inbound NAT:
2307
    Src: 130.65.2.3:12023  Dest: 192.168.2.4:80 (80 is http)
2308

    
2309
AFTER NAT translation using the example inbound map:
2310
    Src: 130.65.2.3:12023  Dest: 10.4.2.9:80
2311

    
2312

    
2313
_______Configuring Interfaces, Locations, and Users
2314

    
2315
The basic command "set Ether0 | S0 | W1 | location Locname | user
2316
Username" has five NAT commands that you can use as follows---entered
2317
all on one line---to configure NAT on a PortMaster. 
2318

    
2319
You must reset an active port for changes in its NAT configuration 
2320
to take effect. For more information, see the section "Resetting NAT
2321
Sessions."
2322

    
2323
1.  To configure a NAT map for outbound sessions and optionally
2324
    enable the outsource function, use this command:
2325

    
2326
    set Ether0 | S0 | W1 | location Locname | user Username
2327
    	nat outmap Mapname [outsource]
2328

    
2329
2.  To configure a NAT map for inbound sessions and optionally 
2330
    enable the outsource function, use this command:
2331

    
2332
    set Ether0 | S0 | W1 | location Locname | user Username
2333
    	nat inmap Mapname  [outsource]
2334

    
2335
To remove the map entry from the specified interface, user, or 
2336
location, re-enter the command, minus the "outsource" keyword, with 
2337
a space after the Mapname value.
2338

    
2339
3.  To set logging options for a NAT session on an interface, use this
2340
    command:
2341

    
2342
    set Ether0 | S0 | W1 | location Locname | user Username
2343
	nat log sessionfail | sessionsuccess | syslog | console
2344
	on | off
2345

    
2346
4.  To set the default action that the PortMaster takes if a request for
2347
    a NAT session is refused because the mapping configuration is invalid
2348
    or does not exist, use this command:
2349

    
2350
    set Ether0 | S0 | W1 | location Locname | user Username
2351
    	nat session-direction-fail-action drop | icmpeject | passthrough
2352

    
2353
5.  To set the maximum idle time for a NAT session, use this command:
2354

    
2355
    set Ether0 | S0 | W1 | location Locname | user Username
2356
    	nat sessiontimeout  tcp | other Number [minutes | seconds]
2357

    
2358

    
2359
_______ Using the Default NAPT Map
2360

    
2361
You can assign the reserved map name "defaultnapt" to an
2362
outbound-only NAPT configuration, with the following results:
2363

    
2364
* When "defaultnapt" is assigned as an outbound map, without the
2365
"outsource" option, all outbound IP sessions through the given port are
2366
subject to NAPT and use the IP address assigned to the port.
2367

    
2368
* When "defaultnapt" is assigned as an outbound map for the 
2369
port---using "outsource" in the command line---all inbound IP 
2370
sessions (with respect to the calling device) through the given 
2371
port are subject to outsource NAPT and use the IP address 
2372
assigned to the port.
2373

    
2374
NOTE: In the this release of NAT, inbound maps are restricted to static
2375
address maps and/or static TCP/UDP port maps only. Outbound maps
2376
do not have this limitation.
2377

    
2378

    
2379
_______ Using RADIUS for NAT
2380

    
2381
Many NAT configuration parameters can also be configured via 
2382
RADIUS on a per-user basis. For RADIUS to support the new 
2383
vendor-specific attributes, you must be running the Lucent 
2384
RADIUS 2.1 server or another RADIUS server---such as the 
2385
NavisRadius product---that supports vendor-specific attributes. 
2386

    
2387
Add the following attributes and values to your RADIUS dictionary
2388
if they are not already there. Then stop and restart your RADIUS server.
2389

    
2390
RADIUS Dictionary Updates:
2391

    
2392
ATTRIBUTE	LE-NAT-TCP-Session-Timeout	14	integer	Livingston
2393
ATTRIBUTE	LE-NAT-Other-Session-Timeout	15	integer	Livingston
2394
ATTRIBUTE	LE-NAT-Log-Options		16	integer	Livingston
2395
ATTRIBUTE	LE-NAT-Sess-Dir-Fail-Action	17	integer	Livingston
2396
ATTRIBUTE	LE-NAT-Inmap			18	string	Livingston
2397
ATTRIBUTE	LE-NAT-Outmap			19	string	Livingston
2398
ATTRIBUTE	LE-NAT-Outsource-Inmap		20	string	Livingston
2399
ATTRIBUTE	LE-NAT-Outsource-Outmap	21	string	Livingston
2400

