---------------------------------------------------------------------- VPN Client ---------------------------------------------------------------------- Alpha release ... ---------------------------------------------------------------------- X Resolve host dns to address in ipsecc X Transmit size in vnet driver X DHCP renew effects phase2 sa's X Client status message rework X Allow the configuration of the dns suffix in ipseca X NAT-T force option in ipseca & ipsecc X Manual config of client settings in ipsecd ( review ipseci ) X Key size in ipseca for phase1 X Dir path problem ipsecc & ipsecd X Pre-fragment support in ipsecd X Update logging facility in ipsecd X Use generic logging facility in dll classes X Test all dialog options for feature parity Beta release ... ---------------------------------------------------------------------- X Rewrite vnet driver X Create cleanup routines for all sa and tunnel objects X Fix license view in about dialog X Delete sa's after they are declared dead X Isakmp re-transmit in ipsecd X Send NAT keep-alive packets X Mutual auth XAuth mode 1.0.0 release ... ---------------------------------------------------------------------- X SPI size of 8 in sa payload X Flag tunnel as dead when proposal is rejected X Handle notification payloads when bundled in phase1 or phase2 X Correct dialog layout issues X Allow for disabled client WINS and DNS settings X IKE fragmentation X Send delete messages as outlined in RFC 2408 X Handle delete messages as outlined in RFC 2408 X Send notify messages as outlined in RFC 2408 X Handle notify messages as outlined in RFC 2408 X Client feedback for failure cases X Fix crash after items deleted in ipseca X Support the modecfg banner attribute X Cleanup IPFRAG class X Phase2 sa re-establish after expire X Create debugger application interface X Prevent multiple tunnels from using the same gateway X Support the pfs modecfg attribute X Support the split exclude modecfg attribute X Correct client busy loop bug X Pre-configured client packaging system X Fix multiple tunnel issues X Write documentation X Button default issue in ipsecc X Test non-admin user operation X Correct loss of default route X Correct the VNET MTU dropping to 175 X Update VProt Interface to handle Dialup Adapters 1.1.0 release - Bug fixes and fine tuning ---------------------------------------------------------------------- X Add Split DNS Support X Cleanup orphaned dnsfwd entries X Cleanup PACKET_DNS memory leaks X Add Dead Peer Detection responder X Add Dead Peer Detection initiator X Move away from dynamic adapter creation ( adapter pools ) X Correct phase2 negotiation issues X Replace DHCP support with static configuration X Fix session termination messages X Move remaining projects in-branch to share versions X Modify interfaces to support Split DNS, DPD Banner and Notify X Remove tunnel references to internal API X Standardize and fix validation of inform and config hashes X Audit use of random generation X Correct debug output for modecfg banner X Restructure SDB and packet resend X Resolve issue with devcfg initial device creation X Report phase 2 id types and values X Add client username and password command line options X Remove media sense from VNet driver X Track down a rare ipsecc freeze when server rudely disconnect X Review driver locking X Modify VProt to handle multiple dialup adapters X Review adapter registry configurtaion X Update release documentation X Look into reported issue with Split DNS X Implement Split DNS reverse lookups X Correct p12 related problems X Add support for encrypted p12 and pem files X Correct problems with local ID checking X Test kernel drivers with multi-core systems 2.0.0 release - Interface below TCPIP and friends ---------------------------------------------------------------------- X Replace Protocol driver with IM filter driver X Build rule based filter framework into IM driver X Implement divert/mirror rule processing ( like FreeBSD ipfw ) X Implement accept/reject rule processing X Use filter framework for packet inspection / redirection X Remove uneeded functionality from virtual network interface X Hide platform specific route index detail in libip X Add support for using a real interface as a tunnel endpoint X Review locking and stabilize IM filter driver X Modify transparent DNS proxy code to work in direct or virtual mode X Modify IM filter driver to support rule priorities for insertion X Modify libflt ethernet header creation routine to use ARP data X Modify ipsecd, vflt and libvflt to deal with transient devices X Add auto configuration for phase1 and phase2 parameters X Review and correct any issues with the exchange handlers X Rewrite code related to proposal generation and checking X Rewrite code related to policy management X Fix ipsecd internal structure exposure to ipsecc X Rewrite ipsec processing code to be policy