Release notice for Ingate Firewall® 4.1.0 and Ingate SIParator® 4.1.0

   +-------------------------------------------+
   | Release name: | Ingate Firewall(R) 4.1.0  |
   |               | Ingate SIParator(R) 4.1.0 |
   |---------------+---------------------------|
   | Release date: | 2004-07-16                |
   +-------------------------------------------+

   The new version and the user manual can be found at:
   [1]www.ingate.com/upgrades/

   Please read the separate upgrade instructions, available from the same
   place. You have to log on first to read them.

   This release fixes two security problems, adds support for STUN and a DHCP
   server, fixes several SIP-related problems, and also fixes a few other
   problems. We recommend that everybody upgrades.

   Fixed security problems

     * VPN packets could be spoofed from the interface that holds the default
       route. [Tracking ID: 1417]
     * VPN rules were given precedence in the rule list used by the firewall,
       so the rule order configured in the GUI was not strictly followed.
       [Tracking ID: 949]

   New functionality

     * DHCP server. [Tracking ID: 91]
     * The log now displays what rule a packet matched. [Tracking ID: 207]
     * Support for more flexible ways of NAT. [Tracking ID: 236]
       You can select to NAT only traffic from a particular network, or only
       traffic to a particular network. You can also select what IP address
       should be used for this.
     * Support for multiple DNS servers. [Tracking ID: 414]
     * The LEDs on the front of the firewall/SIParator now indicate if a unit
       is in active or standby mode in a failover team. [Tracking ID: 576]
     * Possibility to configure admin port (HTTP and HTTPS). [Tracking ID:
       773]
       Both the HTTP and HTTPS ports can now be configured. Additionally it
       is also possible to run the HTTP and HTTPS servers on different IP
       addresses.
     * Automatic login to the operator for Telia ADSL customers and similar
       subscriptions. [Tracking ID: 884]
     * Automatic check of the preliminary configuration. [Tracking ID: 1023]
       The administrator no longer needs to press the Apply configuration
       button to find out if there are any problems with the preliminary
       configuration. If errors in the preliminary configuration exist they
       are listed on the Save/Load Configuration page.
     * Logins on the console are now logged. [Tracking ID: 1377]

   New VPN functionality

     * VPN tunnel status page. You can check status for all configured IPsec
       tunnels and renegotiate them from the GUI. [Tracking ID: 110]
     * Uniform certificate management. [Tracking ID: 277]
       X.509 Certificate management (for HTTPS, TLS and IPsec) is now handled
       in one dialogue instead of four. It is also possible to have an
       unlimited number of outstanding certificate requests and/or
       certificates in the machine.
     * Support for import/export of local certificates including private
       keys. [Tracking ID: 417]
     * The IPsec peer names are now shown in the "IPsec key negotiations"
       log. [Tracking ID: 434]
     * It is now possible to specify a serial number when creating an X.509
       certificate. [Tracking ID: 910]
     * Support for runtime IP address/DNS lookups of IPsec peers. [Tracking
       ID: 963]
     * ISAKMP key lifetime limit extended to 48 hours (previously 8 hours).
       [Tracking ID: 1000]
     * Invalid certificates now have their expiry date displayed in red when
       they are uploaded or viewed. [Tracking ID: 1033]

   New SIP functionality

     * Global/Local option for Static domain modification added. [Tracking
       ID: 271]
       It is now possible to select if Static domain modification should
       apply to local calls only or to all calls.
     * The Static registrations table now allows the user to select protocol
       (sip/sips) and transport (UDP/TCP/TLS) on the outgoing call. [Tracking
       ID: 491]
     * Support for authentication of SIP users from an external RADIUS
       database. [Tracking ID: 561]
     * Authentication of INVITEs on a selective basis. [Tracking ID: 873]
     * New option allows RFC2069 Digest authentication. [Tracking ID: 1014]
       Default is RFC 2617 Digest authentication.
     * More consistent and user-friendly SIP GUI. [Tracking ID: 1111]
     * Option to preserve username in SIP-URL. [Tracking ID: 1117]
       It is possible to turn the rewriting of the contact header off and
       preserve the username in contact headers passing through the
       firewall/SIParator. By default this feature is turned off.
     * Remote SIP Connectivity
       Remote SIP Connectivity is a new set of features that may be purchased
       as a module. It includes features that allow SIP clients located
       behind a remote NAT firewall/router to communicate using SIP.

          * STUN server. [Tracking ID: 1189]
            The STUN server supports RFC3489 and provides means for a
            STUN-enabled client to connect to other SIP devices from behind a
            remote NAT firewall/router.
          * Support for Remote NAT Traversal. [Tracking ID: 1183]
            Using this feature remote clients located behind a remote NAT
            firewall/router may communicate with other clients using SIP.

     * Option for loose username check. [Tracking ID: 1343]
       Allows authentication using only the "name" part of an authentication
       user name of the form "name@domain".

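   The STUN Binding exchange that the Remote SIP Connectivity items above
   refer to, shown from both sides as an added example. This is illustrative
   Python written for this notice, not Ingate's STUN server code; the client
   socket 192.168.1.20:5060 and the post-NAT source 203.0.113.7:40123 are
   constructed values, and the message and attribute layout follows RFC 3489.

```python
"""RFC 3489 STUN Binding Request / Binding Response, both sides, as an added
illustration. Not Ingate code. All addresses and ports are constructed: the
client's own socket is 192.168.1.20:5060, and the STUN server is assumed to see
the request arrive from 203.0.113.7:40123 after the remote NAT rewrote it."""
import os
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001      # attribute carrying the client's public address
FAMILY_IPV4 = 0x01

def build_binding_request(transaction_id=None):
    """Client side: 20-byte header, no attributes. The 128-bit transaction ID
    is random so the client can tie a response back to its own request."""
    tid = transaction_id or os.urandom(16)
    return struct.pack("!HH16s", BINDING_REQUEST, 0, tid)

def parse_header(data):
    """Split a STUN datagram into (message type, transaction ID, attribute bytes)."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, length, tid = struct.unpack("!HH16s", data[:20])
    if len(data) != 20 + length:       # the length field counts attributes only
        raise ValueError("length field does not match datagram size")
    return mtype, tid, data[20:]

def _ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def _bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_binding_response(tid, src_ip, src_port):
    """Server side: echo the transaction ID and report the source address the
    request arrived from in a MAPPED-ADDRESS attribute (pad, family, port, IPv4)."""
    value = struct.pack("!BBH4s", 0, FAMILY_IPV4, src_port, _ip_to_bytes(src_ip))
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attr), tid) + attr

def iter_attributes(body):
    """Yield (type, value) for each TLV attribute; values are 32-bit aligned."""
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        yield atype, value
        offset += 4 + ((alen + 3) & ~3)

def client_mapped_address(response, expected_tid):
    """Client side: accept only a Binding Response carrying our transaction ID,
    so a stray or forged datagram cannot plant a bogus public address."""
    mtype, tid, body = parse_header(response)
    if mtype != BINDING_RESPONSE or tid != expected_tid:
        raise ValueError("not the Binding Response to our request")
    for atype, value in iter_attributes(body):
        if atype == MAPPED_ADDRESS:
            _pad, family, port, addr = struct.unpack("!BBH4s", value)
            if family != FAMILY_IPV4:
                raise ValueError("unsupported address family")
            return _bytes_to_ip(addr), port
    raise ValueError("no MAPPED-ADDRESS in response")

def demo():
    """Run the exchange in-process and report whether the client is behind a NAT."""
    local = ("192.168.1.20", 5060)            # constructed: client's own socket
    seen_by_server = ("203.0.113.7", 40123)   # constructed: post-NAT source
    request = build_binding_request()
    mtype, tid, _ = parse_header(request)     # the server parses the request
    assert mtype == BINDING_REQUEST
    response = build_binding_response(tid, *seen_by_server)
    mapped = client_mapped_address(response, tid)
    return mapped, mapped != local

if __name__ == "__main__":
    print(demo())   # → (('203.0.113.7', 40123), True)
```

   The client learns its public address only from a response whose
   transaction ID matches the request it sent; a mapped address that differs
   from the local socket is what tells a SIP client it sits behind a NAT.
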
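   The two Digest authentication forms named in the list above (the RFC 2617
   form that is the default and the RFC 2069 form that the new option allows)
   and the loose username check, worked through as a registrar would verify
   them. This is an added example in Python, not Ingate's SIP module; the
   user "alice", the password, realm and nonces are constructed sample values,
   and the Registrar class and its option names are assumptions made for the
   illustration.

```python
"""Digest authentication as a SIP registrar checks it: the RFC 2617 form
(qop=auth, with cnonce and nonce-count) beside the older RFC 2069 form (no
qop), plus a "loose username" lookup that accepts "name" for a user sent as
"name@domain". Added example, not Ingate code; all credentials are constructed."""
import hashlib
import secrets

def _md5(s: str) -> str:
    # MD5 is the hash the Digest scheme itself specifies.
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, nonce, method, uri,
                    qop=None, nc=None, cnonce=None):
    """Client-side 'response' value. qop=None gives the RFC 2069 form;
    qop='auth' gives the RFC 2617 form, which also binds nc and cnonce."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Registrar:
    """Hypothetical registrar holding a username -> password table."""

    def __init__(self, credentials, realm, allow_rfc2069=False, loose_username=False):
        self.credentials = credentials
        self.realm = realm
        self.allow_rfc2069 = allow_rfc2069      # the new option, off by default
        self.loose_username = loose_username    # the loose username check
        self._last_nc = {}                      # nonce -> highest nc accepted

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self._last_nc[nonce] = 0
        return nonce

    def _lookup(self, username):
        # Loose check: "alice@example.invalid" is looked up as "alice".
        if self.loose_username and "@" in username:
            username = username.split("@", 1)[0]
        return self.credentials.get(username)

    def verify(self, method, params):
        """params: the Authorization header fields as a dict (username, realm,
        nonce, uri, response and, for RFC 2617, qop, nc, cnonce)."""
        if params.get("realm") != self.realm:
            return False
        nonce = params.get("nonce")
        if nonce not in self._last_nc:
            return False                        # unknown or stale nonce
        password = self._lookup(params.get("username", ""))
        if password is None:
            return False
        qop = params.get("qop")
        if qop is None:
            if not self.allow_rfc2069:
                return False
            expected = digest_response(params["username"], self.realm, password,
                                       nonce, method, params.get("uri", ""))
        elif qop == "auth":
            try:
                nc_hex, cnonce = params["nc"], params["cnonce"]
                nc_value = int(nc_hex, 16)
            except (KeyError, ValueError):
                return False
            # Replay check is only possible with RFC 2617: nc must grow per nonce.
            if nc_value <= self._last_nc[nonce]:
                return False
            expected = digest_response(params["username"], self.realm, password,
                                       nonce, method, params.get("uri", ""),
                                       qop, nc_hex, cnonce)
        else:
            return False
        if not secrets.compare_digest(expected, params.get("response", "")):
            return False
        if qop == "auth":
            self._last_nc[nonce] = nc_value
        return True

def demo():
    """RFC 2617 accepted once, its replay refused, RFC 2069 refused by default."""
    reg = Registrar({"alice": "s3cret"}, "sip.example.invalid", loose_username=True)
    nonce, cnonce = reg.new_nonce(), secrets.token_hex(8)
    base = {"username": "alice@sip.example.invalid", "realm": reg.realm,
            "nonce": nonce, "uri": "sip:sip.example.invalid"}
    modern = dict(base, qop="auth", nc="00000001", cnonce=cnonce)
    modern["response"] = digest_response(modern["username"], reg.realm, "s3cret",
                                         nonce, "REGISTER", base["uri"],
                                         "auth", "00000001", cnonce)
    first = reg.verify("REGISTER", modern)
    replay = reg.verify("REGISTER", modern)     # same nonce and nc again
    legacy = dict(base)
    legacy["response"] = digest_response(base["username"], reg.realm, "s3cret",
                                         nonce, "REGISTER", base["uri"])
    return first, replay, legacy and reg.verify("REGISTER", legacy)

if __name__ == "__main__":
    print(demo())   # → (True, False, False)
```

   The nonce-count that only the RFC 2617 form carries is what lets the
   registrar refuse a replayed Authorization header; the RFC 2069 form has no
   such field, which is why it is an option rather than the default.
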
   Fixed SIP-related problems

     * Static forwarding did not follow "Default policy for requests"; even
       though the policy was set to "reject all", the SIP module forwarded
       messages. [Tracking ID: 1047]
     * Specifying networks with disabled interfaces on a DMZ SIParator.
       [Tracking ID: 1128]
       DMZ SIParators had a problem with specifying networks with disabled
       interfaces on the surroundings page. Doing so should normally cause
       the SIParator to ignore that network, but due to a bug it ignored the
       specified interface instead. This only affected uses of networks on
       the surroundings page.
     * Compilot-initiated calls could cause the SIP module to crash.
       [Tracking ID: 1344]

   Fixed VPN-related problems

     * Traceback when removing a non-existent blacklisting. [Tracking ID:
       982]
     * Removing a CRL file no longer requires a reboot. [Tracking ID: 1024]
     * Enabling IPsec no longer allocates the IKE ports on all interfaces.
       [Tracking ID: 1029]
       This makes it possible to have UDP relays forwarding IPsec NAT-T
       traffic even when IPsec is used.
     * Changing preshared secret for an IPsec peer having several tunneled
       networks would cause all tunnels to be brought down but only one of
       them to be brought up again. [Tracking ID: 1266]
     * The maximum number of IKE payloads extended to 800 (previously 20).
       [Tracking ID: 1288]

   Other fixed problems

     * The information in the NAT tables on the interface pages is no longer
       lost when a new NIC is added/installed. [Tracking ID: 17]
     * SNMP authentication no longer accepts an empty community field.
       [Tracking ID: 739]
     * Only the selected configuration ports are allocated. Previously, ports
       80 and 443 were both allocated for the configuration IP address.
       [Tracking ID: 829]
     * PPPoE can now use LCP echo requests to detect peer presence. [Tracking
       ID: 1182]

   Known problems

   Known VPN-related problems

   These problems are only relevant if the optional VPN module is installed.

     * Packets with a destination address that belongs to either end of a
       tunnel will appear to be encrypted in the log, even when they should
       not be encrypted. This is a problem with the log only. [Tracking ID:
       46]
     * The local endpoint must be chosen so that it is the address closest to
       the next-hop router for that peer. This means that mobile clients must
       always connect via the same interface (typically the interface
       connected to the Internet). [Tracking ID: 508]
     * Running PPTP inside an IPsec tunnel where both tunnels share an Ingate
       Firewall(R) as endpoint may fail when a PPTP client leases an IP
       address of the IPsec tunnel. Always activate or configure the IPsec
       tunnel prior to the PPTP server. [Tracking ID: 984]

   Known SIP-related problems

   These problems are only relevant if the SIP module is enabled.

     * If you change the maximum number of users or registrations, the new
       settings won't be active until the SIP module has been restarted.
       [Tracking ID: 53]
     * If SIP over TLS is used, the SIP module may under some circumstances
       block while it waits for a response from the remote SIP client or SIP
       server. Until this is fixed, there is a risk that enabling TLS for SIP
       opens up the SIP module for a denial-of-service attack. [Tracking ID:
       665]
     * Instant Messaging using Microsoft Windows Messenger 5.0 when
       registered on an Ingate Firewall/SIParator does not work using UDP or
       TCP. If TLS is used it does work. [Tracking ID: 924]
     * The SIP module may block while it waits for RADIUS authentication.
       This effectively means that only RADIUS servers located on a LAN
       should be used. Additionally the RADIUS server should not enable any
       brute force attack prevention mechanism that delays the response in
       case of a faulty username-password combination. [Tracking ID: 1425]

   Known Failover-related problems

   This problem is only relevant if failover is used.

     * Upgrading a failover team is a complex operation. To upgrade it, you
       must break the team and upgrade each machine in turn. This will
       require a number of reboots and network outages. See the separate
       failover upgrade document which is available on the upgrade web.
       [Tracking ID: 499]

References

   1. http://www.ingate.com/upgrades.php