    
2401
VALUE	LE-NAT-Sess-Dir-Fail-Action	Drop			1
2402
VALUE	LE-NAT-Sess-Dir-Fail-Action	ICMP-Reject		2
2403
VALUE	LE-NAT-Sess-Dir-Fail-Action	Pass-Through		3
2404

    
2405
VALUE	LE-NAT-Log-Options	Session-Success-On	1
2406
VALUE	LE-NAT-Log-Options	Session-Failure-On	2
2407
VALUE	LE-NAT-Log-Options	Console-On		3
2408
VALUE	LE-NAT-Log-Options	Syslog-On		4
2409
VALUE	LE-NAT-Log-Options	Success-Off		5
2410
VALUE	LE-NAT-Log-Options	Failure-Off		6
2411
VALUE	LE-NAT-Log-Options	Console-Off		7
2412
VALUE	LE-NAT-Log-Options	Syslog-Off		8
2413

    
2414
Each RADIUS parameter corresponds to its command line equivalent. Refer
2415
to the usage information on a particular NAT command in this release
2416
note for more information.
2417

    
2418
When configuring a user profile, be sure to list any multiple occurrences
2419
of the LE-NAT-Log-Options attribute, which sometimes requires multiple
2420
values, in the order in which the values are listed in the dictionary---the 
2421
order shown above. For example:
2422

    
2423
joe	Auth-Type = System, Framed-Protocol = PPP
2424
	Service-Type = Framed-User,
2425
	Framed-Protocol = PPP,
2426
	Framed-IP-Address = 255.255.255.254,
2427
	LE-NAT-Outsource-Outmap = "defaultnapt",
2428
	LE-NAT-Sess-Dir-Fail-Action = Drop,
2429
	LE-NAT-Log-Options = Session-Failure-On,
2430
	LE-NAT-Log-Options = Console-On
2431

    
2432

    
2433
_______ NAT Session Management
2434

    
2435
NAT sessions can be managed, viewed, and reset in several ways.
2436

    
2437
You can display the currently active NAT sessions using the following
2438
command:
2439

    
2440
  show nat sessions  [tcp | udp | ftp | Sessionid] 
2441

    
2442
Enter "show nat sessions" to display NAT session identification
2443
numbers.
2444

    
2445
You can also limit the display to the sessions for a single port, user,
2446
or location by appending a regular expression at the end of the command
2447
line, as you can do with the "show routes" command.
2448

    
2449
You can view real-time statistics on NAT:
2450

    
2451
  show nat statistics
2452

    
2453
This command displays statistics on a per-port basis, including
2454
successful translations, failures, address shortages when you are
2455
using IP pools, and unsuccessful translations and/or lookups due
2456
to timeouts.
2457

    
2458
Use the following command for debugging and to see resource usage:
2459

    
2460
  show nat mapusage
2461

    
2462
This command displays a list of active IP address and port bindings,
2463
including a list of the remaining resources---TCP/UDP ports or IP
2464
addresses---available for use.
2465

    
2466

    
2467
_______ Resetting NAT Sessions
2468

    
2469
CAUTION! Resetting any or all interfaces while sessions are active
2470
might cause active connections on clients and servers to be left open
2471
or terminated abruptly. Lucent recommends NOT entering this command
2472
while the interface is being used because doing so can leave connections 
2473
in an unknown state between the two communicating hosts.
2474

    
2475
You can reset the entire NAT subsystem with the following command:
2476

    
2477
    reset nat [Ether0 | S0 | W1]
2478

    
2479
The default resets all existing NAT sessions on the PortMaster---like
2480
the "reset all" command. Specifying the name of an interface resets all
2481
NAT sessions associated with the specified interface. Use the "ifconfig" 
2482
command to see a list of interfaces.
2483

    
2484
Resetting NAT affects active NAT sessions only. If you modify the 
2485
NAT configuration on an active port, you must reset the port directly 
2486
and also reset NAT on that interface.
2487

    
2488

    
2489
_______ Deleting Individual NAT Sessions
2490

    
2491
You can delete individual NAT sessions by using the session ID. This
2492
value is displayed in the first column of a "show nat sessions"
2493
output.  Determine the session ID and then enter the following
2494
command:
2495

    
2496
  delete nat sessions [Sessionid]
2497

    
2498

    
2499
_______ NAT Administrative Concerns
2500

    
2501
Be aware that you might need to do the following when configuring your
2502
network in the presence of a NAT.
2503

    
2504
Stopping the Advertisement of Routing Information:
2505

    
2506
NAT creates a private network that cannot be advertised outside the
2507
private boundary delimited by the NAT router. As a result, you must be
2508
sure to disable network advertisements on the NAT router's global
2509
interface.
2510

