NetScreen weaker VPN encryption
Author : NetScreen <email@example.com>
Title: NetScreen Security Advisory 57226
Date: 16 April 2003
Impact: Weaker IPSec Tunnel Security Than Intended
Affected Products: Global PRO Policy Manager versions 4.0.0r1 through
Max Risk: Medium
An error in the Global PRO Policy Manager definitions for IPSec phase
1 and phase 2 proposals using the AES cryptographic algorithms causes
VPN configurations in NetScreen firewall/VPN appliances and systems to
use the DES cryptographic algorithm instead of the expected AES128.
All VPNs defined on NetScreen devices managed by Global PRO using the
predefined proposals named "g2-aes128-sha", "g2-aes128-md5",
"esp-aes128-sha", and "esp-aes128-md5" are affected.
(1) Create custom proposals for IPSec phase 1 and phase 2 using AES128
as the cryptographic algorithm.
(2) Update all affected VPN configurations to use these custom proposals.
(3) As soon as practical, upgrade your Global PRO to the maintenance release
identified below or a later version.
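
As an aid to step (2), the following added example (not part of the NetScreen advisory and not NetScreen code) lists which objects in a text configuration export name one of the four affected predefined proposals. The line layout it parses and the sample lines are assumptions constructed for illustration; adjust the parsing to the format your export actually uses.

```python
import re
from collections import defaultdict

# Predefined proposal names the advisory lists as affected.
AFFECTED = {"g2-aes128-sha", "g2-aes128-md5", "esp-aes128-sha", "esp-aes128-md5"}

QUOTED = re.compile(r'"([^"]*)"')

# Constructed sample export; names and addresses are hypothetical.
SAMPLE = '''\
set ike gateway "gw-branch" address 192.0.2.10 proposal "g2-aes128-sha"
set vpn "vpn-branch" gateway "gw-branch" proposal "esp-aes128-sha" "esp-aes128-md5"
set vpn "vpn-lab" gateway "gw-lab" proposal "custom-esp-aes128-sha"
set ike gateway "gw-lab" address 192.0.2.20 proposal "custom-g2-aes128-sha"
'''

def affected_references(config_text):
    """Map each object name to the affected proposals its definition names.

    Assumed line shape (not taken from the advisory):
        set <kind> "<object name>" ... proposal "<p1>" ["<p2>" ...]
    """
    hits = defaultdict(list)
    for line in config_text.splitlines():
        head, sep, tail = line.partition(" proposal ")
        if not sep:
            continue  # line does not assign any proposal
        names = QUOTED.findall(head)
        if not names:
            continue
        obj = names[0]  # first quoted token is the object being defined
        for proposal in QUOTED.findall(tail):
            # Exact match only: a custom proposal whose name merely
            # contains an affected name is not flagged.
            if proposal in AFFECTED and proposal not in hits[obj]:
                hits[obj].append(proposal)
    return {name: found for name, found in hits.items() if found}

if __name__ == "__main__":
    for name, proposals in affected_references(SAMPLE).items():
        print(f"{name}: still uses {', '.join(proposals)}")
```

Objects that appear in the result still need to be moved to the custom AES128 proposals from step (1).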
Global PRO 4.1.1, targeted for release on 5/15, will address this issue.
New VPNs created after installing or upgrading to this release will not
be prone to this issue. Upon upgrading to this release and pushing configuration
to the devices, previously existing VPNs will also be fixed.
If you have a release of Global PRO not addressed by the maintenance
release above, please contact firstname.lastname@example.org.
How to Get Global PRO:
If you have registered your product with NetScreen and have a valid service
contract, you can simply download the software from:
You will be prompted for your User ID and Password. Enter the whole or
part of your company name as your User ID and enter your registered NetScreen
device serial number as the password.
If you have not yet registered your product with NetScreen, you will
need to contact NetScreen Technical Support for special instructions on
how to obtain the fixed software. NetScreen Technical Support can be reached
from 8 a.m. to 5 p.m. Pacific time Monday through Friday excluding weekends
and observed holidays.
You may contact them via email at: email@example.com
or via phone at: 877-638-7273 or 408-543-2100 Option #1
Please reference this Advisory title as evidence of your entitlement
to the fixed software version.
NetScreen authorized channel partners have access to NetScreen software
versions and may also be a way to obtain the new release.