File Changes.txt:

1. Corrected behaviour with some external personal firewalls.
2. When using RSA SIG (Certificates) the client enforced IKE ID type to ASN1 Distinguished Name independent of the configured IKE ID type. Due to feedback from different partners this has now been changed. For RSA SIG the client now uses the configured IKE ID type. For current installations using RSA SIG and where ASN1 DN is used, please check that the IKE ID Type is set to "ASN1 Distinguished Name". The content of the IKE ID is in this case irrelevant.
3. Support for Netscreen XAUTH and Mode Config (IKECFG).
4. Prompt for XAUTH password if field is left empty.
5. Re-keying of IKE (phase I) without disconnecting fixed.
6. Added support to run concurrently with basically any external firewall. When an external firewall is installed the NCP firewall should be turned off.
7. When the RAS dialer and not the NCP internal dialer was used to create the provider connection, the VPN connection worked properly. After a disconnect and a second connect the tunnel was established but it was not possible to communicate over the tunnel. This is now corrected.
8. When using RSA-Signatures (Certificates) the client enforced MAIN mode. This behaviour has now been changed in such a way that the client always uses the configured exchange mode.

BINTEC Entry Client ver 1.0 build 84: changes to all previous versions and builds -
1. Problem with de-installation when using WINXP (SP2) fixed. Before de-installing the NCP Entry Client please update with this build and then reboot. After reboot you can de-install the NCP Entry Client.

BINTEC Entry Client ver 1.0 build 85 (08-09-2004): changes to previous version -
1. Hybrid Authentication Mode (e.g. CheckPoint XAUTH) now supported.
2. COSINE IKECFG mode corrected.
3. When the client receives unencrypted data in crypto state during the IKE negotiation it will no longer send a NOTIFY("SITUATION_NOT_SUPPORTED").
This caused some gateways to terminate the IKE negotiation.

BINTEC Entry Client ver 1.0 build 86 (09-09-2004): changes to previous version -
1. When the internal NCP dialer is used and the mediatype is GPRS the PIN and APN are automatically sent by the client. For the Vodafone and T-Mobile GPRS/UMTS cards the wait time after sending the PIN before proceeding was 12 seconds. This wait time has now been set to 20 seconds to provide a more reliable connect.

BINTEC Entry Client ver 1.0 build 87 (11-10-2004): changes to previous version -
1. Corrected split-tunneling behaviour when the client's IP address assignment is set to "Local Address".
2. The re-keying of phase II affected the re-keying (LifeTime) of phase I. This is now corrected.
3. Some firewalls were able to block the client from working properly over LAN. The client was not able to recognize the LAN adapters. This has now been fixed.
4. DEFLATE compression is now supported. The monitor (GUI) still displays "Use IP compression (LZS)" but both methods are negotiated (LZS and DEFLATE). Look into the logbook to view what actually was negotiated. The GUI will be corrected.

BINTEC Entry Client ver 1.0 build 90 (14-10-2004): changes to previous version -
1. The checkbox "Use IP compression (LZS)" is now corrected to the following: "Use IP compression"
2. It is now possible to configure the Domain name within the "IP Address assignment" tab.

BINTEC Entry Client ver 1.0 build 91 (22-10-2004): changes to previous version -
1. EAP 802.1x changes: For WLAN and switches supporting port authentication the client supports EAP - MD5 - TLS. This makes it unnecessary to install a separate EAP client.
   EAP-MD5: UserId/Password authentication is supported and the possibility exists to get the UserId/Password from the certificate used for the VPN connections.
   EAP-TLS: Certificates are used and are taken from the NCP certificate configuration.
   EAPOL KEY (Dynamic WEP key) is supported.

BINTEC Entry Client ver 1.01 build 20 (09-11-2004): changes to previous version -
1- Changes made to support ZYXEL XAUTH.

BINTEC Entry Client ver 1.01 build 22 (12-11-2004): changes to previous version -
1- Certificate configuration not possible: The menu for configuration of certificates was missing after entering a correct serial number and activation key via the NCP popup program. This has now been corrected.

BINTEC Entry Client ver 1.01 build 23 (15-11-2004): changes to previous version -
1- For non-VPN connections to provider SPI (Stateful Packet Inspection) is now always enabled.

BINTEC Entry Client ver 1.01 build 24 (16-11-2004): changes to previous version -
1- Corrected a problem when the NCPMON (NCP Monitor) was closed and then started again. This caused the monitor to disconnect the current connection.

BINTEC Entry Client ver 1.01 build 25 (26-11-2004): changes to previous version -
1- Corrected the reading of MTU size for the installed LAN adapters. For LAN/WLAN adapters that are using an MTU size smaller than 1500 Bytes a problem occurred with fragmentation.
2 - Changed the XAUTH protocol for use with NETSCREEN and OTP.

BINTEC Entry Client ver 1.01 build 31 (09-12-2004): changes to previous version -
1 - Corrected the retry behaviour when DPD (Dead Peer Detection) is active. Retries are now sent out with increasing sequence numbers.

BINTEC Entry Client ver 1.01 build 34 (14-12-2004): changes to previous version -
1 - Support for ASCII import configuration.

BINTEC Entry Client ver 1.01 build 36 (13-1-2005): changes to previous version -
1 - Added support for RFC 3947 (Negotiation of NAT-Traversal in IKE) and RFC 3498 (UDP Encapsulation of IPSEC ESP packets). The older drafts are of course still supported.

BINTEC Entry Client ver 1.01 build 39 (20-1-2005): changes to previous version -
1 - Fragmenting. As the NCP client is fragmenting packets (if necessary) before applying IPSEC, we now also reset the DF bit (Don't fragment bit) before fragmenting.
2 - Corrected the NCPGINA GUI when domain logon is active. The GUI didn't show a complete connection even though the connection was there.

BINTEC Entry Client ver 1.01 build 42 (24-1-2005): changes to previous version -
1 - The NCP Extended Personal Firewall is introduced.
2 - Support for configuration import files.

BINTEC Entry Client ver 1.10 build 46 (16-2-2005): changes to previous version -
1 - Corrections of the NCP Extended Personal Firewall.

BINTEC Entry Client ver 1.10 build 51 (23-2-2005):
1 - Corrected a problem with a user defined installation path containing a space.

BINTEC Entry Client ver 1.10 build 53 (01-03-2005): changes to previous version -
1 - Corrected some problems regarding the automatic HotSpot functionality.

BINTEC Entry Client ver 1.10 build 58 (08-03-2005): changes to previous version -
1 - Added support for static UDP encapsulation of ESP (default port 10000).
2 - Corrected Aggressive mode with RSA SIG to send proper ASN1 Distinguished name.

BINTEC Entry Client ver 1.10 build 64 (12-04-2005): changes to previous version -

BINTEC Entry Client ver 1.10 build 69 (29-04-2005): changes to previous version -
1 - Fixed performance problem with the firewall and multihoming.
2 - Increased performance by running the ncprwsnt process with high priority class.

BINTEC Entry Client ver 1.11 build 76 (20-06-2005): changes to previous version -
1 - Finally added GPRS/UMTS support for the T-Mobile Multimedia Card.
2 - XAUTH for the RAPTOR (Symantec) PowerVpn Server is now supported.

BINTEC Entry Client ver 1.11 build 80 (22-06-2005): changes to previous version -
1 - Added the configuration checkbox "Use VPN-password for Windows logon". The VPN-Password is used for the Windows logon.
2 - Now support for international dial-up services via the NCP connection manager (T-Online, Gric, ...).

BINTEC Entry Client ver 1.11 build 84 (08-07-2005): changes to previous version -
1 - The NCP GINA (used for domain logon) monitor (GUI) now supports the T-Mobile Multimedia Card.
2 - Problems with licensing ("Testversion expired") are fixed.
3 - The user can now decide if a VPN connection should be kept or disconnected when Windows logoff is executed.
4 - End Point Security is introduced in conjunction with NCP gateways.

BINTEC Entry Client ver 1.11 build 85 (21-07-2005): changes to previous version -
1 - Corrected the behaviour of the GUI when XAUTH with RSA SecurID or MS-CHAP is used. Now the correct input fields are shown for the corresponding message.
2 - Support for the newer T-Mobile Multimedia card (UMTS/GPRS).
3 - Added XAUTH support for the Symantec gateway (RAPTOR).

BINTEC Entry Client ver 1.11 build 90 (09-08-2005): changes to previous version -
1 - XAUTH
    Background: Some security appliances support XAUTH without executing the proper negotiation for it. They merely send a Vendor ID payload indicating that XAUTH is supported and then expect XAUTH to be executed after IKE phase I. The client also sends this Vendor ID but expects a proper proposal to be negotiated. The result is that the client does not execute XAUTH while the appliance does.
    Change: If the checkbox for XAUTH is checked and the security appliance sends a Vendor ID for XAUTH support the client will execute XAUTH without the proper negotiation.

BINTEC Entry Client ver 1.11 build 92 (22-08-2005): changes to previous version -
1 - A problem with VPN networks was corrected. If more than one VPN network was configured only the first network was regarded as a VPN network.

BINTEC Entry Client ver 1.11 build 102 (15-09-2005): changes to previous version -
1 - FUSION/OPTION - GPRS/UMTS/WLAN cards. Now all OPTION/FUSION cards should be supported independent of provider.

BINTEC Entry Client ver 1.11 build 108 (27-09-2005): changes to previous version -
1 - Problem scenario: When the client used the mediatype PPPOE and the LAN adapter was configured for DHCP without an existing DHCP server the VPN connection time was delayed up to 40 seconds. This problem has now been solved.
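
The XAUTH rule described under build 90, written out as an added Python example; it is not code from the NCP/BINTEC client. The function names are hypothetical, and the XAUTH Vendor ID value and the XAUTH authentication-method range 65001-65010 are taken from the XAUTH Internet-Drafts, not from this changelog. The returned reason separates a properly negotiated XAUTH from one triggered by the Vendor ID alone, which is the distinction to look for in the client logbook.

```python
import struct

# Vendor ID that announces XAUTH support (draft-ietf-ipsec-isakmp-xauth-06).
XAUTH_VID = bytes.fromhex("09002689dfd6b712")
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")  # RFC 3706, sample data only
VENDOR_ID = 13  # ISAKMP payload type number (RFC 2408)
# IKE authentication-method values that negotiate XAUTH properly (assumption, see lead-in).
XAUTH_AUTH_METHODS = range(65001, 65011)


def vendor_ids(message):
    """Walk the payload chain of an unencrypted ISAKMP message; return Vendor ID bodies."""
    if len(message) < 28:
        raise ValueError("shorter than an ISAKMP header")
    next_payload = message[16]
    total = struct.unpack_from("!I", message, 24)[0]
    if total > len(message):
        raise ValueError("length field exceeds the captured data")
    found, offset = [], 28
    while next_payload != 0:
        if offset + 4 > total:
            raise ValueError("truncated payload header")
        following, _, length = struct.unpack_from("!BBH", message, offset)
        if length < 4 or offset + length > total:
            raise ValueError("bad payload length")
        if next_payload == VENDOR_ID:
            found.append(message[offset + 4:offset + length])
        next_payload, offset = following, offset + length
    return found


def xauth_decision(xauth_checked, auth_method, peer_message):
    """Return (run_xauth, reason); the reason is what a client log would record."""
    if not xauth_checked:
        return False, "disabled"
    if auth_method in XAUTH_AUTH_METHODS:
        return True, "negotiated"
    if XAUTH_VID in vendor_ids(peer_message):
        return True, "vendor-id-only"  # the build 90 change
    return False, "not-offered"


def sample_message(vids):
    """Constructed input: ISAKMP header (Main Mode) carrying only Vendor ID payloads."""
    body = b""
    for i, vid in enumerate(vids):
        nxt = VENDOR_ID if i + 1 < len(vids) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(vid)) + vid
    first = VENDOR_ID if vids else 0
    return bytes(16) + struct.pack("!BBBBII", first, 0x10, 2, 0, 0, 28 + len(body)) + body
```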