---------------------------------------------------------------------- VPN Client ---------------------------------------------------------------------- Alpha release ... ---------------------------------------------------------------------- X Resolve host dns to address in ipsecc X Transmit size in vnet driver X DHCP renew effects phase2 sa's X Client status message rework X Allow the configuration of the dns suffix in ipseca X NAT-T force option in ipseca & ipsecc X Manual config of client settings in ipsecd ( review ipseci ) X Key size in ipseca for phase1 X Dir path problem ipsecc & ipsecd X Pre-fragment support in ipsecd X Update logging facility in ipsecd X Use generic logging facility in dll classes X Test all dialog options for feature parity Beta release ... ---------------------------------------------------------------------- X Rewrite vnet driver X Create cleanup routines for all sa and tunnel objects X Fix license view in about dialog X Delete sa's after they are declared dead X Isakmp re-transmit in ipsecd X Send NAT keep-alive packets X Mutual auth XAuth mode 1.0.0 release ... ---------------------------------------------------------------------- X SPI size of 8 in sa payload X Flag tunnel as dead when proposal is rejected X Handle notification payloads when bundled in phase1 or phase2 X Correct dialog layout issues X Allow for disabled client WINS and DNS settings X IKE fragmentation X Send delete messages as outlined in RFC 2408 X Handle delete messages as outlined in RFC 2408 X Send notify messages as outlined in RFC 2408 X Handle notify messages as outlined in RFC 2408 X Client feedback for failure cases X Fix crash after items deleted in ipseca X Support the modecfg banner attribute X Cleanup IPFRAG class X Phase2 sa re-establish after expire X Create debugger application interface X Prevent multiple tunnels from using the same gateway X Support the pfs modecfg attribute X Support the split exclude modecfg attribute X Correct client busy loop bug X Pre-configured client packaging system X Fix multiple tunnel issues X Write documentation X Button default issue in ipsecc X Test non-admin user operation X Correct loss of default route X Correct the VNET MTU dropping to 175 X Update VProt Interface to handle Dialup Adapters 1.1.0 release - Bug fixes and fine tuning ---------------------------------------------------------------------- X Add Split DNS Support X Cleanup orphaned dnsfwd entries X Cleanup PACKET_DNS memory leaks X Add Dead Peer Detection responder X Add Dead Peer Detection initiator X Move away from dynamic adapter creation ( adapter pools ) X Correct phase2 negotiation issues X Replace DHCP support with static configuration X Fix session termination messages X Move remaining projects in-branch to share versions X Modify interfaces to support Split DNS, DPD Banner and Notify X Remove tunnel references to internal API X Standardize and fix validation of inform and config hashes X Audit use of random generation X Correct debug output for modecfg banner X Restructure SDB and packet resend X Resolve issue with devcfg initial device creation X Report phase 2 id types and values X Add client username and password command line options X Remove media sense from VNet driver X Track down a rare ipsecc freeze when server rudely disconnect X Review driver locking X Modify VProt to handle multiple dialup adapters X Review adapter registry configurtaion X Update release documentation X Look into reported issue with Split DNS X Implement Split DNS reverse lookups X Correct p12 related problems X Add support for encrypted p12 and pem files X Correct problems with local ID checking X Test kernel drivers with multi-core systems 2.0.0 release - Interface below TCPIP and friends ---------------------------------------------------------------------- X Replace Protocol driver with IM filter driver X Build rule based filter framework into IM driver X Implement divert/mirror rule processing ( like FreeBSD ipfw ) X Implement accept/reject rule processing X Use filter framework for packet inspection / redirection X Remove uneeded functionality from virtual network interface X Hide platform specific route index detail in libip X Add support for using a real interface as a tunnel endpoint X Review locking and stabilize IM filter driver X Modify transparent DNS proxy code to work in direct or virtual mode X Modify IM filter driver to support rule priorities for insertion X Modify libflt ethernet header creation routine to use ARP data X Modify ipsecd, vflt and libvflt to deal with transient devices X Add auto configuration for phase1 and phase2 parameters X Review and correct any issues with the exchange handlers X Rewrite code related to proposal generation and checking X Rewrite code related to policy management X Fix ipsecd internal structure exposure to ipsecc X Rewrite ipsec processing code to be policy driven X Add support for ah in ipsecd X Add support for ipcomp and deflate compression X Rewrite packet queuing system X Add ability to view FW rules in VPN Trace X Add support for bundled proposals X Seperate ike process, ipsec control and ipsec process threads X Split ipsec daemon into ipsecd and iked X Port iked to a single unix target X Build pfkey interface for SPD and SAD management X Add ability to view SPD and SAD entries in VPN Trace X Fix information exchange and notify support X Add iked config file support for unix targets using flex/bison X Add iked support for sending responder lifetime notifications X Add iked support for xauth via local and ldap sources X Add iked support for modecfg X Add iked support for advanced policy generation X Split DNS Transparent proxy support into dtpd X Remove optional esp packet pre-fragmentation from ipsecd X Review all db locking and entry removal X Improve phase2 rekey in ipsecd X Add tunnel route to peer with default