Version 4.2.2 bug fixes
Certificates and PKI
Support reference 81909
Whenever the Certificates and PKI module was opened, the automatic search process that ordinarily displays the list of CAs, identities and certificates would fail when the DN of a certificate exceeded 127 characters. This would then prevent the contents of the Certificates and PKI module from being displayed. This issue has been fixed.
Support reference 82179
Whenever an IPsec policy met both of the following conditions:
- The policy started with one or several bypass rules with None set as the peer, and which were created as an exclusion to the subsequent rules in the encryption policy. The routing policy manages traffic that matches these rules.
- These rules were followed by several rules regarding mobile IPsec tunnels.
The generated IPsec configuration file would then be wrong and only the first mobile tunnel configured could be set up. This issue has been fixed.
IPsec VPN - IKEv1 site-to-site tunnels
Support references 82199 - 82197
After the IPsec IKEv1 tunnel manager was changed, firewalls in version 4.2.1 could no longer negotiate IPsec IKEv1 tunnels with SNS firewalls in version 4.1.x or lower when both of the following conditions were met:
- The firewalls in version 4.1.x used an IPsec policy based exclusively on IKEv1 peers,
- The firewalls in version 4.2.1 initiated the negotiation.
This issue occurred due to the introduction of the ESN function which 4.1.x versions (and lower) do not support, and an issue relating to the new IPsec tunnel manager.
To resolve these issues, firewalls in version 4.2.2 (or higher) now disable ESN when the peer is in IKEv1.
Support reference 81914
During the installation of SNS 4.2.1 EVAs (elastic virtual appliances) in OVA format, the IPsec VPN tunnel manager would fail to start, preventing IPsec tunnels from being set up. This issue has been fixed.
Web administration interface
IPsec VPN - Authentication by certificate
Support reference 82185
During the selection of an IPsec peer’s certificate, the drop-down list would sometimes display only certificates created by default, such as those issued by the CAs of the SSL proxy and SSL VPN.
This list now correctly displays all the other certificates found in the PKI.