    
2511
For example if you are running NAT on a PortMaster IRX(TM) Router 
2512
model IRX-211, with Ether0 as your private interface and Ether1 as your 
2513
global interface with NAT enabled on it, you must disable RIP broadcasts:
2514

    
2515
    set ether1 rip listen
2516

    
2517
Or use the "off" option if you do not need to listen to RIP routing 
2518
updates at all.
2519

    
2520
If you are using OSPF, you must specify the private IP address range as
2521
"quiet":
2522

    
2523
  set ospf area 0.0.0.0 range 10.0.0.0/8 quiet
2524

    
2525
If you are using BGP, you must not advertise any private IP address
2526
blocks to the outside world.
2527

    
2528
Rerouting Global IP Addresses Used by NAT to Static Routing:
2529

    
2530
Because NAT is not equipped to advertise routing, the global IP
2531
addresses (or networks) used by NAT, might require the addition of
2532
static routes on the routers that are external peers of the PortMaster.
2533

    
2534
Particularly, if you are using basic NAT to manage a pool of global
2535
addresses, you must configure a static route for the pool of addresses
2536
on the next-hop router of the PortMaster.
2537

    
2538
Avoiding Ethernet LANs:
2539

    
2540
NAT does not provide Ethernet ARP services for the global IP addresses
2541
it uses. For this reason, Lucent recommends that NAT be configured on
2542
WAN interfaces instead of Ethernet interfaces.  If you choose to
2543
configure basic NAT on a LAN interface, be sure to select for use with
2544
NAT a global IP address block that does not fall within the same
2545
network prefix of the LAN interface itself.
2546

    
2547
Determining If Additional Security, Privacy, and/or Firewalls Are Needed:
2548

    
2549
Security is viewed differently in different environments. Many people
2550
view NAT as a one-way (session) traffic filter, restricting sessions
2551
from external hosts into their network. In that context, NAT provides a
2552
certain degree of security that might not be acceptable for your
2553
situation.
2554

    
2555
In addition, address assignment in NAT is often done dynamically.
2556
Dynamically assigned addresses can often hinder an attacker from
2557
pointing to any specific host in the NAT domain as a potential target
2558
of attack. Partial privacy is gained because tracing an individual
2559
connection to a particular user is more difficult. You can use
2560
firewalls with NAT maps to provide other ways to filter unwanted
2561
traffic.
2562

    
2563
However, NAT maps cannot by themselves transparently support all
2564
applications and often must co-exist with application-level gateways
2565
(ALGs)---for example, SOCKS. If you use NAT, you must determine the
2566
application requirements first so that you can assess the extensions to
2567
NAT and the security they provide.
2568

    
2569
NAT routers have a security limitation that allows NAT and/or its
2570
application-level gateway extensions to read the packet data in the end
2571
user traffic that passes through them. This limitation is a security
2572
problem if the NAT routers are not in a trusted boundary.
2573

    
2574
Although you can encrypt NAT traffic, NAT must usually be the end point
2575
to such an encryption-decryption setup. For example, you cannot
2576
configure an end-to-end VPN tunnel with NAT routers in between. The end
2577
point(s) must be a router running NAT.
2578

    
2579
Lucent does not guarantee NAT as an complete security solution.
2580
Although placing your private network behind NAT might make it seem
2581
inaccessible to the outside, this is not the intention of NAT.  You
2582
must evaluate the particular configuration, network topology, and
2583
security requirement of your organization to determine whether simply
2584
installing NAT eliminates the need for further security measures such
2585
as a firewall.
2586

    
2587
Mapping for DNS:
2588

    
2589
When configuring DNS on the hosts behind NAT, if you add a map similar
2590
to the following on the internal interface---usually Ether0 on an
2591
Office Router---you can enter the IP address of your Office Router as
2592
the DNS server. This is a useful feature if you do not always have the
2593
same DNS server, because of multiple providers, but do not want to
2594
reconfigure all your private hosts. Use the following commands,
2595
entering each command all on one line:
2596

    
2597
    set map dns.inmap 1 static-tcp-udp-portmap
2598
    	@ipaddr:dns <Primary DNS IP address>
2599
    set ether0 nat inmap dns.inmap
2600
    set location Locname nat outmap defaultnapt
2601

    
2602
Handling Changes to On-Demand Locations:
2603

    
2604
Because of the way that on-demand locations and their corresponding
2605
interfaces are traditionally handled within ComOS, NAT configuration
2606
changes might not take effect in the way you expect. To get around this
2607
problem, you can either reboot immediately after changing the settings
2608
for a location that is currently set to on-demand, or do the
2609
following:
2610