route X Modify existing default route metric X Add iked and iked.conf man pages X Fix initial vnet device usage X Add support for config push mode X Modify the client gui for manual policy include/exclude X Modify the client gui for config push or pull X Fix the vpn trace sdb output tabs X Update the client gui network tab X Test all client features against racoon and iked X Update the documentation 2.0.1 release - Improve platform support ---------------------------------------------------------------------- X Add support for Windows XP amd64 platform X Add support for x86/amd64 FreBSD platforms X Add support for x86/amd64 NetBSD platforms X Add support for x86/amd64 Linux platforms 2.0.2 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Various bug fixes 2.0.3 release - Bug fix and fine tuning ---------------------------------------------------------------------- X various bug fixes 2.1.0 release - Improve platform and gateway support ---------------------------------------------------------------------- X Review option flag usage for client struct X Make divert rule management dynamic ( be nice to other clients ) X Add support for syslog output on unix targets X Add support for DHCP over IPsec configuration method X Add support for strictly manual client configuration method X Add stateful fragment evaluation to filter driver X Add batched packet send and recv support to filter driver X Add support for older Linux distributions X Fix errors associated with iked processing duplicate packets X Fix validation and trimming of trailing packet data X Fix IM driver conflicts with the Cisco VPN Client ( DNE driver ) X Use exchange specific re-send timeout handlers for better logging X Fix iked to work with any udp service port X Add site connection support using the access manager system tray X Add iked support for multiple DNS/WINS server addresses X Add support for NAT-T draft 00 and 01 versions X Fix IM driver issues with Windows 2K and Virtualization Software X Add support for specifying the virtual network adapter MTU X Add DNS and WINS support for direct adapter mode X Fix Split DNS to work with an adapter specific default domain X Add support for Windows x86/amd64 Vista platforms X Fix route management for tunnels that force all traffic X Add support for renegotiating IKSAMP SAs in client mode X Add support for persistent IPSEC SAs X Add support for site configuration file format versioning X Add support for storing key and cert data in the site config X Add user preference dialog for site manager X Add preference for client minimize to system tray X Add preference for pre-populating user names X Add timestamps for non-syslog log output X Add checks for illegal site configuration names X Add site name and file conflict resolution dialogs X Fix any differences between unix and windows site configuration X Fix dissapearing DNS settings when the connection fails X Fix the event timer class to avoid wakeups X Fix hangs on *nix targets during iked shutdown X Add work around for missing xauth type attribute X Add a generic IPC class to avoid wakeups and reduce latency X Port libdtp to use generic IPC class X Port libike to use generic IPC class X Port libpfk to use generic IPC class X Fix high number of select wakeups on socket calls X Fix the client statistics update X Fix MS dnscache problems the right way X Import new logo and improved icon sets X Fix DPD problems while transitioning between ISAKMP SAs X Improve DPD timeout algorithm X Provide non WHQL signed Vista drivers X Correct NDIS 6 miniport compatibility issue with filter driver X Validate and document support for Cisco ASA gateways X Validate and document support for Juniper SSG gateways X Validate and document support for Zywall gateways X Validate and document support for Fortigate gateways 2.1.1 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix NDIS 6 miniport problems with filter driver X Fix VPN Trace problems on 64 bit Windows targets 2.1.2 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Various platform specific bug fixes 2.1.3 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix Diffie Hellman negotiation failures X Fix mature SA packet re-transmit issues X Fix config mode packet retransmit issues X Add checks for mandatory reboot post install on Windows Platforms X Fix dns resoltion for names that begin with numeric digit 2.1.4 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix a thread state bug that caused phase2 to fail in rare cases X Fix a phase2 responder bug that caused packet re-transmit to fail X Add explicit link state notifications for Vista filter drivers X Fix quick disconnects after negotiating with a cisco gateway X Add Dialup/PPP adapter support for Vista Platforms X Fix a critical bug in the windows libvflt ip forward caching code X Add proper support for multiple NAT-T hash values 2.1.5 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Add support for Cisco hybrid mode authentication ( mutual group ) X Add support for Cisco PCF file import X Add support for auto uninstall during install of Windows package X Add support for the XAuth radius chap method X Add support for correctly handling multiple certificate requests X Fix Checkpoint authentication regressions X Fix reported link speed issue with virtual network driver X Fix various kernel driver related issues reported by users X Fix problems with resolv.conf file generation on unix platforms X Fix NAT-T configuration issue 2.1.6 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix problem with direct adapter mode DNS configuration X Fix DHCP over IPsec via DHCP adapters by immitating a bootp relay X Fix DHCP pool exhaustion issue by retaining fake MAC see value X Fix ESP payload padding issue with Adtran gateways X Fix runtime creation of virtual adapter instances on Vista/7 X Fix dropped packets issues