driven X Add support for ah in ipsecd X Add support for ipcomp and deflate compression X Rewrite packet queuing system X Add ability to view FW rules in VPN Trace X Add support for bundled proposals X Seperate ike process, ipsec control and ipsec process threads X Split ipsec daemon into ipsecd and iked X Port iked to a single unix target X Build pfkey interface for SPD and SAD management X Add ability to view SPD and SAD entries in VPN Trace X Fix information exchange and notify support X Add iked config file support for unix targets using flex/bison X Add iked support for sending responder lifetime notifications X Add iked support for xauth via local and ldap sources X Add iked support for modecfg X Add iked support for advanced policy generation X Split DNS Transparent proxy support into dtpd X Remove optional esp packet pre-fragmentation from ipsecd X Review all db locking and entry removal X Improve phase2 rekey in ipsecd X Add tunnel route to peer with default route X Modify existing default route metric X Add iked and iked.conf man pages X Fix initial vnet device usage X Add support for config push mode X Modify the client gui for manual policy include/exclude X Modify the client gui for config push or pull X Fix the vpn trace sdb output tabs X Update the client gui network tab X Test all client features against racoon and iked X Update the documentation 2.0.1 release - Improve platform support ---------------------------------------------------------------------- X Add support for Windows XP amd64 platform X Add support for x86/amd64 FreBSD platforms X Add support for x86/amd64 NetBSD platforms X Add support for x86/amd64 Linux platforms 2.0.2 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Various bug fixes 2.0.3 release - Bug fix and fine tuning ---------------------------------------------------------------------- X various bug fixes 2.1.0 release - Improve platform and gateway support ---------------------------------------------------------------------- X Review option flag usage for client struct X Make divert rule management dynamic ( be nice to other clients ) X Add support for syslog output on unix targets X Add support for DHCP over IPsec configuration method X Add support for strictly manual client configuration method X Add stateful fragment evaluation to filter driver X Add batched packet send and recv support to filter driver X Add support for older Linux distributions X Fix errors associated with iked processing duplicate packets X Fix validation and trimming of trailing packet data X Fix IM driver conflicts with the Cisco VPN Client ( DNE driver ) X Use exchange specific re-send timeout handlers for better logging X Fix iked to work with any udp service port X Add site connection support using the access manager system tray X Add iked support for multiple DNS/WINS server addresses X Add support for NAT-T draft 00 and 01 versions X Fix IM driver issues with Windows 2K and Virtualization Software X Add support for specifying the virtual network adapter MTU X Add DNS and WINS support for direct adapter mode X Fix Split DNS to work with an adapter specific default domain X Add support for Windows x86/amd64 Vista platforms X Fix route management for tunnels that force all traffic X Add support for renegotiating IKSAMP SAs in client mode X Add support for persistent IPSEC SAs X Add support for site configuration file format versioning X Add support for storing key and cert data in the site config X Add user preference dialog for site manager X Add preference for client minimize to system tray X Add preference for pre-populating user names X Add timestamps for non-syslog log output X Add checks for illegal site configuration names X Add site name and file conflict resolution dialogs X Fix any differences between unix and windows site configuration X Fix dissapearing DNS settings when the connection fails X Fix the event timer class to avoid wakeups X Fix hangs on *nix targets during iked shutdown X Add work around for missing xauth type attribute X Add a generic IPC class to avoid wakeups and reduce latency X Port libdtp to use generic IPC class X Port libike to use generic IPC class X Port libpfk to use generic IPC class X Fix high number of select wakeups on socket calls X Fix the client statistics update X Fix MS dnscache problems the right way X Import new logo and improved icon sets X Fix DPD problems while transitioning between ISAKMP SAs X Improve DPD timeout algorithm X Provide non WHQL signed Vista drivers X Correct NDIS 6 miniport compatibility issue with filter driver X Validate and document support for Cisco ASA gateways X Validate and document support for Juniper SSG gateways X Validate and document support for Zywall gateways X Validate and document support for Fortigate gateways 2.1.1 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix NDIS 6 miniport problems with filter