    
2611
1. Enter "set location Locname maxports 0".
2612

    
2613
2. Enter "reset dialer".
2614

    
2615
3. Change whatever settings you need to.
2616

    
2617
4. Enter the following:
2618

    
2619
   set location Locname maxports <Original_maxports_value>
2620

    
2621
Manually dialed locations are unaffected.
2622

    
2623

    
2624
_______ NAT Examples
2625

    
2626
1.  Dial-Out Location Using defaultnapt with a Dynamically Assigned 
2627
    PPP IP Address:
2628

    
2629
Your Office Router OR-U is dialing in to a corporate network's
2630
PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically
2631
assigned IP address for the Office Router in a NAPT configuration.
2632
Everything behind the Office Router is subject to NAPT. You configure
2633
the Office Router as follows:
2634

    
2635
    add location corporate
2636
    set location corporate phone 5558583
2637
    set location corporate username joeuser
2638
    set location corporate password secrets
2639
    set location corporate destination 192.168.2.5
2640
    set location corporate max 2
2641
    set location corporate idle 15 minutes
2642
    set location corporate on-demand
2643
    set location corporate local-ip-address assigned
2644
    set location corporate nat outmap defaultnapt
2645

    
2646
2. Preventing Address Renumbering with Basic NAT on 
2647
   an Office Router:
2648

    
2649
Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company
2650
(25.0.0.0/8) and must renumber its hosts to access Big Company's
2651
network. ABC has an ISDN connection from its Office Router to Big
2652
Company's network. Big Company has just assigned ABC the IP range
2653
25.9.1.0/24 to use. ABC configures its Office Router as follows:
2654

    
2655
    add map abc.outmap
2656
    set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
2657
    add location bigcomp
2658
    set location bigcomp phone 5558583
2659
    set location bigcomp username abc
2660
    set location bigcomp password bigsecret
2661
    set location bigcomp destination 25.1.1.7
2662
    set location bigcomp idle 15 minutes
2663
    set location bigcomp on-demand
2664
    set location bigcomp local-ip-address 25.9.1.254
2665
    set location bigcomp nat outmap abc.outmap
2666

    
2667
The abc.outmap NAT map assigns IP addresses dynamically
2668
as needed. If ABC wants to have static translations, abc.outmap
2669
on the Office Router must be changed as follows:
2670

    
2671
    set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24
2672

    
2673
3. Address Redirection to a Backup IRX-211 to Perform Server 
2674
   Maintenance:
2675

    
2676
The following two servers on your Ether1 provide inbound FTP and Web
2677
service:
2678

    
2679
* primary.web.com at 129.65.2.1
2680

    
2681
* backup.web.com at 129.65.2.2
2682

    
2683
The IP addresses of primary and backup are global IP addresses.
2684
However, you need to take primary off-line to perform some maintenance
2685
work. Just before shutting down primary, you configure an inbound map
2686
on Ether0 that statically maps primary's address to backup. You use a
2687
basic NAT setup as follows:
2688

    
2689
    add map ether0.inmap
2690
    set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
2691
    set ether0 nat inmap ether0.inmap
2692
    reset nat
2693

    
2694
As part of this configuration, you might also want to set the NAT
2695
session-direction-fail-action (SDFA) to passthrough:
2696

    
2697
    set ether0 nat sdfa passthrough
2698

    
2699
This setting prevents NAT from intercepting outbound packets from the
2700
remapped host when primary returns to service and you want to run a
2701
Telnet or FTP session from it.
2702

    
2703
4. T1 or Fractional T1 WAN Link Using defaultnapt for Outbound and
2704
   Providing Inbound HTTP Service:
2705

    
2706
Line1 on your PortMaster 3 is a T1 WAN link with a private network
2707
10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered
2708
with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The
2709
HTTP server in the private network resides at 10.1.1.10. You configure
2710
the PortMaster 3 as follows:
2711

    
2712
    set w24 address 192.168.44.99
2713
    set w24 destination 192.168.44.254
2714
    set w24 nat outmap defaultnapt
2715
    add map w24.inmap
2716
    set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http 
2717
      10.1.1.10:http
2718
    set w24 nat inmap w24.inmap
2719
    reset w24
2720

