************************************************************
*                                                          *
*                  Netlock Release Notes                   *
*                                                          *
*                  Copyright 1994-2003                     *
*                          by                              *
*                     Apani Networks                       *
*         Unpublished work. All rights reserved.           *
*                                                          *
*                     Apani Networks                       *
*                  3230 E. Imperial Hwy                    *
*                       Suite 250                          *
*             Brea, California 92821 U.S.A.                *
*                                                          *
*               Web: http://www.apani.com/                 *
*                                                          *
************************************************************

************************************************************
This product contains the following:

   Contains SSH IPSEC technology (pat. pending).
   SSH is a registered trademark of SSH Communications
   Security Ltd. (http://www.ssh.fi)
************************************************************

************************************************************
*                                                          *
*                   Linux Release Notes                    *
*                                                          *
************************************************************

*==========================================================*
*                     Compatibilities                      *
*==========================================================*

1) Contivity VPN Client products require the Linux-2.2.x kernel
   or the Linux-2.4.x kernel. Kernel versions 2.4.21 and beyond
   are not supported.
2) Currently supports TCP/IP protocols only.
3) Only Intel x86 or compatible processors are supported.
4) The kernel must have netfiltering enabled.

PACKAGES NEEDED PRIOR TO INSTALLATION OF VPN CLIENT

1) Development packages need to be installed prior to installing
   the Netlock Contivity VPN Client. These include the following
   RPM files (make, glibc and egcs) in addition to any dependencies
   that are required. These packages are usually already installed
   on Linux operating systems under normal circumstances.
2) The kernel-headers-2.2.x package is needed if installing on a
   system using the 2.2.x kernel. The kernel-headers-2.4.x package
   is needed for a 2.4 kernel. If there is no such package, the
   kernel-source-2.4.x package must be used.
3) If RedHat 7.0 is being used, the kernel-source-2.2.x package
   needs to be installed.

CONTIVITY VPN CLIENT FILES

Choose the appropriate installation file for your Linux distribution.
   cvc_linux-rh-gcc3-[version].tar.gz
      - RedHat Linux with gcc version 3.x, including RedHat
        versions 8 and 9
   cvc_linux-suse-gcc3-[version].tar.gz
      - SuSE Linux with gcc version 3.x (tested up to SuSE 8.2)
   cvc_linux-gcc2-[version].tar.gz
      - Standard Linux distribution (older releases with gcc
        version 2.x)

ACCESSING HELP AND THE LOG FILE USING MOZILLA

The Mozilla browser prevents links in a web page that was "served"
from a web server from accessing local files, which is a necessary
security feature. However, this prevents the user from accessing
help and viewing the log file for the Client when Mozilla is the
browser in use.

To view help for the Client, either:

1) Type the following address in the browser:
      file:///etc/netlock/help/contents.html
2) Select the file using the File - Open File menu option:
   a) Select the Open File option from the File menu.
   b) Navigate to /etc/netlock/help.
   c) Select the contents.htm file.
   d) Click the Open button.

To view the log file for the Client, either:

1) Type the following address in the browser:
      file:///etc/netlock/agentlog.txt
2) Select the file using the File - Open File menu option:
   a) Select the Open File option from the File menu.
   b) Navigate to /etc/netlock.
   c) Select the agentlog.txt file.
      Note: You may have to change the "Files of type" option to
      "Text Files" in order to see the file.
   d) Click the Open button.

*==========================================================*
*                       Installation                       *
*==========================================================*

1) A web browser must be present on the host computer to use the
   Contivity VPN Client. The client prefers Netscape, but will also
   use Mozilla. If a browser is installed after the client, or if
   Netscape is not installed but some other browser is, make sure
   that somewhere in the standard command path there exists a file
   called "netscape" which calls or points to the installed browser.
   For example, if Netscape is not installed but Mozilla is, and
   Mozilla is installed at "/usr/bin/mozilla", create a symbolic
   link called "/usr/bin/netscape" using the following commands:

      cd /usr/bin
      ln -s mozilla netscape

   The Contivity VPN Client for Linux is shipped on a multi-platform
   CD-ROM. Use the mount command to mount the CD, then install the
   Agent with the RedHat Package Manager tool. Assuming the CD was
   mounted at mount point "/cdrom", the full path to the Linux
   package would be "/cdrom/linux".

   If you have the RPM package, use the following command to rebuild
   the client on the host that you intend to install on:

   For RedHat with gcc version 3.x (RedHat 8 and 9):
      # rpmbuild --rebuild /cvc_linux-rh-gcc3-[version]-0.src.rpm

   For SuSE with gcc 3.x:
      # rpm --rebuild /cvc_linux-suse-gcc3-[version]-0.src.rpm

   For RedHat version 7.x and other older Linux distributions with
   gcc version 2.x:
      # rpm --rebuild /cvc_linux-gcc2-[version]-0.src.rpm

   This command will rebuild the Client and typically place the
   binary package in the /usr/src//RPMS/i386/ directory, where is
   either RedHat or cvc_linux-3.0.tar.gz. Some systems place the
   binary package in a different directory. To confirm the path
   where the binary package is located, check the "WROTE:" line
   displayed on the screen after the package has been rebuilt.

   If you have the TAR distribution, use the following commands to
   rebuild the client on the host that you intend to install on:

   For RedHat with gcc version 3.x (RedHat 8 and 9):
      # tar xvf /cvc_linux-rh-gcc3-[version].tar
      # cd cvc_linux-rh-gcc3-[version]
      # make all

   For SuSE with gcc version 3.x (SuSE 8.2):
      # tar xvf /cvc_linux-suse-gcc3-[version].tar
      # cd cvc_linux-suse-gcc3-[version]
      # make all

   For RedHat version 7.x and other older Linux distributions with
   gcc version 2.x:
      # tar xvf /cvc_linux-gcc2-[version].tar
      # cd cvc_linux-[version]
      # make all

3a) To install the package, use the following command:

   1.
      For RPM distribution:
      (The path depends on where the package was placed during the
      rebuild step above.)

      For RedHat with gcc version 3.x (RedHat 8 and 9):
         # rpm -i /usr/src//RPMS/i386/cvc_linux-rh-gcc3-[version]-0.i386.rpm

      For SuSE with gcc version 3.x (SuSE 8.2):
         # rpm -i /usr/src//RPMS/i386/cvc_linux-suse-gcc3-[version]-0.i386.rpm

      For RedHat version 7.x and other older Linux distributions
      with gcc version 2.x:
         # rpm -i /usr/src//RPMS/i386/cvc_linux-gcc2-[version]-0.i386.rpm

   2. For TAR distribution:
         # make install

3b) To upgrade the VPN client, use the following command:

   1. For RPM distribution:
      (Note: This command only works for upgrading VPN client
      version 1.2b3 and up. If you have version 1.2b2 or earlier,
      you will need to uninstall the current client first, and then
      install the new version.)
      (The path depends on where the package has been placed.)

      For RedHat with gcc version 3.x (RedHat 8 and 9):
         # rpm -U /usr/src//RPMS/i386/cvc_linux-rh-gcc3-[version]-0.i386.rpm

      For SuSE with gcc version 3.x (SuSE 8.2):
         # rpm -U /usr/src//RPMS/i386/cvc_linux-suse-gcc3-[version]-0.i386.rpm

      For RedHat version 7.x and other older Linux distributions
      with gcc version 2.x:
         # rpm -U /usr/src//RPMS/i386/cvc_linux-gcc2-[version]-0.i386.rpm

   2. For TAR distribution:
         # make install

4) Log out, then log back in to the host to complete the
   installation.

5) To uninstall the package, use the following command:

   1. For RPM distribution:

      For RedHat with gcc version 3.x (RedHat 8 and 9):
         # rpm -e cvc_linux-rh-gcc3

      For SuSE with gcc version 3.x (SuSE 8.2):
         # rpm -e cvc_linux-suse-gcc3

      For RedHat version 7.x and other older Linux distributions
      with gcc version 2.x:
         # rpm -e cvc_linux-gcc2

   2. For TAR distribution:
         # make uninstall

   Then log out and log back in to the host to complete the
   uninstallation.

*==========================================================*
*                      Configuration                       *
*==========================================================*

RUNNING THE NETLOCK CONTIVITY VPN CLIENT

1.
   A folder called Netlock will be created in the menu for the KDE
   and GNOME GUIs. The Contivity Client can then be started from
   this folder.

   IMPORTANT NOTE: On RedHat 8 and later, there is no Netlock folder
   on the menus. The menu items for the Client are located in the
   Extras->Other menu.

2. For GUIs other than KDE and GNOME, the Contivity VPN Client can
   be started manually from a terminal or console window by typing
   the following command: "start_cvc".

3. The Contivity Client can also be launched by typing the following
   address in the browser: "http://127.0.0.1:9161".

4. You can create a "launcher" on your desktop by selecting "New
   Launcher" from your desktop menu, then entering:

      mozilla 127.0.0.1:9161

   (or the appropriate browser command).

SYSTEMS USING IPCHAINS TO FILTER

If ipchains is being used as a firewall, port 500 (ISAKMP) must be
allowed to pass through in order for the Contivity Client to work
properly. To do this, edit the /etc/sysconfig/ipchains file and
insert the following 2 lines at the beginning of the section:

   ipchains -A input -p udp -s 0/0 500 -d 0/0 500 -j ACCEPT
   ipchains -A output -p udp -s 0/0 500 -d 0/0 500 -j ACCEPT

*==========================================================*
*                   Issues & Information                   *
*==========================================================*

"Netlock" FOLDER NOT AVAILABLE FOR REDHAT 8.x AND ABOVE

The Netlock folder menu item is not available on RedHat systems
version 8.x and above. See "RUNNING THE NETLOCK CONTIVITY VPN
CLIENT" in the Configuration section above for alternate ways to
launch the client user interface.

Remove Other VPN Products before Installing the Contivity VPN Client
- Please remove any previously installed VPN products before
  attempting to use the Contivity VPN Client. Otherwise, a conflict
  may occur, preventing the Contivity VPN Client from operating
  properly.
Destination Address Format
- When you enter a destination address in the Contivity VPN Client
  Connection window, you must enter it in dotted decimal format
  (e.g., 2.3.4.5).
- If desired, you can use machine (DNS) names instead.

Improperly Configured Personal Firewall Products May Block Contivity
VPN Client Communications
- If you have a personal firewall product installed on your computer
  and have problems connecting with the Contivity VPN Client, please
  verify that your firewall product is configured to allow inbound
  and outbound UDP port 500, IP Protocol 50, and IP Protocol 51
  packets to the Destination Address(es) used in your Contivity VPN
  Client Connection window. If problems persist, your personal
  firewall product may be in conflict with the Contivity VPN Client;
  remove the personal firewall product.

Using the Contivity VPN Client When a Proxy Server is Enabled for
the Browser
- The Contivity VPN Client uses a web browser interface. You must
  configure your web browser to talk directly to the internal
  Contivity VPN Client, bypassing the proxy.

  Changing proxy settings on Mac OS X:
  - The proxy settings are changed in the Mac OS System
    Preferences -> Network panel. See the Mac OS X ReadMe notes for
    additional information.

  Changing proxy settings on other operating systems:
  - For Internet Explorer: In the Edit menu, choose Preferences...
    In the left pane of the Preferences window, click
    Network->Proxies. In the bottom right, under "List the sites
    you want to connect to directly...", add the value 127.0.0.1
    and click the OK button.
  - For Netscape: In the Edit menu, choose Preferences... In the
    left pane of the Preferences window, click Advanced -> Proxies.
    Assuming that you are using Manual Proxies, click the
    Configure... button. In the "No proxy for:" field, add the
    value 127.0.0.1 and click the OK button. Click OK in the
    Preferences window.
Traceroute Will Yield Unpredictable Results When Connected
- Traceroute utilities will yield unpredictable and/or erroneous
  results when you have an established connection with the
  Contivity VPN Client. This is a normal side effect of tunneled
  communications with a virtual internal address. Traceroute does
  not make sense in this context.

Client Will Not Establish Tunnel Without a Valid Default Route
- You must have a valid default route to establish a VPN tunnel
  using the Contivity VPN Client. The Contivity VPN Client checks
  for a valid router (gateway), and will not negotiate a tunnel
  unless a valid default route exists. Because the client checks
  for a valid default route, you cannot establish tunnels when the
  client computer is connected directly to the Contivity Extranet
  Switch using a crossover Ethernet cable, for example. If you are
  using DHCP, you must ensure that the DHCP server provides a valid
  default route to your client computer.
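The following pre-flight script is an added example, not part of these release notes or the Apani package. It checks the prerequisites stated above before an installation is attempted: the kernel version rule from the Compatibilities section, the "netscape" command the Installation section requires, and the two ipchains ISAKMP pass rules from the Configuration section. The function names, the "--run" flag, and the acceptance of bare "-A" lines without the "ipchains" prefix are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for the Contivity VPN Client prerequisites stated in
# these notes (added example, not part of Apani's package). Inputs are
# passed as arguments so the checks can be run against constructed values.

# Kernel must be 2.2.x or 2.4.x; 2.4.21 and later are not supported.
kernel_supported() {
    ver=${1%%-*}                        # drop "-8"/"-smp" style suffixes
    maj=${ver%%.*}; rest=${ver#*.}; min=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;   # "20pre3" -> "20"
        *)   patch=0 ;;
    esac
    [ "$maj" = 2 ] || return 1
    case "$min" in
        2) return 0 ;;
        4) [ "${patch:-0}" -lt 21 ] ;;
        *) return 1 ;;
    esac
}

# Does rules file $2 accept UDP port 500 (ISAKMP) on chain $1 (input|output)?
# Accepts the "ipchains -A ..." lines from these notes or bare "-A ..." lines
# (assumption); commented-out lines do not count.
has_isakmp_rule() {
    grep -E "^[[:space:]]*(ipchains[[:space:]]+)?-A[[:space:]]+$1[[:space:]].*-p[[:space:]]+udp.*[[:space:]]500([[:space:]]|$).*-j[[:space:]]+ACCEPT" "$2" >/dev/null 2>&1
}

# Print each missing input/output ISAKMP rule for file $1; return the count.
check_isakmp_rules() {
    missing=0
    for chain in input output; do
        has_isakmp_rule "$chain" "$1" && continue
        echo "missing: ipchains -A $chain -p udp -s 0/0 500 -d 0/0 500 -j ACCEPT"
        missing=$((missing + 1))
    done
    return "$missing"
}

# Run all checks against the live system when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    kernel_supported "$(uname -r)" || echo "unsupported kernel: $(uname -r)"
    command -v netscape >/dev/null 2>&1 || echo "no 'netscape' command in PATH"
    [ -f /etc/sysconfig/ipchains ] && check_isakmp_rules /etc/sysconfig/ipchains
fi
```

A non-zero return from check_isakmp_rules is the number of chains still missing the rule, so it can be used directly as an exit status in an install script.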