************************************************************
*                                                          *
*                                                          *
*                  Netlock Release Notes                   *
*                                                          *
*                   Copyright 1994-2002                    *
*                            by                            *
*                Netlock Technologies, Inc.                *
*          Unpublished work. All rights reserved.          *
*                                                          *
*                Netlock Technologies, Inc.                *
*                   3230 E. Imperial Hwy                   *
*                        Suite 250                         *
*              Brea, California 92821 U.S.A.               *
*                                                          *
*               Web: http://www.netlock.com/               *
*                                                          *
************************************************************

************************************************************
This product contains the following:

Contains SSH IPSEC technology (pat. pending).
SSH is a registered trademark of SSH Communications Security Ltd.
(http://www.ssh.fi)

************************************************************
*                                                          *
*               AIX 4.2 / 4.3 Release Notes                *
*                                                          *
************************************************************

*==========================================================*
*                     Compatibilities                      *
*==========================================================*

1) Contivity VPN Client products require AIX 4.2 (minimum version
   of 4.2.1.0.06 is required)* or 4.3.

   * The minimum version for AIX is 4.2.1.0.06. The Client will not
     work on version 4.2.1. To upgrade from version 4.2.1 to version
     4.2.1.0.06, download and install the 15 required patches from
     IBM's website located at
     http://techsupport.services.ibm.com/rs6k/ml.fixes.html

2) Currently supports TCP/IP protocols only.

*==========================================================*
*                       Installation                       *
*==========================================================*

1) INSTALLATION:

   A web browser must be present on the host computer to access the
   online help facility. The Netlock Contivity VPN Client prefers
   Netscape. If a browser is installed after the Netlock Contivity
   VPN Client, then make sure that somewhere in the standard command
   path there exists a file called "netscape" which calls or points
   to the installed browser.
   For example, if Netscape is installed at "/opt/NSCPcom/netscape",
   then create a symbolic link called "/usr/bin/netscape", or change
   your command path to include "/opt/NSCPcom".

   Netlock is shipped on a multi-platform CD-ROM. Use SMIT to mount
   the CD, then install the Agent by providing the full pathname to
   the AIX package on the CD. Assuming the CD was mounted at mount
   point "/cdrom", the full path to the AIX package would be
   "/cdrom/aix/nleac". The Contivity VPN package is called "nleac".

*==========================================================*
*                      Configuration                       *
*==========================================================*

1) For the Netlock Contivity VPN Client to run properly, AIX systems
   need to have the "udp_pmtu_discover" and "tcp_pmtu_discover"
   options set to 0.

   - To set the changes at boot time, edit the file /etc/rc.net.

   - Locate the section beginning with "if [ -f /usr/sbin/no ]" and
     ending with "fi".

   - Add the following 2 lines to this section:

         /usr/sbin/no -o tcp_pmtu_discover=0
         /usr/sbin/no -o udp_pmtu_discover=0

   - This section should now look something like the following:

         if [ -f /usr/sbin/no ] ; then
             ...
             ...
             /usr/sbin/no -o tcp_pmtu_discover=0
             /usr/sbin/no -o udp_pmtu_discover=0
             ...
             ...
         fi

   - Reboot the system for the settings to take effect.

   - The command "no -a" will allow you to check the settings on the
     system to see if the tcp_pmtu_discover and udp_pmtu_discover
     options have been properly set.
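   Added example (not part of the original release notes and not
   Netlock code): a shell check for the two settings in Configuration
   item 1, covering both the running values and the /etc/rc.net
   entries. It assumes "no -a" prints one "name = value" pair per
   line; the function names and the sample values are constructed
   for illustration.

```shell
#!/bin/sh
# Added example (not Netlock's code): audit the PMTU discovery settings.
# Assumption: "no -a" prints one "name = value" pair per line.

# check_pmtu: reads "no -a" style text on stdin, prints a verdict per
# option, and returns 0 only when both options are present and set to 0.
check_pmtu() {
    awk '
        BEGIN { want["tcp_pmtu_discover"] = 1; want["udp_pmtu_discover"] = 1 }
        {
            if (split($0, kv, "=") != 2) next
            name = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
            if (name in want) seen[name] = val
        }
        END {
            bad = 0
            for (name in want) {
                if (!(name in seen)) { print "MISSING " name; bad = 1 }
                else if (seen[name] != "0") { print "WRONG   " name " = " seen[name]; bad = 1 }
                else print "OK      " name " = 0"
            }
            exit bad
        }'
}

# rcnet_persists FILE: returns 0 only if FILE sets both options to 0 on
# an uncommented line, so the values survive the next reboot.
rcnet_persists() {
    for opt in tcp_pmtu_discover udp_pmtu_discover; do
        grep -Eq "^[[:space:]]*/usr/sbin/no[[:space:]]+-o[[:space:]]+${opt}=0([[:space:]]|\$)" "$1" || return 1
    done
    return 0
}

# Constructed sample of "no -a" output (not captured from a real host).
sample_no_output() {
    cat <<'EOF'
                 thewall = 16384
                  sb_max = 65536
       tcp_pmtu_discover = 0
       udp_pmtu_discover = 1
EOF
}

# On the AIX host itself: no -a | check_pmtu && rcnet_persists /etc/rc.net
if sample_no_output | check_pmtu; then echo "compliant"; else echo "not compliant"; fi
```
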
2) For users of AIX version 4.2, please ensure that your system is
   up to the following software version levels:

   bos
       4.2.1.18   Base TTY Support and Commands
       4.2.1.7    Error Log Service Aids
       4.2.1.8    LPP Install Commands
       4.2.1.20   libc Library

   bos.adt
       4.2.1.22   Base Application Development Include Files
       4.2.1.15   Base Profiling Support
       4.2.1.5    System Calls Application Development Toolkit

   bos.mp
       4.2.1.28   Base Operating System Multiprocessor Runtime

   bos.net
       4.2.1.4    Network Information Service Client
       4.2.1.4    Network Information Service Server
       4.2.1.26   TCP/IP Client Support

   bos.sysmgt
       4.2.1.9    Software Error Logging and Dump Service Aids
       4.2.1.3    Software Trace Service Aids

   bos.up
       4.2.1.28   Base Operating System Uniprocessor Runtime

   devices.common.IBM.atm
       4.2.1.16   Common ATM Software

   devices.common.IBM.ethernet
       4.2.1.4    Common Ethernet Software

   devices.common.IBM.fcs
       4.2.1.6    Common FCS Software

   devices.common.IBM.fddi
       4.2.1.3    Common FDDI Software

   devices.mca.8fc8
       4.2.1.4    Common Token Ring Software

   perfagent
       2.2.1.4    Local Performance Analysis & Control Commands

*==========================================================*
*                      Known Problems                      *
*==========================================================*

None.

Remove Other VPN Products before Installing the Contivity VPN Client

   - Please remove any previously installed VPN products before
     attempting to use the Contivity VPN Client. Otherwise, a
     conflict may occur, preventing the Contivity VPN Client from
     operating properly.

Destination Address Format

   - When you enter a destination address in the Contivity VPN
     Client Connection window, you must enter it in dotted decimal
     format (e.g., 2.3.4.5). Do not use machine names.

Improperly Configured Personal Firewall Products May Block Contivity
VPN Client Communications

   - If you have a personal firewall product installed on your
     computer and have problems connecting with the Contivity VPN
     Client, please verify that your firewall product is configured
     to allow inbound and outbound UDP port 500, IP Protocol 50, and
     IP Protocol 51 packets to the Destination Address(es) used in
     your Contivity VPN Client Connection window. If problems
     persist, your personal firewall product may be in conflict with
     the Contivity VPN Client; remove the personal firewall product.

Using the Contivity VPN Client When a Proxy Server is Enabled for
the Browser

   - The Contivity VPN Client uses a web browser interface. You must
     configure your web browser to talk directly to the internal
     Contivity VPN Client, bypassing the proxy.

   Changing proxy settings on Mac OS X:

   - The proxy settings are changed in the Mac OS System Preferences
     -> Network panel. See the Mac OS X ReadMe notes for additional
     information.

   Changing proxy settings on other operating systems:

   - For Internet Explorer: In the Edit menu, choose Preferences...
     In the left pane of the Preferences window, click
     Network -> Proxies. In the bottom right, under "List the sites
     you want to connect to directly...", add the value 127.0.0.1
     and click the OK button.

   - For Netscape: In the Edit menu, choose Preferences... In the
     left pane of the Preferences window, click Advanced -> Proxies.
     Assuming that you are using Manual Proxies, click the
     Configure... button. In the "No proxy for:" field, add the
     value 127.0.0.1 and click the OK button. Click OK in the
     Preferences window.

Traceroute Will Yield Unpredictable Results When Connected

   - Traceroute utilities will yield unpredictable and/or erroneous
     results when you have an established connection with the
     Contivity VPN Client. This is a normal side effect of tunneled
     communications with a virtual internal address. Traceroute does
     not make sense in this context.

Client Will Not Establish Tunnel Without a Valid Default Route

   - You must have a valid default route to establish a VPN tunnel
     using the Contivity VPN Client. The Contivity VPN Client checks
     for a valid router (gateway), and will not negotiate a tunnel
     unless a valid default route exists. Because the client checks
     for a valid default route, you cannot establish tunnels when
     the client computer is connected directly to the Contivity
     Extranet Switch using a crossover Ethernet cable, for example.
     If you are using DHCP, you must ensure that the DHCP server
     provides a valid default route to your client computer.