    
2721
5. Dial-In User Using defaultnapt in Outsource Mode:
2722

    
2723
You want to provide NAT service to a user (or incoming network) 
2724
by connecting the user (or network) in an outsource-mode NAPT 
2725
configuration using the defaultnapt map on a PortMaster. The global 
2726
IP address 192.168.129.130 is assigned to the dial-up router and will be 
2727
used as the global address by NAT. Because this configuration uses 
2728
the defaultnapt map, the IP addresses that the client's network is using
2729
are not needed in the NAPT configuration. Configure the PortMaster 
2730
as follows:
2731

    
2732
    add netuser joeuser
2733
    set user joeuser password mysecret
2734
    set user joeuser destination 192.168.129.130
2735
    set user joeuser nat outmap defaultnapt outsource
2736

    
2737
No NAT configuration is required on the dial-up router (client) side.
2738
If the client also wants to run an FTP server with a private IP address
2739
of 192.168.5.1 on his network and have it accessible globally, 
2740
you can configure further as follows:
2741

    
2742
    add map joeuser.in
2743
    set map joeuser.in 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
2744
    set user joeuser nat inmap joeuser.in outsource
2745

    
2746
When you configure the NAT map for a user with outsource NAT, 
2747
you can consider the map as being on the calling router's 
2748
outbound interface.
2749

    
2750
6.  Dial-Out Location Using a Dynamic IP Address Basic NAT Map:
2751

    
2752
Your ISP gives you a small address block (192.168.129.129/29), but you
2753
have more hosts then global IP addresses available. You do not want to
2754
request more global IP addresses because of the added expense. In
2755
addition, because not all workstations use the connection at the same
2756
time, additional addresses will be wasteful. You want to use a dynamic
2757
IP address pool map instead. You configure your PortMaster as follows:
2758

    
2759
    add map isp.outmap
2760
    set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
2761
    add location isp
2762
    set location isp phone 5558583
2763
    set location isp username mycompany
2764
    set location isp password bigsecret
2765
    set location isp destination negotiated
2766
    set location bigcomp max 2
2767
    set location bigcomp continuous
2768
    set location bigcomp local-ip-address assigned
2769
    set location bigcomp nat outmap isp.outmap
2770

    
2771
7.  Dial-Out Location Using a Static IP Address Basic NAT Map:
2772

    
2773
Your ISP gives you an address block (192.168.130.0/24). You can use a
2774
dynamic IP address pool for your workstation IP addresses because they
2775
do not need Internet access at the same time. However, you must give
2776
two of your trusted systems static IP addresses for security
2777
reasons---to perform packet filtering, for example. You configure your
2778
PortMaster as follows:
2779

    
2780
    add map isp.outmap
2781
    set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
2782
    set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
2783
    set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
2784
    add location isp
2785
    set location isp phone 5558583
2786
    set location isp username mycompany
2787
    set location isp password bigsecret
2788
    set location isp destination negotiated
2789
    set location bigcomp max 2
2790
    set location bigcomp continuous
2791
    set location bigcomp local-ip-address assigned
2792
    set location bigcomp nat outmap isp.outmap
2793

    
2794

    
2795
_______ NAT-Unfriendly Applications:
2796

    
2797
The following applications are considered unfriendly to NAT 
2798
because they embed the IP source and/or destination addresses 
2799
in the packet data, are multicast based or broadcast based, or 
2800
rely on end-to-end node security:
2801

    
2802
* Multicast-based applications
2803
* Routing protocols RIP and OSPF
2804
* DNS zone transfers
2805
* End-to-end VPN tunnels
2806
* Anything that embeds the IP source and/or destination address(es)
2807
  into the packet data.
2808

    
2809

    
2810
_______ NAT Debugging and Troubleshooting Tips
2811

    
2812
* Verify obvious values like correct IP addresses in map entries.
2813

    
2814
* Make sure your maps match the flow of the session (inbound or
2815
outbound). Check "show nat sessions" output to make sure the correct
2816
translations are taking place.
2817

    
2818
* Watch "show nat statistics" output for failed translations that can
2819
indicate incorrect session flow direction and possibly incomplete
2820
maps.
2821

    
2822
* Watch the source and destination IP addresses of packets going
2823
through the PortMaster. You can find a simple ptrace debug filter for
2824
this purpose in the PortMaster Troubleshooting Guide. If you are
2825
running NAT on your WAN link, look for private IP addresses that are
2826
exiting the ptp0 interface untranslated. If translation is not taking
2827
place, either your NAT maps are not translated properly or NAT is not
2828
active on the port.
2829

    
2830
* Make sure that you reset the active network interface to make its NAT
2831
configuration take effect. In the case of an Ethernet interface, enter
2832
"reset nat ether0".
2833

    
2834
* If a location is set to dial-on-demand, you might need to reboot the
2835
PortMaster for configuration changes to take effect.
2836