with vflt socket wrappers X Fix uninstall issue that occured when Novell client was installed X Fix kernel driver crash due to WANLINE (PPP/PPTP) notify parsing X Fix various kernel driver issues blocking DTM controller tests X Fix a bug related to using the IKE Fragmentation extestion X Fix a bug in IKE push mode that called a pull handler instead X Use a different port for DNS proxy to avoid 3rd party conflicts X Add support for overlapping local and remote networks X Add support for shared policy generation mode X Add manifest files so users are prompted for elevated privileges X Add pid file support on Linux/BSD platforms X Add support for reporting the UNITY app version and firewall type X Improve adapter/address selection for multiple inet connections X Initial kernel driver versions signed by Microsoft WHQL 2.1.7 release - Bug fix and fine tuning ---------------------------------------------------------------------- X Fix negotiation of tunnel-all ( 0.0.0.0/0 ) configurations in iked X Fix inbound SA negotiation with shared policy generation mode X Fix iproute deletion issue on Vista/7 platforms X Fix import of PCF files with non-encrypted password X Apply IPsec policy and filename promts fixed from Michael Kenny X Improve DNS Proxy divert rule management 2.2.0 release - Major feature improvements ---------------------------------------------------------------------- X Add Qt4 gui components to replace Qt3 components on Linux/BSD X Add console based VPN Connect component on Linux/BSD ( non-gui ) X Add initial support for Intel Mac OSX platforms w/ DMG installer X Add an option for selecting a randomized virtual subnet address X Add GUI support for multiple DNS/WINS server addresses X Add support for automatic stable software update checks X Add text that displays the connection time in system tray tooltip X Add support for Sidewinder 6.x, 7.x gateways ( merged to 2.1.x ) X Add support for Netgear gateways ( merged to 2.1.x ) X Fix secrity flaws in the ipc server admin code X Fix slow responsiveness duing DHCP over IPsec negotiations X Fix reverse DNS lookup issues with DNS proxy daemon X Make the client config subordinate to the phase1 handle X Use bdata instead of openssl key struct pointer in keyfile code X Use overlapped IO to interface with the windows filter driver X Fix the 500ms wakeup issue by avoiding vflt select-like calls X Fix all memory leaks reported by various debugging tools X Fix TCP LSO task offload in vflt driver on Vista/7 platforms X Fix WLAN virtual adapter issue reported on mailing list X Fix dialog color issues for windows HCB accessibility modes X Fix keyboard navigation to site profiles in access manager X Fix reported problems with DHCP over IPsec X Add support for newer openssl supported message auth algorithms X Add support for both ike and pfs dh groups 16, 17 and 18 X Add support for unattended installations ( needs signed drivers ) X Make all client platforms use file based site configurations X Make certificate data an embedded component of the site config X Add support for public site configurations on Windows Platforms X Fix handling of low-power-state notifications in iked on Windows . Add support for Secure Domain Login on Vista/7 platforms . Investigate PPP with Virtual Adapter DNS preference issue . Improve support for automatic stable software update checks . Cleanup registry based site configuration data . Test all rsa key file scenarios that use password protection 2.2.1 release - Bug fix and fine tuning ---------------------------------------------------------------------- . Fix or add all documented command line options in iked . Add support for encrypted site configuration storage . Cleanup all references to the obsolete COMPAT policy mode . Fix DNS setting issues with newer Mac OSX platforms . Add support for two factor user authentication methods . Apply Qt4 French translation patch from Alexis Lagoutte Near Term Goals ---------------------------------------------------------------------- . Validate USB WIFI/Ethernet adapter support on Windows Platforms . Validate and document support for OpenBSD gateways . Validate and document support for Strong/OpenSWAN gateways . Validate and document support for SonicWall gateways x Validate and document support for Checkpoint gateways . Validate and document support for Lancom gateways . Cleanup libpfk, its really ugly . Fix static buffer usage for temporary string data ? Use Qt4 to build unified cross platform GUI components ? Add ability to drag site connections as shortcuts ? Add support for client connect/disconnect script execution ? Add adaptive communications during connect ( Frag/NATT ) ? Move to a purely primitive based tunnel confguration interface ? Add support for lzs compression ( patent encumbered ) ? Add support for microsoft certificate and key storage api Long Term Goals ---------------------------------------------------------------------- . Fix the server mode support in iked . Write a setkey replacement based on libpfk . Stateful client side firewall . Create lightweight kernel or userland buildable crypto library . Move ip security processing into the kernel ---------------------------------------------------------------------- pfSense ---------------------------------------------------------------------- X Add support for modecfg X Add support for Xauth . Add support for fine grained network access control ---------------------------------------------------------------------- IPSEC-TOOLS ---------------------------------------------------------------------- X LDAP auth module X Group based sainfo selection X Group based xauth X isakmp_id2str X sainfo debug improvements X responder ignores inital fragment X clientaddr . review sa cleanup after client disconnect . cleanup modeconfg and introduce ike push mode . negotiate unity firewall rulesets via modecfg