

Alcatel-Lucent IPSec Client 9.2.0 Release notes
Copyright © 2007 Alcatel-Lucent
May 2007

 

These release notes describe the Lucent IPSec Client 9.2.0 release.

Specific information is provided for the following topics.


Noteworthy changes in version 9.2.0 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.

  • New icons, names, and titles reflect the Alcatel-Lucent intellectual property and ownership of the IPSec Client.

  • Starting from 9.2.0, Alcatel-Lucent IPSec Clients no longer support the early versions of the Windows platform: Windows 98, Windows NT and Windows Me.

New features in 9.2.0 release:

  • Added a new end-user security enforcement policy. A company may need to force a certain application to be run whenever a user connects to the corporate network. This application may control such things as inventory management and patch management, as well as meet certain legal requirements such as having a user agree to a set of conditions prior to connecting to the corporate network. In some cases, access to the network must be denied if this application does not complete successfully, either because it generates an error or because it does not exist. Additionally, these actions can be controlled on a per-authentication basis, as various combinations of user, client OS, and client version will have different defined applications and/or actions on error or failure.
  • The Client can now download the CRL (file) when the machine's LAN Settings use the Automatic configuration options, in addition to the Proxy server settings. The option is either 'Automatically detect settings' or 'Use automatic configuration script'.
  • Fixed a bug that prevented the tunnel DNS and WINS settings from being set on the Windows Server 2003 platform.
  • Fixed a bug that prevented the CRL from being downloaded when the CRL site URL is not a .com site. For example, http://pilot.verisign.edu failed because it is a .edu URL, not a .com URL.

Noteworthy changes in version 9.0.1 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.

  • Fixed an IPSec Client Engine (Driver) bug that could cause a Blue Screen of Death (BSOD) crash on some multi-processor machines while VPN tunnels are enabled, for example the Lenovo™ ThinkPad T60 and Dell Inspiron™ E1505.

New features in 9.0.1 release:

  • A VPN tunnel can be enabled or disabled by pressing the Enter key.

Noteworthy changes in version 9.0.0 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.
The IPSec Client 9.0.0 release is mainly for administrative reasons:

  • To synchronize with the Brick/LSMS 9.x release.
  • To provide a new 9.0.0 User Guide and online help.

New features in 9.0.0 release:

  • Unlike all previous releases, Client 9.0.0 can be installed on a Windows 2003 Server machine. However, it is Lucent policy that the IPSec Client does not support all Windows Server platforms.
  • Functionality has been added to allow users to save and restore tunnel configurations to and from a file. This allows the tunnel configuration to be saved before uninstalling the IPSec Client and restored after the Client has been re-installed.

Noteworthy changes in version 7.1.3 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.

  • Fixed resource (memory and handle) leak issues.
  • Fixed the failure to add a tunnel using the CLI command "-entry add ..." on a freshly installed IPSec Client.
  • Added CLI "-entry del | delete -name *" to delete all tunnel configurations.
  • Force Kerberos to use TCP instead of UDP
    After installing the VPN Client on Windows XP or Windows 2000, if you try to log in using Kerberos (for example, with Outlook 2003), your login may be very slow or time out. The problem is caused by fragmentation of large UDP Kerberos packets, especially when operating behind PAT devices where fragment reassembly is not handled properly. This bug is resolved by setting the following Registry subkey during installation:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Value Name: MaxPacketSize
    Data Type: REG_DWORD
    Value: 1
    This forces Kerberos to always use TCP instead of UDP.

Noteworthy changes in version 7.1.2 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.

  • The CLI command "-entry add ..." does not resolve the FQDN for the TEP at configuration time as previous versions did. For example, for the given CLI command "LucentIPSecClient -name test -primary cio-lra.lucent.com -entry add ...", the Client will not resolve cio-lra.lucent.com to an IP address when it is adding the tunnel configuration.

  • Conditionally release and renew DHCP lease on specific DHCP-enabled network adapters.

Noteworthy changes in version 7.1.1 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.
If your LSMS 7.x and/or 8.x is patched for the ISAKMP Vulnerability #273756, and IKE on Brick is not enabled, you have to install the Client 7.1.1 or above. Contact your VPN network administrator for more information.

  • Banner message size is unlimited. Previously it was 1024 bytes.

  • Fixed a bug in the heartbeat interval calculation for Brick/LSMS version 8.0 or above.

  • Service Pack SP4 is required for installing IPSec Client 7.x or above in Windows 2000.


Noteworthy changes in version 7.1.0 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.

  • AES (Advanced Encryption Standard) support. IPSec Client 7.1 now supports AES with 128-bit key, AES with 192-bit key and AES with 256-bit key for encryption.

  • Log Viewer enhancement. Added "Refresh" and "Highlight" functions.

  • Support up to 15 tunnel configurations.
  • Fixed a bug in the TrayIcon application that caused it to exit abnormally.

  • Fixed a bug in the LucentIKE application that caused a "Memory Access Violation" error when the DHCP lease time period was too short.

  • Fixed a bug in the LucentIKE application that caused a "Bind to Soket" error when the DHCP lease time period was too short.

  • Fixed a bug in the IPSec Engine (Driver) that hung the machine when it performed a dial-up connection with the Windows XP QoS service enabled.


Noteworthy changes in version 7.0.0 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the new release.

  • VeriSign Digital Certificate Support. It includes end-user enrollment of VeriSign digital certificate and VeriSign digital certificate authentication in VPN tunnel creation. Brick/LSMS 8.0 and above are required to support it.

  • Microsoft CAPI Store Integration. A GUI is provided to allow end-users to browse and select a digital certificate in the Microsoft CAPI store as long as the digital certificate is in the Local Computer store and Current User Store.

  • Secure USB Token Authentication Support. It includes Entrust Secure USB Token digital certificate enrollment and authentication. The SafeNet iKey 2000 USB Token is recommended.

Notes
  • VeriSign digital certificate, CAPI Store integration and USB Token support are available for Windows 2000 and above.

Noteworthy change for version 6.0.4 of the IPSec Client

It is recommended to uninstall all the previous IPsec Client versions before installing the 6.0.4 release.

    All versions of the Lucent IPSec Client from 4.x to 6.0.3 will stop working on 11/16/2004. This is because an internally used certificate file will expire on 11/16/2004. The patch release version 6.0.4 will resolve the problem.

    Hardware Requirements

    • Windows 2000 Professional SP4
      Processor: Pentium II 133 MHz or higher
      Memory (RAM): 64 MB (min), 128 MB (recommended)
      Free Hard Drive Space: 16 MB

    • Windows XP Professional and Home Edition
      Processor: Pentium II 300 MHz or higher.
      Memory (RAM): 64 MB (min), 128 MB (recommended)
      Free Hard Drive Space: 16 MB


    • Windows Server 2003 Standard Edition
      Processor: Pentium III 550 MHz or higher.
      Memory (RAM): 128 MB of RAM required; 256 MB or more recommended
      Free Hard Drive Space: 1.25 to 2 GB

    Operating System Requirements

    The Lucent IPSec Client 9.2.0 package can be installed on the following Microsoft operating systems:
    • Windows 2000 Pro - SP4
    • Windows XP Pro - SP2
    • Windows XP Home Edition - SP2
    • Windows Server 2003 - SP1
    To obtain Windows service packs, please contact your administrator or visit the Microsoft web site.

    Installation

    To install the Lucent IPSec Client from a CD-ROM, insert the disc into the CD-ROM drive of your PC to start the installation. To install the program using a self-extracting .EXE file, double-click on the file to run it. If a previous version of the software is installed, the installation process will detect it and will prompt you to either uninstall the existing version or upgrade to the new version.
      Notes
    • Windows 2000 and Windows XP do not require a system restart after the software is installed for the first time.

    • The IPSec Client installation will detect the presence of ICS (Internet Connection Sharing). If ICS is detected, the installation will show the message "Installation has detected the presence of ICS. Please uninstall ICS before installing IPSec Client. Refer to README file or contact your administrator for help." and then quit. It is therefore necessary to uninstall ICS before installing the IPSec Client.

    • IPSec Client 6.0.0 and above support the ipUnplugged Mobile IP Client. However, in order to install the IPSec Client on top of the ipUnplugged Mobile Client, the ipUnplugged Mobile Client must be installed before the IPSec Client. Therefore, if a previous version of the IPSec Client is installed, the IPSec Client has to be uninstalled first.

    Known Issues

    The following are the known issues relating to Release 9.2.0 of the IPSec Client.

    In Windows XP Dial-up connection, there is no IPSec traffic when Windows XP's built-in firewall is enabled

    In Windows XP dial-up connection, there is no IPSec traffic when Windows XP's built-in firewall is enabled. Workaround: Turn off Windows XP's built-in firewall.

    How to force Kerberos to use TCP instead of UDP

    The Windows Kerberos Authentication package is the default in Windows 2000 and Windows XP. It tries the UDP protocol first. The limitation on the UDP packet size may cause problems.

    By default, Windows 2000 and Windows XP use UDP when the data fits in packets under 2,000 bytes. Any data above this value uses TCP to carry the packets. The value of 2,000 bytes is configurable by modifying a registry key and value.

      (a) Start Registry Editor.
      (b) Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      If the Parameters key does not exist, you can create it now. On the Edit menu, click Add Value, and then add the following registry value:
        Value Name: MaxPacketSize
        Data Type: REG_DWORD
        Value: any integer value in the range 1 to 1400 (in bytes)

      (c) Quit Registry Editor.
      (d) Restart your computer.

    The data you assign to this value is the maximum size to be used with UDP. If the packet size exceeds this value, TCP is used. Again, 2,000 bytes is the default if the value is not present.
    To prevent UDP from ever being used, set the value to 1; TCP will be used for all packets. Forcing TCP packets only is an effective workaround to this problem. See Microsoft Knowledge Base Article.
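
The registry check and change described above, as an added PowerShell example (not part of the original release notes or of the Lucent installer). The function names are hypothetical; the key path, value name, default and range are the ones given in these notes.

```powershell
# Added example: audit, and optionally set, the Kerberos MaxPacketSize value.
# Run from an elevated prompt; a restart is needed before a change takes effect.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxPacketSize'

function Get-KerberosMaxPacketSize {
    # Returns the configured DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-KerberosTransportSummary {
    # Describes the effect of a given setting, using the behaviour stated in these notes.
    param($Size)
    if ($null -eq $Size) {
        return 'Not set: the 2,000-byte default applies, so UDP is tried first.'
    }
    if ($Size -eq 1) {
        return 'Set to 1: TCP is used for all Kerberos packets.'
    }
    if ($Size -ge 1 -and $Size -le 1400) {
        return ('Set to {0}: UDP up to {0} bytes, TCP above that.' -f $Size)
    }
    return ('Set to {0}: outside the 1 to 1400 range given in these notes.' -f $Size)
}

function Set-KerberosMaxPacketSize {
    # Creates the Parameters key if it does not exist, then writes the DWORD value.
    param(
        [ValidateRange(1, 1400)]
        [int]$Size = 1
    )
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Size -Force | Out-Null
}

# Report the current state.
Get-KerberosTransportSummary -Size (Get-KerberosMaxPacketSize)

# Uncomment to force TCP for all Kerberos packets, then restart the computer:
# Set-KerberosMaxPacketSize -Size 1
```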

    Cannot automatically update WINS settings for Dial-up connection

    Under Windows 2000 or Windows XP with a Dial-Up connection, WINS settings for the tunnel are not updated automatically upon tunnel setup.
    Workaround: Update the WINS server addresses manually in the dial-up connection properties. If you manually configure the WINS for a dial-up connection, Microsoft requires that DNS servers should also be manually configured. Manually configure the ISP DNS and VPN WINS server addresses in the dial-up connection properties before establishing the dial-up connection.

    Windows NT host may not be able to renew a DHCP lease

    Under Windows NT, if the Firewall setting is set to "Block ALL Clear Text Traffic", the Windows NT host may not be able to renew a DHCP lease. Renewing the lease manually may hang the PC, and the system may need to be restarted.

    IPSec Client is not Windows XP Certified

    Version 7.0.0 of the IPSec Client (IPSec Driver) is not Windows XP Certified.
    Under Windows XP, the driver signature message will pop up for every adapter present on the PC. You may need to set this option to "Ignore" as follows:

      (a) Right-click "My Computer" and select "properties"
      (b) Click the "Hardware" tab
      (c) Click "Driver Signing"
      (d) Click the "Ignore" radio button for Driver Signing
    The IPsec Client installation will prompt you to do so.

    Client is connected to a DHCP LAN and the user has manually configured the DNS servers...

    Under Windows NT, Windows 2000, or Windows XP, if the Client is connected to a DHCP LAN and the user has manually configured the DNS servers, the VPN DNS servers are not updated when the tunnel is configured. This prevents you from accessing resources by name through the VPN tunnel.
    Workaround: If the LAN DNS server addresses need to be manually configured, manually configure the VPN DNS servers.

    VPN DNS server settings override the LAN DNS...

    Under Windows 98 or Windows ME, if the client is on a DHCP LAN while setting up the tunnel, the VPN DNS server settings override the LAN DNS server settings. In case of a split tunnel configuration, this prevents the user from accessing the resources on the LAN that need name resolution.
    Workaround: Manually configure the LAN DNS server addresses in the TCP/IP properties of the corresponding adapter.

    Windows XP Home Edition, Microsoft does not support logging onto the Windows domain...

    Under Windows XP Home Edition, Microsoft does not support logging onto the Windows domain and accessing resources such as shared drives from the Windows domain. Therefore, under Windows XP Home Edition, IPSec Client does not support logging onto the Windows domain and accessing resources from the Windows domain over the VPN tunnel.

    Network Associates Sniffer 4.5 is not compatible with the IPsec Client

    Network Associates Sniffer 4.5 is not compatible with the IPsec Client. We do not recommend installing Sniffer 4.5 software onto any PC that has the IPSec Client installed.

    IPSec client does not gracefully bring down the tunnel

    If an end user manually releases and/or renews the IP address of a PC on a DHCP LAN, the IPSec client does not gracefully bring down the tunnel. Instead, the server and client wait for failed heartbeat messages to bring down the tunnel. During the period between releasing the IP addresses and timing-out on failed/non-receipt of heartbeat messages, unexpected behavior can occur. A future revision of the IPSec Client will gracefully bring down the tunnel immediately following the release of the IP address. The end user will then need to manually reestablish the tunnel.

    IPSec client cannot co-exist with another VPN client

    IPSec client does not work if a VPN client from another vendor is installed on the same PC.


      Event Reporting Notes

      Certain Error/Notify popups now include a Reason Code (RC) to denote additional granularity for troubleshooting purposes:

      • RC1000 - RC1999 are reported by the LucentIKE service component

      • RC2000 - RC2999 are reported by the GUI component

      • RC3000 - RC3999 are reported by the tray icon component

      • RC4000 - RC4999 are reported by the driver component

      RC1001 Error occurred in creating a socket
      RC1002 Error occurred in binding to a socket
      RC1010 Unable to send DISABLE tunnel packet to Gateway
      RC1011 Unable to send packet to TEP to disable tunnel
      RC1012 Unable to send heartbeat message to Gateway
      RC1013 Unable to send initial heartbeat message to Gateway
      RC1014 Unable to read data from Gateway. Make sure the Gateway is running properly
      RC1020 Error opening a Socket in startTCP thread
      RC1021 Bind to sock error in startTCP thread
      RC1022 The network subsystem has failed, or no buffer space is available while calling listen
      RC1023 The network subsystem has failed while calling select
      RC1024 The network subsystem has failed, or no buffer space is available while calling accept

      RC2001 Error occurred in creating a socket
      RC2002 Error occurred in connecting to LucentIKE service. Make sure the LucentIKE service is running
      RC2003 Unable to send data to LucentIKE service, make sure it is operating properly
      RC2010 Gateway is not responding, make sure it is running
      RC2011 No IP Address available in Address Pool
      RC2012 Could not load negotiated Security Policy
      RC2013 Invalid internal IP for local presence received from Gateway
      RC2014 Unable to update local network configuration
      RC2015 Enable Secure Connection failed
      RC2020 User Authentication failed. Make sure the user credentials are correct


        Licensing

        The Lucent IPSec Client is distributed and licensed for use under the terms of the END USER PROGRAM LICENSE AND WARRANTY AGREEMENT.