    
2837
* If a port loses its network connectivity---for example, if the modem
2838
drops carrier---NAT maintains the state of any existing sessions ONLY
2839
if the IP address assigned to the port remains the same.
2840

    
2841
* Because of the nature of NAT operation, some applications that work
2842
under basic NAT might not work with NAPT. If you are using a particular
2843
application under NAPT and it is not working, try using basic NAT and
2844
see if the situation improves.
2845

    
2846

    
2847
_______ NAT Logging Control
2848

    
2849
You can activate syslog and console logging on a per-port basis to
2850
identify configuration errors and for auditing purposes. Enter the
2851
following commands---all on one line---to configure logging to the 
2852
PortMaster console of all NAT sessions that fail for any reason:
2853

    
2854
set Ether0 | S0 | W1 | location Locname | user Username
2855
    	nat log sessionfail on
2856

    
2857
set Ether0 | S0 | W1 | location Locname | user Username
2858
    	nat log console on
2859

    
2860
To log to syslog instead, enter "syslog" instead of "console".
2861

    
2862
Syslog logging is logged at the priority level shown in "show syslog"
2863
output. If you have not set the PortMaster global option for logging
2864
NAT information to syslog, then no logging takes place, regardless of
2865
the logging options configured on any particular port. Lucent
2866
recommends that you log NAT activity at the same priority as packet
2867
filters:
2868

    
2869
    set syslog nat auth.notice
2870

    
2871
You can also log more selectively for only certain map entries by 
2872
appending the "log" keyword at the end of a particular map entry you
2873
want logged. For example:
2874

    
2875
    set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log
2876

    
2877
Whenever a session from 192.168.1.1 is successfully translated to the
2878
global IP address 172.16.1.1 via this outbound map, a syslog message
2879
is sent to your loghost.
2880

    
2881
Here is some sample syslog output:
2882

    
2883
Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
2884
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
2885

    
2886
Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
2887
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
2888

    
2889
Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
2890
 (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)
2891

    
2892
Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
2893
 (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)
2894

    
2895
Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
2896
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
2897

    
2898
Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
2899
 (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)
2900

    
2901
Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
2902
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
2903

    
2904
Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
2905
 (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)
2906

    
2907
Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
2908
 (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)
2909

    
2910

    
2911
_______ Debugging NAT
2912

    
2913
The following commands set ComOS debugging options for NAT:
2914

    
2915
  set debug nat-ftp on | off		Displays FTP payload processing.
2916

    
2917
  set debug nat-icmp-err on | off	Displays ICMP error payload 
2918
					processing.
2919

    
2920
  set debug nat-rt-interface on | off	Displays NAT parameters changes
2921
					during interface binding.
2922

    
2923
  set debug nat-max on | off		Enables full NAT debugging.
2924

    
2925
Remember to use "set console" before using these commands, and 
2926
"reset console" after turning off the debug process.
2927

    
2928

    
2929
_______ Network Diagnostic Tools for NAT
2930

    
2931
Because NAT includes ICMP and UDP translation, the two most common
2932
network diagnostic tools, ping and traceroute, can still be used---with
2933
the following restrictions:
2934

    
2935
* When using NAPT, you will not be able to run traceroute or ping
2936
inbound to the private hosts because you cannot reach them directly
2937
from the outside.  But you can use the tools in an outbound direction
2938
without any problems.
2939

    
2940
*  When using basic NAT, you can run traceroute and ping inbound but
2941
only if you have an inbound map active. You still must include an entry
2942
for the actual host you are trying to ping or trace routes to. As with
2943
NAPT, you can do all network diagnostics in outbound mode.
2944

    
2945

    
2946
_______ NAT References
2947

    
2948
* draft-ietf-nat-traditional-03.txt, Traditional IP Network Address 
2949
Translator (Traditional NAT)
2950

    
2951
* RFC 1918, Address Allocation for Private Internets
2952

    
2953
* RFC 2663, IP Network Address Translator (NAT) Terminology and 
2954
Considerations
2955

    
2956

    
2957
_______________ ComOS 3.9b26 Limitations
2958

    
2959
* Limitations on Upgrading and Downgrading:
2960

    
2961
  - The PortMaster must be running ComOS 3.5 or later to upgrade to 
2962
    ComOS 3.9b26. If you are running an earlier release of ComOS,
2963
    upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.
2964

    
2965
  - Downgrading a PortMaster 3 from ComOS 3.9b26 to a previous 
2966
    release requires two successful downgrades. After the first
2967
    successful downgrade the PortMaster is operational, but without
2968
    system messages. The second downgrade applies the system messages.
2969

