Release Notes PN 93000693_D Digi ConnectPort WAN VPN (Verizon) 82001350_D EOS January 31, 2007 INTRODUCTION This is a production release of firmware for the Digi ConnectPort WAN VPN. The ConnectPort WAN VPN is a hardened, upgradeable 3G cellular router that provides secure high speed wireless connectivity to remote sites and devices. It can be used for primary wireless broadband network connectivity to equipment at remote locations, as well as for a backup to existing landline communications. The ConnectPort WAN VPN is ideal for use where wired networks (e.g., leased line/frame relay, ISDN, DSL) are not feasible, or where alternative network connections are required. SUPPORTED PRODUCTS Digi ConnectPort WAN VPN SUPPORTED AIR INTERFACES Sierra Wireless AirCard 775 Sierra Wireless AirCard 850 Sierra Wireless AirCard 860 Sierra Wireless MC5720 Sierra Wireless MC8755 Sierra Wireless MC8765 ENHANCEMENTS Change default time interval for SureLink mobile link integrity test to 2 hours for the Verizon Network. BUG FIXES Remove capability to enable LCP echos for the Verizon Network. KNOWN ISSUES On some IPSec VPNs, SA lifetime is not negotiated correctly. To work around this issue, configure the SA lifetime on the Digi ConnectPort WAN VPN to be less than that configured on the VPN concentrator. For IPSec VPN tunnels using AES encryption, multiple key lengths (128-, 192- and 256-bit) are supported for ISAKMP/IKE phase 1 encryption proposals. For ISAKMP/IKE phase 2 proposals, currently only 256-bit keys are supported for AES encryption. DOCUMENTATION ERRATA None. ADDITIONAL INFORMATION It is recommended that you perform a backup of your device's settings prior to upgrading your firmware. If you should need to revert back to a previous version of firmware, this will ensure that you will be able to restore your device to its previous settings in the event that some settings are not restored properly after downgrading the firmware. To backup your device settings, follow this simple procedure: 1) Open the web user interface and navigate to the "Administration" section and select "Backup/Restore". 2) Click the "Backup" button and select the location to where you want to save your backup file. To restore: 1) Navigate to the same section within the web UI. 2) Click the "Browse" button to select the backup file you saved in the previous steps. 3) Click the "Restore" button to upload the configuration settings contained in your backup file. On initial boot of this device, it will generate some encryption key material: an RSA key for SSL/TLS operations, and a DSA key for SSH operations. This process can take as long as 40 minutes to complete. Until the corresponding key is generated, the device will be unable to initiate or accept that type of encrypted connection. It will also report itself as 100% busy but, since key generation takes place at a low priority, the device will still function normally. On subsequent reboots, the device will use its existing keys and will not need to generate another unless a reset to factory defaults is done, which will cause a new key to be generated on the next reboot. HISTORY 82001350_D - January 31, 2007 See ENHANCEMENTS and BUG FIXES information above. 82001350_C - October 17, 2006 ENHANCEMENTS Add "ping" pinhole for IP pass-through mode of operation. Increase to five the number of concurrent VPN tunnels. Add more mobile status information items including network speed, service type, frame erasure rate, noise and others. Add LCP echo support in web UI for Movistar Panama. Add PPP option to enable/disable IPCP acquisition of DNS IP addresses, enabled by default to preserve prior behavior. For NAT: o Add port range support for port forwarding rules. o Increase the maximum number of triggers to 1024 (was 512). o Add maximum number of triggers configuration field to web UI. o Reduce TCP trigger idle lifetime to free associated resources: new idle lifetime is 122 minutes rather than 24 hour). For SureLink (tm) link integrity monitoring "ping" test: o Change ping data size to minimum of 4 bytes (was 56), to reduce data usage for cellular network connections. o Increase ping "wait for reply" interval to 5 seconds (was 3) to reduce the likelihood of unnecessary retries and hence reduce data usage for cellular network connections. Add the use of the "nonadministrative reset" statistic for PPP, to count occasions when the cellular network disconnects the PPP session by means of an LCP Terminate message (versus dropping the call). Add a new item to indicate the reason/type of the last PPP connection reset. BUG FIXES IPSec updates (fixes specific to IKE). Fix a possible lockup condition in the processing of network stack timers. For NAT: o Fix a bug in which NAT would forward an untranslated packet to a public network when the maximum trigger limit was reached. (19552) o Fix a bug in which a NATed FTP session could become nonresponsive and eventually that session would abort. Fix various pmodem issues. (19206, 19226) Improve "revert" help. (17161) Fix a timing problem when reading the phone number from the SIM via an AT command sent to the Siemens MC75 module. Fix a problem in IP pass-through mode in which some services may not be accessible from the Ethernet side, if a pinhole was configured for that service. (19487) Improve the resolution of the TCP idle/keepalive timer to comply better with configured keepalive settings. (19546) Fix stack size problem for simple password daemon. (19659) 82001350_B - August 30, 2006 ENHANCEMENTS: Add IP Pass-through mode (optional): IP Pass-through (bridged) mode specifies that IP packets received by the Digi device server will be bridged transparently between the Ethernet and mobile data links. This is useful for interoperability with third-party routers. Effectively, the mobile IP address of the Digi device server is given to a host on the Ethernet side of that Digi device server. Please consult with your mobile plan provider to obtain addresses to use (IP, DNS), and that your plan supports static address assignment. Optional "pinholes" can be configured such that a user can still access specific services of the Digi device server from the mobile network side, even when it is operating in IP Pass-through mode. For example, one can configure a pinhole that permits a user to telnet to the Digi device server over the mobile network connection. Add Socket Tunnel feature: A Socket Tunnel can be used to connect two network devices - one on the Digi device server's local network and the other on the remote network. This is especially useful for providing SSL data protection when the local devices do not support the SSL protocol. One of the endpoint devices is configured to initiate the socket tunnel. The tunnel is initiated when that device opens a TCP socket to the Digi device server on the configured port number. The Digi device server then opens a separate connection to the specified destination host. Once the tunnel is established, the Digi device server acts as a proxy for the data between the remote network socket and the local network socket, regardless of which end initiated the tunnel. Support additional wireless carriers: o Cellular South (CDMA) o Movistar Colombia (CDMA) o Movistar Panama (CDMA) o Movistar Peru (CDMA) o Verizon Puerto Rico (CDMA) Improve cellular module provisioning (web UI and CLI). Add SureLink (tm) statistics and additional mobile information to the Mobile System Information web page. Connectware Manager (Remote Management): o Add Server-Initiated Connection support for Connectware Manager, allowing the server to connect to the device (on demand) as a configurable option. Includes Last Known Address (LKA) updates to the Connectware Manager when the mobile IP address changes. o Decrease the amount of data exchanged over a cellular connection when connecting to the Connectware Manager server. o Simplify Remote Management Configuration web pages for an improved user experience. o Add support to disconnect from the Connectware Manager when the connection to the server is idle for a configurable interval. DHCP Server: o Add configurable conflict detection, whereby the DHCP Server pings an IP address to verify its availability, before offering it to a client for a new lease. Conflict detection is disabled by default. o Improve information on web page for DHCP Server Management. o Improve web UI help information. Add RealPort (tm) "exclusive" mode option: Exclusive mode provides the ability for the Digi device to close an existing RealPort connection and establish a new one immediately upon a new connection request from the same IP address. This mode is useful when using RealPort over wide area networks that can be unstable and where you are charged by the byte (such as cellular or satellite) and do not wish to incur costs for keep-alive traffic. Exclusive mode will allow your application to retain continuity when temporary, unexpected interruptions in network connectivity occur. This configuration is available via the command line. Syntax: set realport exclusive=on|off Add support for new air interface cards: o Sierra Wireless MC8755 (GSM/GPRS/HSDPA/UMTS) - European frequency o Sierra Wireless MC8765 (GSM/GPRS/HSDPA/UMTS) - North American frequency Operate with newer Sierra Wireless AirCard 850 with SIM PINs enabled. BUG FIXES: Fixed an issue in which some of the cached DHCP Server configuration information may be corrupt after a button reset. (18483) Fixed an issue in which a network endpoint (UDP socket) could become blocked because of an empty packet being sent to it. (18626) Invalid alarm subject when configuring an snmp trap alarm. (17656) In Network Services Settings page, ADDP UDP port may no longer be configured by the user. (16811) Added mobile phone number of cellular modem to Mobile System Information page in web UI. (17752) Fixed an issue in which telnet breaks were not being sent on a serial port. (17568) Fixed memory leaks. (17730, 18440) Fixed a failure to detect in a timely manner the end of a session in SSL/TLS, particularly during the handshake phase. (19068) Removed unneeded or invalid groups from the RCI reply. This eliminates confusion and significantly reduces the size of the generated output. (18880) Corrected duplicate and elements in the group. (19052) Added multiple AES key lengths (128, 192 and 256 bit) to ISAKMP/IKE phase 1 encryption proposals. Clarified encryption proposals for ISAKMP/IKE phase 2 proposals, which currently support only 256-bit keys. Removed the other key length selections from the UI for phase 2, until we support a configurable AES key length. (18824) 82001350_A - April 26, 2006 Initial release. - SureLink (tm) link integrity monitor. - DynDNS.org dynamic DNS support. - GSM data-only SIM/plan support. - Mobile data throughput enhancements. - Support for newer AirCard 860 firmware (1.1.29). - An issue was corrected which may have prevented negotation of PAP over the mobile link. - An issue was corrected where, under certain conditions, it was possible for the Digi Connect to be unaware of the dropped mobile link.