SunScreen 3.2 Release Notes

SunScreen 3.2 Known Problems

The following known problems exist in the SunScreen 3.2 product.

BugID #4548783

In a Trusted Solaris 8 Update 4 environment, IKE does not work with the TSOL protocol.
BugID #4554498

In an HA configuration with IKE, if the secondary HA system becomes active, existing IKE connections do not fail over and no new IKE connections can be initiated.
BugID #4531858

The IKE daemon may sporadically and on infrequent occasions, get in a state where it will not successfully negotiate new connections. The workaround is to kill the daemon and reactivate the policy.
BugID #4502706

Running SunScreen on the Trusted Solaris 8 operating environment when using the TSOL networking protocol, packets labeled CDP or IKE do not leave the system and iked eventually exits.

Two problems exist: One is the insufficient priv on ss_iked_restart; the second is that TSOL needs an explicit isakmp rule that unlabeled packets or the regular Solaris software do not need.

Perform the following steps:

Note -
The first two steps are always required. The third step is required for TSOL traffic, but not for unlabeled traffic.
1. Type the following command:
  # setfpriv -s -a ALL /usr/lib/sunscreen/lib/ss_iked
2. Change the tsol ss_iked_restart exec_attr line to include 35,61,68 SunScreen:tsol:cmd:::/usr/lib/sunscreen/lib/ss_iked_restart:privs=35,61,68;uid=0 ;gid=3;euid=0
  
  Note -
  Do this on the line that begins with SunScreen:tsol and not on the line that begins with SunScreen:suser.
3. For IKE with TSOL labeled traffic, you must add a rule to allow UDP port 500 traffic by typing:
  edit> add rule isakmp ALLOW
BugID #4495529

IKE does not work with the Commercial Internet Protocol Security Option (CIPSO) networking protocol.

IKE packets with CIPSO labels are dropped by screen_ipsec. "screen_ipsec predecrypt: not ipv4 or packet has options" IKE packets with options should be allowed by a Screen because they are valid in this situation.
BugID #4504676

Due to a packaging problem with SUNWsfwi, the ss_iked binary does not have all allowed privileges.

Perform the following steps:
1. Run the following as the secadmin role by typing:
  # setfpriv -s -a all /usr/lib/sunscreen/lib/ss_iked
  Without allowed privileges, IKE cannot get the inherited privileges defined in exec_attr.
2. Create the file pkgs/SUNWsfwi/tsolinfo with the following contents:
  default allowed_privs all
  This ensures that all executables delivered with this package have all allowed privileges (and, thus, can inherit them).
BugID #4491808

IKE fails in tunnel mode on SunScreen to a Windows 2000 system.

The same systems can connect in transport mode with a connection initiated from either side. Initiating a connection from a Windows 2000 system to the Screen in tunnel mode does work. Also, once an SA is negotiated, encrypted connections work from any direction. The oakley.log file on the Windows 2000 system says: "Tunnel mode is transport mode," which is an undocumented error message.
BugID #4500831

When installing SunScreen 3.2 on a Trusted Solaris 8 system and choosing to use SunScreen SKIP encryption on the remote Administration Station, a Java(TM) error causes the installer to exit when configuring and activating.

Do a default installation, then manually configure the remote Administration Station at a later time.
BugID #4496677

Using ssadm ha status -Z on a Non-high availability (HA) system returns the message: cannot open.
BugID #4497611

When multiple certificates have the same subject alternative name, the following error message is returned: "bad remote certificate, rejected!"

Windows 2000 IKE ignores CA preferential ordering and agrees on the first match it finds in its database, regardless of the ruleset. To fix this problem, limit the list of possible CA-issued certificates in the rule to one CA-issued certificate on Windows 2000 systems.
BugID #4330437

Removing an interface from the host causes the Screen to not come up.

The Screen does not work when you physically remove an interface from the host or change the Solaris network configuration and reboot without first removing the SunScreen Interface object definition for that interface. This happens when the interface that was removed has already been defined in the Screen.

You must add the interface back onto the host and reboot to fix this problem. Or, if the interface no longer exists, remove the interface object from the Screen.

Note -
You can no longer activate a policy through the command line user interface because the Screen cannot contact its secondary.

Perform the following steps:
1. Find the current policy by typing:
  # ssadm active
  For example, the output could be Initial.n, where n is the policy version number.
2. Activate the policy by typing:
  # ssadm activate -1 Initial.m
  Where m=n-1.
  
  Now, you can login to the ssadm server.
  
  Note -
  Rebooting, also brings up the Screen.
Use the following steps to remove the SunScreen interface object definition:
1. Log onto the console of the Screen as root, if not already.
2. Remove the offending Interface object from your SunScreen policy by typing:
  # ssadm edit Initial edit> delete interface qfe2 edit> save edit> quit
  Note -
  See "Interfaces" in the SunScreen 3.2 Administration Guide for more information on removing an interface.
3. Activate the policy by typing:
  # ssadm activate Initial
4. Reboot the system.