    
2970
  - Downgrading from ComOS 3.9b26 to ComOS 3.5 might change the 
2971
    Ether0 IP address.
2972

    
2973
* A ComOS online help file is not included in this release; therefore, 
2974
the "help" command is not supported.
2975

    
2976
* Modem Limitations:
2977

    
2978
  - Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and
2979
    MDM-PM3-10) has been removed from this release, except for support 
2980
    of the V.110 protocol. The "True Digital 56K Card" (MDM-56K-8 and
2981
    MDM-56K-10) is still supported.
2982

    
2983
  - Lucent is still fixing some problems with Rockwell HCF and Cirrus
2984
    Logic modems. If you experience any difficulties with modems, verify
2985
    that the client modem is running the latest firmware. Then refer to
2986
    http://www.livingston.com/tech/bulletin/comos-modem.html. If these
2987
    instructions do not help, contact Lucent NetCare(R) technical support
2988

    
2989
  - The extended Link Access Procedure for Modems (LAPM) (V.42) 
2990
    timeout in the ComOS 3.9b26 modem code keeps the Sega Dreamcast 
2991
    modem from connecting.
2992

    
2993
* You cannot use Inverse Address Resolution Protocol (ARP) on a Frame
2994
Relay interface with subinterfaces. The primary Frame Relay interface
2995
does not automatically map IP addresses to data link connection
2996
identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP
2997
tables appear, and the PortMaster cannot ping across the Frame Relay
2998
cloud.
2999

    
3000
* The PortMaster 3 can support either the Stac compression card or 
3001
the IPSec encryption ("coprocessor") card, but not both. Both cards 
3002
use the same interface on the PortMaster 3 motherboard.
3003

    
3004
* Neither the Internet Key Exchange (IKE) protocol nor the Internet
3005
Security Association Key Management Protocol (ISAKMP) is supported 
3006
in this release.
3007

    
3008
*Passive security profiles for VPN tunnels are not supported in this 
3009
release.
3010

    
3011
* NAT Limitations:
3012

    
3013
 - NAT and VPN tunneling cannot be configured to work together on the 
3014
    same port in this release.
3015

    
3016
 - Inbound NAT maps are restricted to static address maps and/or static
3017
    TCP/UDP port maps only. Outbound NAT maps do not have this limitation.
3018

    
3019
 - NAT translates only TCP, UDP, and ICMP packets. Point-to-Point 
3020
    Tunneling Protocol (PPTP) traffic is not translated.
3021

    
3022
* A Layer 2 Tunneling Protocol (L2TP) network server (LNS) can support 
3023
only 94 L2TP sessions in this release.
3024

    
3025
* NFAS Limitations:
3026

    
3027
 - This release does not support mixing NFAS and non-NFAS ISDN 
3028
    PRIs in the same chassis. If one line is used for NFAS, the other
3029
    line must be used for NFAS or left empty.
3030

    
3031
 - NFAS operates only on National ISDN (NI-2) switch types.
3032

    
3033
 - Configuring NFAS settings on a line that is not configured for ISDN
3034
    or unable to perform ISDN functions makes the line behave strangely.
3035

    
3036
 - When you are using NFAS and a problem occurs on the physical PRI 
3037
    line with the D channel, the line sometimes does not return to service 
3038
    until you reset the D channel.
3039

    
3040
 - When a PortMaster running NFAS is rebooted, you must sometimes 
3041
    reset the D channel to return the PRI to service.
3042

    
3043
* To advertise your address pools allocated for static users as
3044
internal OSPF routes, you must add them to the OSPF area range as full
3045
class C addresses. If these addresses are instead added as subnets of a
3046
class C address, they are incorrectly advertised as OSPF type 2
3047
external (E2) routes.
3048

    
3049
An address pool on a PortMaster 3 is most commonly made up of 48
3050
contiguous addresses, the first of which is a network address.  For
3051
example, suppose you configure an address pool using subnets
3052
192.168.110.16/28 and 192.168.110.32/27, with 192.168.110.16 as the
3053
first address.
3054

    
3055
If you add the address pool to the OSPF area range as
3056
*192.168.110.0/24, the address pool is correctly advertised as "ospf."
3057
However, if you add the address pool to the OSPF area range as
3058
*192.168.110.16/28 and *192.168.110.32/27, it is advertised as
3059
"ospf/E2."
3060

    
3061

    
3062
_______________ Troubleshooting Modems
3063

    
3064
As part of modem troubleshooting, confirm that the client modem is
3065
running the latest firmware before submitting a modem trouble report.
3066