driver X Fix VPN Trace problems on 64 bit Windows targets 2.1.2 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Various platform specific bug fixes 2.1.3 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix Diffie Hellman negotiation failures X Fix mature SA packet re-transmit issues X Fix config mode packet retransmit issues X Add checks for mandatory reboot post install on Windows Platforms X Fix dns resoltion for names that begin with numeric digit 2.1.4 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix a thread state bug that caused phase2 to fail in rare cases X Fix a phase2 responder bug that caused packet re-transmit to fail X Add explicit link state notifications for Vista filter drivers X Fix quick disconnects after negotiating with a cisco gateway X Add Dialup/PPP adapter support for Vista Platforms X Fix a critical bug in the windows libvflt ip forward caching code X Add proper support for multiple NAT-T hash values X Fix negotiation issues with Cisco PIX devices X Add support for Cisco Unity LOAD-BALANCE notifications 2.1.5 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Add proper support for multiple certificate request payloads 2.2.0 release - Remote access server support ---------------------------------------------------------------------- X Use overlapped IO to interface with the windows filter driver X Note the connection time and display this as a tooltip X Use bdata instead of openssl key struct pointer in keyfile code X Fix secrity flaws in the ipc server admin code X Validate and document support for Sidewinder gateways X Add an option for selecting a randomized virtual subnet address X Add GUI support for multiple DNS/WINS server addresses X Fix problems with resolv.conf file generation on unix platforms X Add support for automatic stable software update checks X Fix slow responsiveness duing DHCP over IPsec negotiations X Validate and document support for Netgear gateways X Add support for the XAuth Radius CHAP method X Fix negotiation of tunnel-all ( 0.0.0.0/0 ) configurations in iked X Move to Qt4 for unix client GUI components X Make all libs build and link as shared ojects on unix platform . Fix hibernate high utilization loop problem in iked . Fix multiple assigned adapter addresses with DHCP over IPsec . Fix problem with direct adapter mode DNS configuration ? Fix reverse DNS lookup issues . Add support for Cisco PCF file import . Make the client config subordinate to the phase1 handle . Make the config exchange handle subordinate to the phase1 handle . Remove all references to the obsolete COMPAT policy mode . Fix the server mode support in iked . Verify support for multiple simultaneous VPN connections . Improve site configuration policy entry documentation Near Term Goals ---------------------------------------------------------------------- . Validate USB WIFI/Ethernet adapter support on Windows Platforms . Validate and document support for OpenBSD gateways . Validate and document support for Strong/OpenSWAN gateways . Validate and document support for SonicWall gateways x Validate and document support for Checkpoint gateways . Validate and document support for Lancom gateways . Cleanup libpfk, its really ugly . Fix static buffer usage for temporary string data . Add support for encrypted configuration storage ? Use Qt4 to build unified cross platform GUI components ? Add ability to drag site connections as shortcuts ? Add support for client connect/disconnect script execution ? Add adaptive communications during connect ( Frag/NATT ) ? Move to a purely primitive based tunnel confguration interface ? Add support for lzs compression ( patent encumbered ) ? Add support for microsoft certificate and key storage api Long Term Goals ---------------------------------------------------------------------- . Finalized kernel drivers signed by Microsoft WHQL . Add support for Intel Mac OSX platforms . Write a setkey replacement based on libpfk . Add support for unattended installations ( needs signed drivers ) . Secure Domain Login . Stateful client side firewall . Create lightweight kernel or userland buildable crypto library . Move ip security processing into the kernel ---------------------------------------------------------------------- pfSense ---------------------------------------------------------------------- X Add support for modecfg X Add support for Xauth . Add support for fine grained network access control ---------------------------------------------------------------------- IPSEC-TOOLS ---------------------------------------------------------------------- X LDAP auth module X Group based sainfo selection X Group based xauth X isakmp_id2str X sainfo debug improvements X responder ignores inital fragment X clientaddr . review sa cleanup after client disconnect . cleanup modeconfg and introduce ike push mode . negotiate unity firewall rulesets via modecfg