------------------------------------------------------------------------
r584 | mgrooms | 2008-11-11 14:38:24 -0600 (Tue, 11 Nov 2008) | 2 lines
Update the version number in CMakeLists and the version.h header.
------------------------------------------------------------------------
r583 | mgrooms | 2008-11-11 14:27:29 -0600 (Tue, 11 Nov 2008) | 1 line
Branch for 2.1.4 release.
------------------------------------------------------------------------
r581 | mgrooms | 2008-11-10 14:57:01 -0600 (Mon, 10 Nov 2008) | 2 lines
Modify the unix VPN connect application to report which peer iked has
established a tunnel with. This is useful when communicating with Cisco
gateways that perform load balancing.
------------------------------------------------------------------------
r579 | mgrooms | 2008-11-10 13:14:00 -0600 (Mon, 10 Nov 2008) | 1 line
Correct handling of Cisco Unity LOAD-BALANCE notifications in iked.
Reset some tunnel statistics before we attempt to re-negotiate with the
specified peer. Pass the peer address along with the statistics so we
can report which gateway address the user is connected to.
------------------------------------------------------------------------
r577 | mgrooms | 2008-11-09 12:57:27 -0600 (Sun, 09 Nov 2008) | 1 line
Correct handling of Cisco Unity LOAD-BALANCE notifications in iked.
Increment and decrement the phase1 handle when flagging it for deletion
to ensure the delete notification is sent before we modify the peer
endpoint addresses. Also remove any event timer entries so duplicates
are not queued by the timer class when the tunnel re-initializes.
------------------------------------------------------------------------
r575 | mgrooms | 2008-11-06 12:59:07 -0600 (Thu, 06 Nov 2008) | 1 line
Correct a bug in the iked pfkey io thread that could lead to a hang when
the service control manager attempts to stop the process. This could
lead to issues especially during uninstall.
------------------------------------------------------------------------
r573 | mgrooms | 2008-11-05 14:06:56 -0600 (Wed, 05 Nov 2008) | 1 line
Add support for Cisco Unity LOAD-BALANCE notifications. A device working
in a high availability group can send this notification message which
contains the IP address of a new gateway. If the tunnel has not reached
maturity, the client migrates to the new gateway immediately on receipt
of this request.
------------------------------------------------------------------------
r570 | mgrooms | 2008-11-05 11:25:43 -0600 (Wed, 05 Nov 2008) | 2 lines
Add a new option to the Unix Access Manager and VPN Connect applications
that allows the Checkpoint vendor ID option to be enabled during phase1
negotiations.
------------------------------------------------------------------------
r568 | mgrooms | 2008-11-05 10:50:56 -0600 (Wed, 05 Nov 2008) | 1 line
Modify iked to be more selective when handling vendor IDs during phase1
negotiations. Both Checkpoint and Cisco PIX routers require that the
last vendor ID in a packet be the vendor specific ID. By default, iked
now sends the Cisco Unity ID as the last ID in the packet. If requested
by the client, the Checkpoint ID is sent as the last vendor ID in the
packet.
------------------------------------------------------------------------
r564 | mgrooms | 2008-11-02 16:48:08 -0600 (Sun, 02 Nov 2008) | 3 lines
Add overloaded equality comparison operators for the basic data class.
Update the todo list.
------------------------------------------------------------------------
r563 | mgrooms | 2008-11-02 16:45:02 -0600 (Sun, 02 Nov 2008) | 1 line
Modify iked to process multiple NAT discovery payloads in accordance
with RFC 3947. Previously we assumed a single remote address hash
payload would be received. We now accept multiple hash values and
compare them properly. While here, remove two NAT related bool values
from the phase1 handle which were no longer in use.
------------------------------------------------------------------------
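Added example, not Shrew Soft code: the r563 message above describes accepting several NAT-D payloads instead of one. The sketch below follows RFC 3947 section 3.2 (each NAT-D payload carries HASH(CKY-I | CKY-R | IP | Port); the first names the recipient's address, the rest name the sender's candidate addresses) and contrasts a receiver that checks only the first sender hash with one that checks all of them. The cookies, addresses and the choice of SHA-1 as the negotiated phase 1 hash are constructed assumptions for the demo; it also works for IPv6 addresses because the packed form is hashed.

```python
import hashlib
import ipaddress
import struct

# Assumption for the demo: phase 1 negotiated SHA-1. RFC 3947 uses whatever
# hash algorithm was agreed in phase 1 for the NAT-D payloads.
NEGOTIATED_HASH = "sha1"

# Constructed sample values (not from any real exchange).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
GATEWAY = ("203.0.113.1", 500)
CLIENT_ADDRS = [("192.0.2.10", 500), ("192.0.2.11", 500)]   # multi-homed client


def natd_hash(cky_i, cky_r, ip, port):
    """HASH(CKY-I | CKY-R | IP | Port) as laid out in RFC 3947 section 3.2."""
    packed_ip = ipaddress.ip_address(ip).packed        # 4 bytes for v4, 16 for v6
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(NEGOTIATED_HASH, data).digest()


def build_natd_payloads(cky_i, cky_r, peer_addr, local_addrs):
    """Sender side: first payload hashes the peer's address as we see it,
    then one payload per address we might be sending from."""
    payloads = [natd_hash(cky_i, cky_r, *peer_addr)]
    payloads += [natd_hash(cky_i, cky_r, ip, port) for ip, port in local_addrs]
    return payloads


def detect_nat(cky_i, cky_r, payloads, my_addr, packet_src):
    """Receiver side (RFC 3947 behaviour): our own address must match the
    first payload; the packet's observed source must match ANY of the rest.
    Returns (we_are_behind_nat, peer_is_behind_nat)."""
    if len(payloads) < 2:
        raise ValueError("at least two NAT-D payloads are required")
    local_behind_nat = natd_hash(cky_i, cky_r, *my_addr) != payloads[0]
    src_hash = natd_hash(cky_i, cky_r, *packet_src)
    remote_behind_nat = all(p != src_hash for p in payloads[1:])
    return local_behind_nat, remote_behind_nat


def detect_nat_single_payload(cky_i, cky_r, payloads, my_addr, packet_src):
    """The pre-r563 assumption: only one remote address hash is examined, so a
    multi-homed peer sending from its second address is misreported as NATed."""
    local_behind_nat = natd_hash(cky_i, cky_r, *my_addr) != payloads[0]
    remote_behind_nat = natd_hash(cky_i, cky_r, *packet_src) != payloads[1]
    return local_behind_nat, remote_behind_nat


def run_scenarios():
    """Run both receivers over constructed traffic and return their verdicts."""
    payloads = build_natd_payloads(CKY_I, CKY_R, GATEWAY, CLIENT_ADDRS)
    from_second_addr = ("192.0.2.11", 500)       # no NAT, just the other interface
    from_nat_device = ("198.51.100.7", 4500)     # translated source, NAT present
    return {
        "multihomed_all_payloads": detect_nat(CKY_I, CKY_R, payloads, GATEWAY, from_second_addr),
        "multihomed_single_payload": detect_nat_single_payload(CKY_I, CKY_R, payloads, GATEWAY, from_second_addr),
        "nat_all_payloads": detect_nat(CKY_I, CKY_R, payloads, GATEWAY, from_nat_device),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: local_nat={verdict[0]} remote_nat={verdict[1]}")
```

The single-payload receiver reports the multi-homed client as NATed when it is not, which would wrongly switch the session to UDP encapsulation; comparing against every payload after the first gives the correct answer while still detecting a genuinely translated source.
------------------------------------------------------------------------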
r562 | mgrooms | 2008-11-02 12:56:29 -0600 (Sun, 02 Nov 2008) | 1 line
Modify iked to ignore any split network definitions that use a null
address or subnet value. The client will generate a single 0.0.0.0/0
include policy if no specific remote network definitions are received.
This avoids any problems that may occur when the gateway sends
configuration data that would prevent the client from operating
correctly.
------------------------------------------------------------------------
r558 | mgrooms | 2008-10-16 23:25:47 -0500 (Thu, 16 Oct 2008) | 3 lines
Revert the change that re-transmits a configuration packet after the
configuration has become mature. This can cause problems when
communicating with a Cisco device if the virtual network adapter is
taking an unusually long time to initialize. A ping-pong packet war will
commence which quickly leads to premature tunnel termination. A more
appropriate long term fix will be committed after prerequisite work is
completed.
Introduce a new policy option that forces a single phase2 SA to be
negotiated after a policy is created. Use this option to ensure phase2
negotiation occurs immediately after a connection has been established
with a Cisco gateway. These devices will disconnect a client shortly
after initial contact if an IPsec SA is not established.
------------------------------------------------------------------------
r554 | mgrooms | 2008-10-13 18:47:13 -0500 (Mon, 13 Oct 2008) | 1 line
Correct some minor issues in iked. Ensure the isakmp payload reserved
values are null during packet validation. Always note the reason we
refuse to process a packet due to a validation failure. Remove the
phase1 duplicate payload checks as they are no longer required. Make
sure we re-transmit the phase1 and phase2 packet queue when a decrypt
error is detected. Safeguard against a thread state issue that caused
an outbound phase2 packet to be processed simultaneously by the recv and
pfkey threads. This problem was reported by Mark Jenks as a phase2
negotiation failure.
------------------------------------------------------------------------
r549 | mgrooms | 2008-10-11 16:45:36 -0500 (Sat, 11 Oct 2008) | 2 lines
Work around a regression in iked where we attempt to acquire the idb
lock mutex when it is already owned.
------------------------------------------------------------------------