    
3067
When making a report of a new modem problem, send the following
3068
information to Lucent NetCare technical support:
3069

    
3070
* ComOS version
3071
* Client modem manufacturer
3072
* Client modem model
3073
* Results on the client modem of commands ATI0 through ATI11
3074
* Whether the problem is reproducible
3075

    
3076
Lucent might want to monitor your PortMaster while the client modem
3077
reproduces the problem.
3078

    
3079

    
3080
_______________ Upgrade Instructions
3081

    
3082
You can upgrade your PortMaster 3 using PMVision 1.7 or later, or
3083
pmupgrade 4.3 or later from PMTools. Alternatively, you can upgrade
3084
using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole
3085
for Windows 3.5.1.4.  You can also upgrade using TFTP with the "tftp
3086
get comos" command from the PortMaster command line interface.
3087

    
3088
See ftp://ftp.livingston.com/pub/le/software/java/pmvision17.txt for
3089
installation instructions for PMVision 1.7.
3090

    
3091
*** CAUTION!  If the upgrade fails, do NOT reboot!  Contact 
3092
*** Lucent NetCare Technical Support without rebooting.
3093

    
3094
The upgrade process on the PortMaster 3 erases the configuration area
3095
from nonvolatile memory and saves the current configuration into
3096
nonvolatile memory. Never interrupt the upgrade process, or loss of
3097
configuration information can result.
3098

    
3099
WARNING! Due to the increased size of ComOS, the amount of 
3100
NVRAM available for saving configurations has been reduced from 
3101
128KB to 64KB. PortMaster products with configurations greater 
3102
than 64KB will lose some of their configuration. For this reason, be 
3103
sure to back up your PortMaster configuration before upgrading to 
3104
this release. You can check the amount of memory used for your 
3105
configuration with the "show files" command. Ignore any files that 
3106
also include an uncompressed size.
3107

    
3108
WARNING! The PortMaster must be running ComOS 3.5 or later to 
3109
upgrade to ComOS 3.9b26. If you are running an earlier release of ComOS,
3110
upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.
3111

    
3112
IMPORTANT: Any PortMaster running ComOS 3.9b26 requires 4MB of 
3113
DRAM. If you are running BGP, 16MB of DRAM is required.
3114

    
3115
The installation software can be retrieved by FTP from
3116
ftp://ftp.livingston.com/pub/le/software/, and the upgrade image
3117
can be found at ftp://ftp.livingston.com/pub/le/upgrades:
3118

    
3119
ComOS		Upgrade Image	Product
3120
_________	_____________   _____________________________________
3121
3.9b26		pm3_3.9b26	PortMaster 3
3122

    
3123
________________________________________________________________________
3124

    
3125
        Copyright and Trademarks
3126

    
3127
Copyright 1999 Lucent Technologies. All rights reserved.
3128

    
3129
PortMaster, ComOS, ChoiceNet, and NetCare are registered trademarks of
3130
Lucent Technologies. PMVision, IRX, PortAuthority, and NavisRadius are
3131
trademarks of Lucent Technologies. All other marks are the property of
3132
their respective owners.
3133

    
3134
	Notices
3135

    
3136
Lucent Technologies makes no representations or warranties with respect
3137
to the contents or use of this publication, and specifically disclaims
3138
any express or implied warranties of merchantability or fitness for any
3139
particular purpose. Further, Lucent Technologies reserves the right to
3140
revise this publication and to make changes to its content, any time,
3141
without obligation to notify any person or entity of such revisions or
3142
changes.
3143

    
3144
	Contacting Lucent NetCare Technical Support
3145

    
3146
Lucent NetCare Professional Services provides PortMaster technical
3147
support via voice or electronic mail, or through the World Wide Web at
3148
http://www.livingston.com/. Specify that you are running ComOS 3.9b26
3149
when reporting problems with this release.
3150

    
3151
Internet service providers (ISPs) and other end users in Europe, the
3152
Middle East, Africa, India, and Pakistan should contact their authorized
3153
Lucent NetCare sales channel partner for technical support; see
3154
http://www.livingston.com/International/EMEA/distributors.html.
3155

    
3156
For North America, the Caribbean and Latin America (CALA), and Asia
3157
Pacific customers, technical support is available Monday through Friday
3158
from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966
3159
within the United States (including Alaska and Hawaii), Canada, and
3160
CALA, or 1-925-737-2100 from elsewhere, for voice support. For email
3161
support, send to support@livingston.com (asia-support@livingston.com 
3162
for Asia Pacific customers).
3163

    
Add picture from clipboard (Maximum size: 48.8 MB)