These release notes are for OpenROUTE 5.6 and OpenROUTE 5.6.1 software. They cover the following topics:
New Software Features
Known Deficiencies, Limitations, and/or Clarifications
New Software Features
This section introduces new software features in OpenROUTE 5.6 and OpenROUTE 5.6.1. We identify the features introduced in release 5.6.1. All other information pertains to both 5.6 and 5.6.1.
Added IP Routing Based on Packet Tags (Policy Routing)
Nx Networks routers can route IP traffic based on proprietary Nx Networks packet tags. This feature is called Policy Routing. Routing of IP traffic is normally based on the destination IP address in the packet. Policy routing increases your control by allowing routers to route traffic based on an Nx Networks packet tag. Because these tags are proprietary to our routers, routing protocols that are based on IP addresses (such as RIP, OSPF, BGP) do not propagate them. The tag is an internal attribute of the packet and it never leaves the router.
The user documentation (Using Policy Routing) provides additional information.
Added IP Filter Parameters
IP filter has three new parameters, which allow you to fine-tune handling of IP traffic. The new parameters are DFbit, issize, and istod. DFbit provides a means of editing the Don't Fragment bit in an IP packet. The other two parameters are recognizers for packet size (issize) and the time of day when the packet was sent (istod).
The user documentation (Using Dynamic IP Filters) provides additional information.
Added PPP over Ethernet Interface
The new PPP over Ethernet Interface (PPPoE) allows an Nx Networks router to connect a network of hosts to a remote access concentrator (AC) on a third-party PPPoE server. Each network host uses its own PPP stack, which permits network administrators to manage access control, accounting, and service functions for individual hosts or groups of hosts rather than for the entire network.
The user documentation (Using PPP over Ethernet (PPPoE)) provides additional information.
Added Ethernet Quality of Service
The new Ethernet Quality of Service (EQOS) feature enhances the ability of Nx Networks routers to tag IP traffic on Ethernet interfaces with priority and virtual LAN information. Based on the DiffServ Code Point (DSCP) field in the header of an IP packet, Ethernet QOS works together with other QOS features (such as IP filtering and BRS) to support interoperability with 802.1-compliant switches.
Ethernet QOS goes a step further than IP level QOS. Using EQOS, the router can send priority information on an Ethernet interface over media access control (MAC) bridges that have no ability to signal priority information at the MAC protocol level. You can define inbound and outbound mappings between MAC user_priority values and IP DSCP or Precedence values on a per interface basis. Ethernet QOS also supports the full range of VLAN IDs for interoperability with existing 802.1 switches.
The user documentation (Using Ethernet Quality of Service (EQOS) Mapping) provides additional information.
Enhancements to IPSec and Certificate Management
In an IPSec policy, it is now possible to specify a logical IP address that represents the router's interface IP address for traffic affected by a policy. The main use of the logical IP address is as a destination address. Although you can use the logical IP address as a source address, for most situations this is not a useful application. The router interface is the interface to which the profile is attached. You can use this logical address to define a policy to ping or telnet from the router. It is the only way to define such a policy when the IPSec interface learns its IP address dynamically via DHCP or PPP and a specific IP address cannot be known in advance.
Also in IPSec and in Certificate Management, several listings have an improved format. These are the listings from the IPSec show sa, show sa policy, and show sa peer commands. In Certificate Management, the results from the list validity command have an improved format.
The user documentation (Using IPSec and Managing Certificates) provides additional information.
New auto_up Option in an IPSec Policy
OpenROUTE 5.6.1 includes a new auto_up option that you can turn on or off in an IPSec policy. The default is off.
Usually IPSec security associations are not created until application data that matches an IPSec policy is being forwarded through the router. With auto_up enabled, the router periodically looks for IPSec policies that do not have an IPSec security association and automatically initiates the creation of the IPSec security association in the same way as if application data had triggered the creation.
Auto_up considers only IPSec policies attached to router interfaces that meet these two conditions:
Configuring auto_up on the IPSec policies on the branch router solves this problem. With auto_up enabled, the branch router automatically brings up the security associations. When the headquarters router application needs to contact the branch, the security associations are up and ready to go.
Auto-up restrictions for roadwarrior_client and roadwarrior_gateway profiles
Enabling auto_up does nothing for policies in profiles of type roadwarrior_client or roadwarrior_gateway since these are not real policies. They are template policies, and are not in the active outbound security policy database (SPD).
Re-establishing security associations after the headquarters router goes down
Even though the branch router has configured auto-up on its policies, IPSec security associations are terminated when the headquarters router goes down. When the headquarters router comes back up, the branch router must detect that the headquarters router went down and re-establish the IPSec security associations to headquarters. This is not a problem if the branch router initiates the application traffic, but if the headquarters router initiates the application traffic, no IPSec security association can be created.
Configure an IP Config>add ping to generate periodic traffic. The destination that is pinged on the headquarters side should be a destination that always responds to ping and that represents the reachability of the headquarters. The ping destination IP Address of the headquarters router usually works well.
Configure the IPSec security associations on the branch to have a short lifetime, such as 5 minutes, so that they will automatically re-key and re-establish new security associations.
Set policy command syntax with auto_up parameter
You configure the auto_up parameter using the set policy command at the IPSec Config> prompt. The auto_up parameter turns the feature on or off. The default setting is off.
Syntax: set policy profilename.policyname
Example: set policy branch.finance auto_up = On
New information in list policy results
You can determine whether or not the auto_up parameter is set using the list policy command at the IPSec Config> and IPSec> prompt. If auto_up is on, it lists with the policy; otherwise it does not list.
IPSec Config>LIST Policy
Policy -- *=opaque allowed --
Name               Dir    Address                                 Port   Protocol   Action
------------------------------------------------------------------------------
branch.routerapps  both   sa=192.168.3.2                          Any               protect
                          da=myipaddr
                          sa_proposal=default, peer=default, auto_up
Inbound_SPD Policies on Interface 0:
-- *=opaque allowed --
Name               Dir    Address                                 Port   Protocol   Action
------------------------------------------------------------------------------
ipsec.bull         in     sa=192.168.3.2                                            Protect
                          da=192.168.3.3
                          sa_proposal=default, peer=hot, auto_up
Ping commands
add ping
You configure the ping parameters using the add ping command at the IP Config> prompt. You specify the ping's source and destination address and the interval between pings. The ping starts immediately. The ping is not sent if the source address is dynamic and the dynamic IP address of the interface is not available.
Syntax: add ping source destination interval
| Parameter | Description |
| --- | --- |
| source | The source address is an IP address on the router or an IP address behind the router so that the generated ping represents traffic that would normally be forwarded through the router. You can use 0.0.0.interfacenumber as the source address if you want the ping utility to use that interface's IP address. This is useful if the IP address of the interface is dynamically assigned. |
| destination | The destination IP address of the ping. |
| interval | The number of seconds between pings. The default value is 10 seconds. You can change the interval by re-adding the ping with the same source and destination address, but with a different interval. The new entry then replaces the existing entry that has the same source and destination address. |
Example: add ping
Source address, or use 0.0.0.<ifc-number> notation
to dynamically get an interface's IP Address)? 0.0.0.1
Destination address? 128.185.4.5
PING Interval in seconds (1-300) [10]?
delete ping
Syntax: delete ping source destination
The parameters for delete ping are the same as those for add ping. If you wish to delete a ping that has a dynamic source address, you specify the source address exactly as it was specified in the add ping command (0.0.0.interfacenumber). Do not use the dynamically assigned source address that appears in a listing.
list ping
You can list configured ping definitions using the list ping command at the IP Config> prompt. The list all command at the IP Config> prompt also includes this information.
PING             Dynamic
Source Address   Ifc    Dest Address   Interval   --Pkts Sent--
192.168.3.3      0      192.168.3.2    10         6296
128.185.5.7      No     128.185.4.5    10         77
| Column | Description |
| --- | --- |
| Source Address | If the source address is dynamic, this is the actual source address, or src-not-avail when the interface is not up for IP routing and the source address is not available. If the source address is not dynamic, then this is the IP source address as entered in the add ping command. |
| Dynamic Ifc | If the source address is dynamic, this is the interface number. No indicates that the source address is not dynamic. |
| Dest Address | The destination IP address of the ping as entered in the add ping command. |
| Interval | The number of seconds between pings as entered in the add ping command. |
| Pkts Sent | The number of pings sent. |
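The add ping, delete ping and list ping behaviour described above, as an added Python model that is not part of the release notes or the router software: it parses the 0.0.0.<ifc-number> dynamic-source notation, replaces an entry re-added with the same source and destination, suppresses pings while a dynamic source is not available, and builds the list ping rows. The interface table (interface number to IP address) is a constructed stand-in for the router's own, and the clock is simplified to whole intervals.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Dynamic source notation accepted by add ping: 0.0.0.<ifc-number>
DYNAMIC_SRC = re.compile(r"^0\.0\.0\.(\d+)$")


@dataclass
class PingEntry:
    source: str          # exactly as entered: an IP address or 0.0.0.<ifc-number>
    destination: str
    interval: int = 10   # seconds between pings (1-300, default 10)
    pkts_sent: int = 0

    def dynamic_ifc(self) -> Optional[int]:
        """Interface number when the source is dynamic, otherwise None."""
        m = DYNAMIC_SRC.match(self.source)
        return int(m.group(1)) if m else None


class PingTable:
    def __init__(self, interface_addrs: Dict[int, Optional[str]]) -> None:
        # Constructed stand-in for the router's interface table:
        # interface number -> IP address, or None while the interface is
        # not up for IP routing (dynamic address not yet available).
        self.interface_addrs = interface_addrs
        self.entries: List[PingEntry] = []

    def add_ping(self, source: str, destination: str, interval: int = 10) -> PingEntry:
        if not 1 <= interval <= 300:
            raise ValueError("PING interval must be 1-300 seconds")
        # Re-adding the same source/destination pair replaces the old entry.
        self.delete_ping(source, destination)
        entry = PingEntry(source, destination, interval)
        self.entries.append(entry)
        return entry

    def delete_ping(self, source: str, destination: str) -> bool:
        # The source must match what was typed in add ping (0.0.0.<ifc>),
        # not the dynamically assigned address shown by list ping.
        before = len(self.entries)
        self.entries = [e for e in self.entries
                        if not (e.source == source and e.destination == destination)]
        return len(self.entries) != before

    def resolve_source(self, entry: PingEntry) -> str:
        ifc = entry.dynamic_ifc()
        if ifc is None:
            return entry.source
        addr = self.interface_addrs.get(ifc)
        return addr if addr is not None else "src-not-avail"

    def run(self, seconds: int) -> None:
        """Advance a simplified clock and send every ping that falls due."""
        for e in self.entries:
            if self.resolve_source(e) == "src-not-avail":
                continue  # dynamic source not available: the ping is not sent
            e.pkts_sent += seconds // e.interval

    def list_ping(self) -> List[Tuple[str, str, str, int, int]]:
        """Rows of the list ping display: Source, Dynamic Ifc, Dest, Interval, Pkts Sent."""
        rows = []
        for e in self.entries:
            ifc = e.dynamic_ifc()
            rows.append((self.resolve_source(e), str(ifc) if ifc is not None else "No",
                         e.destination, e.interval, e.pkts_sent))
        return rows
```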
Router release 5.6.1 includes a new feature that allows you to configure exceptions to NAT. When you configure a NAT exception on an interface, NAT does not translate packets from the specified remote IP address, instead passing them through unchanged. You can configure one or more exceptions per interface. Use the add exceptions command at the NAT Config> prompt to specify the interface, the remote IP address, and a subnet mask.
Operation and impact on performance
The router checks each configured NAT exception on each packet, in or out, through NAT. If more than one exception is configured, the router checks exceptions in ascending order by remote IP address.
If exceptions are configured, every packet is checked against all exception definitions. Therefore, we recommend that you use the subnet mask to group the exception IP addresses into large subnets, and reduce the number of exception definitions required.
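The NAT exception matching just described, as an added Python model that is not part of the release notes or the router software: entries are kept in ascending order by remote IP address, every packet walks the whole list for its interface, matches bump the Out->In or In->Out usage counters shown at the NAT> prompt, and one wider mask can replace several narrower entries. Interface numbers, addresses and masks are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NatException:
    """One add exceptions entry plus the usage counters shown by NAT> list exceptions."""
    interface: int
    remote_address: str
    subnet_mask: str
    out_to_in: int = 0   # untranslated packets arriving from the outside
    in_to_out: int = 0   # untranslated packets leaving toward the outside

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.remote_address}/{self.subnet_mask}", strict=False)

    def matches(self, remote_ip: str) -> bool:
        return ipaddress.IPv4Address(remote_ip) in self.network()


class NatExceptionTable:
    def __init__(self) -> None:
        self.entries: List[NatException] = []

    def add_exception(self, interface: int, remote_address: str, subnet_mask: str) -> NatException:
        entry = NatException(interface, remote_address, subnet_mask)
        self.entries.append(entry)
        # Exceptions are checked in ascending order by remote IP address.
        self.entries.sort(key=lambda e: (e.interface, int(ipaddress.IPv4Address(e.remote_address))))
        return entry

    def clear_exceptions(self, interface: int) -> None:
        self.entries = [e for e in self.entries if e.interface != interface]

    def zero(self) -> None:
        for e in self.entries:
            e.out_to_in = e.in_to_out = 0

    def packet_bypasses_nat(self, interface: int, src: str, dst: str, direction: str) -> bool:
        """True when the packet goes through NAT untranslated.

        direction is "in" (outside -> inside, the remote host is the source)
        or "out" (inside -> outside, the remote host is the destination).
        Every packet is checked against every exception on its interface,
        which is why fewer, wider entries keep the per-packet cost down.
        """
        remote = src if direction == "in" else dst
        for e in self.entries:
            if e.interface == interface and e.matches(remote):
                if direction == "in":
                    e.out_to_in += 1
                else:
                    e.in_to_out += 1
                return True
        return False

    def list_exceptions(self, interface: int) -> List[Tuple[str, str, int, int]]:
        """Rows of the NAT> list exceptions display: address, mask, Out->In, In->Out."""
        return [(e.remote_address, e.subnet_mask, e.out_to_in, e.in_to_out)
                for e in self.entries if e.interface == interface]
```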
NAT Config commands
add exceptions
You configure NAT exceptions using the add exceptions command at the NAT Config> prompt.
Syntax: add exceptions interface# remote_address subnet_mask
| Parameter | Description |
| --- | --- |
| interface# | The number of the interface on which you are configuring a NAT exception. |
| remote_address | The remote address is an IP address outside of the NAT interface that generates the traffic to be treated as an exception. |
| subnet_mask | The subnet mask for the remote IP address. |
Example: add exceptions
Interface number [1]?
Remote IP Address [0.0.0.0]? 10.5.5.0
Mask [255.255.255.0]?
delete exceptions
Syntax: delete exceptions interface# remote_address subnet_mask
Example: delete exceptions
Interface number [1]?
Remote IP Address [0.0.0.0]? 10.5.5.0
Mask [255.255.255.0]?
list exceptions
Interface number [0]?
Exceptions on interface 0:
Remote Address   Mask
10.5.5.0         255.255.255.0
list all
The list all command at the NAT Config> prompt includes the list exceptions display described above.
clear exceptions
To delete all exceptions for an interface, use the clear exceptions command at the NAT Config> prompt.
Interface number [1]?
NAT> prompt. When you enter these commands at the NAT Config> prompt, they affect the permanent configuration. When you enter these commands at the NAT> prompt, they affect the run-time configuration rather than the permanent configuration.
add/delete exceptions
These two commands are the same as those described in add exceptions and delete exceptions for the NAT Config> prompt.
list exceptions
This command is similar to list exceptions at the NAT Config> prompt, except that the listing includes additional information on the usage counters. The router increments the usage counter for an exception each time the exception causes a packet to go untranslated through NAT. Check the usage counters to determine if exceptions are working properly. Use the zero command to set the usage counters back to zero.
Interface number [1]?
Exceptions on interface 1:              ----Usage Counts---
Remote Address   Mask             Out->In   In->Out
10.5.5.0         255.255.255.0    2         3
save
Saves the run-time configuration to permanent memory.
restore
Restores the run-time configuration from permanent memory.
zero
Zeroes the usage counters displayed under the list exceptions and the list fixed-IP-mapping commands.
Known Deficiencies, Limitations, and/or Clarifications
This section describes known deficiencies in OpenROUTE 5.6 and OpenROUTE 5.6.1 and indicates limitations with the software.
General
GT 60 Series routers do not have a time of day clock chip with battery backup. For time to be meaningful, you have to get the time from a nearby host or manually set the time whenever you restart the router. Use the time commands at the Config> prompt for these operations. Enter time set at restarts or set up the time configuration to poll a nearby host.
Certificate Management
Certificates with GT60 Routers
If GT60 routers are set up to retrieve the time from a host when you restart the router, CA certificates do not appear in listings until the GT60 receives the correct time from the host. It can take as long as three minutes before the GT60 displays CA certificates. During this time, you also see the following ELS message:
15:27:21 CERT.009: faild to insert CA CERT into cache due to 'Certificate not valid yet'
Nx Networks recommends that you wait at least 30 seconds after restarting the router before entering the list ca command. Entering list ca immediately after restarting the router can further delay the time the GT60 takes to display CA certificates.
Long Certificate Chains
The certificate management feature now allows you to configure long certificate chains. Depending on the size of the individual certificates, the size of the IKE packet may exceed the size of the router's global buffers. If this occurs, an ELS message displays the current buffer size and the size needed. An example of this ELS message is:
00:10:21 IKE.079: fld to send 5804 bytes to 162.1.1.5 on 162.1.1.1; pkt size > I/O buf size 2304
If you see this message, configure a larger packet size as follows:
Analog Voice
CAUTION: The voice ports on the analog voice module have RJ-45 (8-pin) interfaces. Inserting an RJ-11 (4-pin) connector into an RJ-45 port can damage the pins in the port. Using an RJ-11 connector in the voice ports voids the warranty of the analog voice module.
Using NAT With Voice
To run voice traffic and NAT over the Internet, you must assign a public IP address for the voice module, and that address must be visible to the Internet. You cannot hide the address behind a firewall.
To do this, you set up a fixed address mapping for the voice module so that NAT does not translate the voice IP address. You need to assign the same address as the public outside address and the private inside address. This address must also be on the same subnet as the Internet connection.
The following example shows how to set up a fixed address mapping, where 128.185.2.2 is the IP address of the voice module.
*config
Config>PROTOCOL ip
Internet protocol user configuration
IP config>nat
Network Address Translation Configuration
NAT Config>add FIXED-IP-MAPPINGS
Interface number [1]? 3
Public outside address [0.0.0.0]? 128.185.2.2
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 128.185.2.2
To check the global IP address that NAT is using, enter list nat at the NAT monitoring prompt.
*monitor
+PROTOCOL IP
IP>nat
Network Address Translation Console
NAT>LIST NAT-INTERFACE
Interface number [1]?
NAT Enabled on interface 1
Address is: 128.185.2.1 Service Table Used: Global
Current # entries: 0
Maximum # entries: 500 Global ageout: 1800 secs
TCP ageout (secs): 9000 TCP closed ageout: 30 secs
NAT Config>SET NAT-INTERFACE IP-ADDRESS
Interface number [1]?
NAT IP address (0.0.0.0 = use automatic default) [0.0.0.0]? 128.185.2.1
You cannot set up Frame Relay LAN Emulation (FRLANE) interfaces as DHCP clients.
When a DHCP lease is in the rebind state, the state still displays as the renewal state. This does not affect the operation of DHCP client.
Expandable Memory
The GTX Series User Guide incorrectly lists the expandable memory available for the GTX Series.
The available memory upgrade modules are 8, 16, 32, and 64 MB. Therefore, you can upgrade your GTX Series from 8 MB to 16, 24, 40, or 72 MB.
IP Filters
Note the following information about using the isprec-= and prec-= options with the add filter or set filter commands.
You can only remove a precedence using a well-known name; you cannot use a number.
If you attempt to delete a precedence using a number, the error message displayed incorrectly states that you can enter a number.
Blowfish and IPCOMP Algorithms
The OpenROUTE 5.0 and later implementations of the IPSec algorithms Blowfish and IPCOMP are not interoperable with OpenROUTE 4.0 versions of OpenROUTE IPSec software. To run the Blowfish and IPCOMP algorithms in OpenROUTE 5.0 and later, you need to upgrade your routers from OpenROUTE 4.0 to release 5.0 or higher.
Quick Config and Unnumbered Ethernet
In Quick Config, if you assign the Ethernet interface to be unnumbered (dynamic), you cannot assign the unnumbered Ethernet interface as the default route.
When you get to the end of the IP configuration, Quick Config asks if you want to specify a default route. If you answer yes, Quick Config asks if you want to use an unnumbered or dynamic interface. If you answer yes and select a non-PPP interface, Quick Config tells you that you must use an unnumbered PPP interface, and gives the example of Interface #0 (the Ethernet) as an unnumbered PPP interface.
To work around this problem, answer no when Quick Config asks if you want to specify a default route. When you finish running Quick Config, go to the IP Config> prompt and use the add route command to set up the default route.
QuickWeb
QuickWeb allows you to add user accounts that use the challenge/response method of authentication. However, you cannot log into QuickWeb using a challenge/response. You can log into this type of account only at a CLI prompt. You can access the CLI from QuickWeb by clicking the CLI via Telnet button.
SDSL Module
At slower SDSL line speeds (160Kbps and 208Kbps), it can take several minutes for the SDSL module to come up and be available for data traffic. SDSL DSLAMs can take several minutes to begin the speed training process with the SDSL module. Once the speed training is complete, the activation process can take an additional two minutes before the interface is declared as Up. This is an inherent characteristic of the SDSL technology being deployed.
Because of the length of activation time, if the cable to the SDSL module is pulled during the activation process, it can take up to two minutes for the router to detect the pulled cable and drop out of the activation. If the DSLAM reissues its activation sequence before the SDSL module has dropped out, the SDSL module misses the activation sequence, and must wait for the DSLAM to issue its next activation sequence.
Due to the longer certificate chain, the amount of time required to compute the authentication signature also increases. In these cases, we recommend that you increase the default IKE retransmission timer from 12 to 1200.
Example:
GTX-25: IPSec Config> list global
IPSEC Globals:
--------------
IKE Retransmission timer (in seconds) : 12
IKE Maximum Retransmissions : 4
IPSec Phase2 SA inactivity timer (in seconds) : 60
My ID type: IP-Address
GTX-25: IPSec Config> set global ike_retransmission_timer = 1200