------------------------------------------------------------------------
r722 | mgrooms | 2010-08-11 06:03:56 +0000 (Wed, 11 Aug 2010) | 2 lines
Modify the BSD libip route management class to be smarter about
replacing routes. On Windows and Linux, we utilize route metrics. On
BSD, we replace routes to duplicate networks and later restore them.
Don't replace routes if they are locally reachable.
------------------------------------------------------------------------
r719 | mgrooms | 2010-08-11 05:28:01 +0000 (Wed, 11 Aug 2010) | 1 line
Correct a bug in iked policy generation. Only set the ipsec policy
request id value when the UNIQUE level is specified. Other levels don't
require this value since it is only used to pair outbound SAs to unique
policies. Setting this value at require level breaks SA negotiation on
Linux systems.
------------------------------------------------------------------------
r716 | mgrooms | 2010-08-10 18:55:50 +0000 (Tue, 10 Aug 2010) | 2 lines
Modify iked to create a DHCP seed value in a file. A new configuration
file parameter allows the path of this file to be specified. If the file
doesn't exist, a new file is created and a new seed value is written
automatically.
------------------------------------------------------------------------
r713 | mgrooms | 2010-08-10 05:22:58 +0000 (Tue, 10 Aug 2010) | 1 line
Modify iked to use the DHCP MAC address seed value. This is mutated using
the peer IP address value to create the value sent to the peer during
DHCP over IPsec negotiation. This value is consistent across connections
so that a new IP address won't be assigned by the DHCP server. This
helps avoid DHCP address pool exhaustion. Thanks to Uwe Weber for
reporting this issue.
------------------------------------------------------------------------
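An added example, not iked's code: one way to derive a stable DHCP client hardware address from a per-installation seed and the peer address, as the entry above describes. The log does not say how iked mutates the seed, so the mixing function here (64-bit FNV-1a over seed || peer IP) is an assumption chosen for brevity, and the seed, gateway addresses and function names are constructed for this example. What the example preserves is the property that matters for pool exhaustion: the same seed and peer always yield the same address, a different peer yields a different one, and the result is a valid locally administered unicast MAC.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Mac = std::array<uint8_t, 6>;

// 64-bit FNV-1a over a byte string. Used here only because it is short and
// deterministic; it is not the mixing function iked uses (the log entry does
// not describe that one).
static uint64_t fnv1a64(const std::vector<uint8_t>& in) {
    uint64_t h = 1469598103934665603ULL;
    for (uint8_t b : in) {
        h ^= b;
        h *= 1099511628211ULL;
    }
    return h;
}

// Derive the client hardware address sent during DHCP over IPsec from the
// stored seed and the peer (gateway) IPv4 address. Same seed and peer give the
// same address on every connection, so the DHCP server renews the existing
// lease instead of allocating a fresh one each time the tunnel comes up.
Mac derive_dhcp_mac(const std::array<uint8_t, 6>& seed,
                    const std::array<uint8_t, 4>& peer_ip) {
    std::vector<uint8_t> in(seed.begin(), seed.end());
    in.insert(in.end(), peer_ip.begin(), peer_ip.end());
    uint64_t h = fnv1a64(in);
    Mac mac;
    for (int i = 0; i < 6; ++i) mac[i] = static_cast<uint8_t>(h >> (8 * i));
    // Clear the multicast bit and set the locally administered bit so the
    // address can never collide with a vendor-assigned (OUI) MAC.
    mac[0] = (mac[0] & 0xFE) | 0x02;
    return mac;
}

std::string mac_to_string(const Mac& m) {
    char buf[18];
    std::snprintf(buf, sizeof buf, "%02x:%02x:%02x:%02x:%02x:%02x",
                  m[0], m[1], m[2], m[3], m[4], m[5]);
    return buf;
}

// Constructed sample inputs: not a real seed, and documentation-range gateways.
const std::array<uint8_t, 6> kSeed{0x10, 0x20, 0x30, 0x40, 0x50, 0x60};
const std::array<uint8_t, 4> kGatewayA{203, 0, 113, 10};
const std::array<uint8_t, 4> kGatewayB{198, 51, 100, 7};

// Reconnecting to the same gateway must reproduce the same address.
bool mac_is_stable() {
    return derive_dhcp_mac(kSeed, kGatewayA) == derive_dhcp_mac(kSeed, kGatewayA);
}

// A different gateway should get a different address from the same seed.
bool mac_is_per_peer() {
    return derive_dhcp_mac(kSeed, kGatewayA) != derive_dhcp_mac(kSeed, kGatewayB);
}

// First octet: multicast bit clear, locally administered bit set.
bool mac_is_local_unicast() {
    Mac m = derive_dhcp_mac(kSeed, kGatewayA);
    return (m[0] & 0x03) == 0x02;
}

int main() {
    std::printf("gateway A: %s\n", mac_to_string(derive_dhcp_mac(kSeed, kGatewayA)).c_str());
    std::printf("gateway B: %s\n", mac_to_string(derive_dhcp_mac(kSeed, kGatewayB)).c_str());
    return 0;
}
```

Because the derived address is a deterministic function of the seed file, that file should be readable only by the daemon: anyone who can read it can predict the client's DHCP identity for every gateway.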
r710 | mgrooms | 2010-08-05 06:44:22 +0000 (Thu, 05 Aug 2010) | 1 line
Modify iked to detect when a next-hop is used to reach the VPN gateway.
If so, install a NONE policy to ensure that packets destined to the
next-hop won't match an IPsec policy. This is used by the IPsec daemon
on Windows to avoid responding to ARP requests for the next-hop on the
virtual adapter when the local network overlaps with a tunneled network.
------------------------------------------------------------------------
r707 | mgrooms | 2010-08-05 06:25:31 +0000 (Thu, 05 Aug 2010) | 2 lines
Modify the Fortigate DHCP over IPsec support to act like a BOOTP relay
agent. This allows us to use the feature when the VPN client host has a
public interface that is also DHCP configured by avoiding the bind
conflict with system DHCP.
------------------------------------------------------------------------
r698 | mgrooms | 2010-07-17 16:45:49 +0000 (Sat, 17 Jul 2010) | 1 line
Modify iked to be smarter about selecting the generated policy level
when set to auto. Previously, we always selected shared when the client
received a CISCO-UNITY ID. Now we select shared when the client receives
a CISCO-UNITY ID but not a KAME / ipsec-tools vendor ID.
------------------------------------------------------------------------
r694 | mgrooms | 2010-07-08 00:06:53 +0000 (Thu, 08 Jul 2010) | 1 line
Branch for 2.1.6 release.
------------------------------------------------------------------------
r693 | mgrooms | 2010-07-05 21:24:14 +0000 (Mon, 05 Jul 2010) | 2 lines
Add the ability to utilize a pid file on Linux/BSD/OSX platforms.
Another mechanism is used on Windows platforms to ensure only one iked
process is running.
------------------------------------------------------------------------
r691 | mgrooms | 2010-07-02 18:46:19 +0000 (Fri, 02 Jul 2010) | 1 line
Remove a temporary log statement that was used to debug the IKE fragment
code. Also log more debug level detail when parsing IKE fragment
payloads.
------------------------------------------------------------------------
r689 | mgrooms | 2010-07-01 02:27:03 +0000 (Thu, 01 Jul 2010) | 1 line
Correct a bug in iked related to the IKE fragmentation extension. When
IKE fragments were being evaluated, the list index was not being reset
when a fragment ID match was found. This caused the next match to fail
if the fragments were received out of order.
------------------------------------------------------------------------
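An added example, not iked's code: a fragment reassembler for the IKE fragmentation extension that keys fragments by fragment number instead of scanning a list by position, so the out-of-order case the fix above is about cannot be lost to a stale index. The header fields assumed (16-bit fragment ID, 8-bit fragment number starting at 1, a last-fragment flag) follow the extension; the class, function names and the sample fragments are constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One IKE fragment after the fragmentation payload has been parsed: which
// message it belongs to, its position within that message, whether it is
// the last one, and the carried bytes.
struct IkeFragment {
    uint16_t frag_id;
    uint8_t  frag_num;   // 1-based
    bool     last;
    std::vector<uint8_t> data;
};

// Per-fragment-ID reassembly state. Fragments are stored by number, so the
// order of arrival does not matter and a duplicate cannot displace a piece.
class IkeReassembler {
public:
    // Add a fragment. Returns true and fills `out` when the message for that
    // fragment ID is complete; that ID's state is then discarded.
    bool add(const IkeFragment& f, std::vector<uint8_t>& out) {
        if (f.frag_num == 0) return false;                       // malformed
        Pending& p = pending_[f.frag_id];
        if (f.last) {
            if (p.total != 0 && p.total != f.frag_num) return false; // conflicting "last"
            p.total = f.frag_num;
        }
        if (p.total != 0 && f.frag_num > p.total) return false;   // past announced end
        p.parts.emplace(f.frag_num, f.data);                      // keeps first copy on duplicate
        if (p.total == 0 || p.parts.size() != static_cast<size_t>(p.total)) return false;
        out.clear();
        for (const auto& kv : p.parts)                             // std::map iterates in key order
            out.insert(out.end(), kv.second.begin(), kv.second.end());
        pending_.erase(f.frag_id);
        return true;
    }
    size_t pending_count() const { return pending_.size(); }

private:
    struct Pending {
        uint8_t total = 0;   // unknown until the "last" fragment arrives
        std::map<uint8_t, std::vector<uint8_t>> parts;
    };
    std::map<uint16_t, Pending> pending_;
};

static std::vector<uint8_t> bytes(const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
}

// Constructed sample: message 7 arrives last-fragment-first, with a fragment
// of unrelated message 9 interleaved. Only the final add() completes it.
std::string reassemble_sample() {
    IkeReassembler r;
    std::vector<uint8_t> out;
    if (r.add({7, 3, true,  bytes("GHI")}, out)) return "completed too early";
    if (r.add({9, 1, false, bytes("xx")},  out)) return "completed too early";
    if (r.add({7, 1, false, bytes("ABC")}, out)) return "completed too early";
    if (!r.add({7, 2, false, bytes("DEF")}, out)) return "did not complete";
    return std::string(out.begin(), out.end());
}

// A fragment numbered beyond the announced last fragment must be ignored;
// if it were stored, the message could never reach the expected count.
bool rejects_fragment_past_end() {
    IkeReassembler r;
    std::vector<uint8_t> out;
    r.add({5, 2, true,  bytes("b")}, out);   // announces two fragments
    r.add({5, 3, false, bytes("c")}, out);   // beyond the end: dropped
    bool done = r.add({5, 1, false, bytes("a")}, out);
    return done && out == bytes("ab") && r.pending_count() == 0;
}

int main() {
    std::printf("reassembled: %s\n", reassemble_sample().c_str());
    return 0;
}
```

A production reassembler also needs a per-ID timeout and a cap on buffered bytes, since an unauthenticated peer can send fragments for IDs it never completes.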
r687 | mgrooms | 2010-06-29 05:06:18 +0000 (Tue, 29 Jun 2010) | 1 line
Cosmetic change in iked. Use a more descriptive member variable name in
the name service information structure.
------------------------------------------------------------------------
r685 | mgrooms | 2010-06-29 03:47:58 +0000 (Tue, 29 Jun 2010) | 2 lines
Modify the cmake configure scripts to allow a library install directory
to be specified. This is useful for platforms that use /usr/lib64
instead of /usr/lib on 64bit platforms. While here, fix some typos and
make some minor updates to the README.TXT file.
------------------------------------------------------------------------
r678 | mgrooms | 2010-06-27 16:53:16 +0000 (Sun, 27 Jun 2010) | 6 lines
Modify the Qt UI components to support the new IPSEC policy level
option. Correct an issue reported by Peter Schauer that caused the local
identity properties to be clobbered by the UI when a site configuration
using RSA authentication was loaded.
Modify the nailed policy code to match the head version. This change is
completely cosmetic.
Update the CMakeLists release version to match the version.h value.
------------------------------------------------------------------------
r676 | mgrooms | 2010-06-26 20:19:22 +0000 (Sat, 26 Jun 2010) | 3 lines
Add a new option that allows a user to specify the IPsec policy level
for generated policies. These map to the REQUIRE and UNIQUE security
policy levels as implemented via PF_KEY on Linux/BSD systems. We do not
implement the USE level as it has little utility for a VPN client. The
exposed configuration options are 'auto', 'require', 'unique' and
'shared'. The 'unique' option is the exact behavior the Shrew Soft VPN
client has always used. It will negotiate unique SAs as needed for each
policy generated. The 'require' option negotiates SAs as needed using
the policy source and destination network IDs. However, instead of
negotiating unique SAs for each policy, it uses any SA already
established with the peer to protect traffic that matches any generated
policy for that peer. The 'shared' option is a non-standard mode of
operation designed to mimic the way Cisco VPN clients manage security
associations. Policies are generated using the 'require' level. However,
when negotiating SAs with the remote peer, a remote network ID of
0.0.0.0/0 is used instead of the policy defined value. This allows a
single SA to be shared amongst multiple policies using unique
source/destination network IDs while maintaining compatibility with the
standard Linux/BSD conventions. The 'auto' option defaults to 'shared'
level when a Cisco compatible vendor ID is received during phase1
negotiation. Otherwise, the 'unique' level is used.
Correct a bug in iked that caused a memory allocation to be freed twice
under some circumstances.
------------------------------------------------------------------------
r674 | mgrooms | 2010-05-12 00:20:25 +0000 (Wed, 12 May 2010) | 1 line
Modify the libip IPROUTE iface_2_addr member function to pass a gateway
address value. This allows us to use fuzzy matching to select the correct
address when multiple addresses exist for a single interface.
------------------------------------------------------------------------
r657 | mgrooms | 2010-03-05 06:08:25 +0000 (Fri, 05 Mar 2010) | 3 lines
Correct a bug in the ith ipc interface library that did not classify an
error return code properly.
Push down the select ioctl error handling into the select function call
on windows.
------------------------------------------------------------------------
r655 | mgrooms | 2010-02-02 04:06:14 +0000 (Tue, 02 Feb 2010) | 1 line
Fix a bug in the config exchange that caused the pull mode receive
handler to be called when it should call the push handler. This has been
reported to fix interoperability with strongswan and probably fixes
issues when communicating with other push based implementations. Also
fix a bug that caused RSA negotiations using self signed certificates to
fail. This bug was introduced when support for verifying a certificate
stack received "out of order" was added.
------------------------------------------------------------------------
r653 | mgrooms | 2010-02-02 03:56:36 +0000 (Tue, 02 Feb 2010) | 2 lines
Modify the unix access manager application to allow for 0.0.0.0/0 routes
to be added as an include network. This will allow clients to force all
traffic across the tunnel even if a split network list is received by
the gateway. Fix a bug that caused pcf imports to be incomplete when a
group name was not specified. We now set a default local identity type
value of address for PSK authentication modes and asn1dn for RSA modes.
Fix a bug that caused pcf imports to fail when a key name was specified
with no value.
------------------------------------------------------------------------
r651 | mgrooms | 2009-12-20 06:53:48 +0000 (Sun, 20 Dec 2009) | 2 lines
Correct a bug in the iked *nix build related to stricter const void type
checking in newer versions of gcc. Also correct an application crash
related to the BDATA class not properly handling assignment when being
instantiated. For now, just instantiate the object and then assign.
------------------------------------------------------------------------
r649 | mgrooms | 2009-12-17 06:56:38 +0000 (Thu, 17 Dec 2009) | 1 line
Modify iked to output the received Cisco Unity application string when
debug level output is enabled. This should allow users to identify the
remote Cisco device more easily. Fix the new support for reporting the
application string and firewall type to Cisco gateways. This was
mis-merged from head. Change the application string that we report on
*nix platforms to match the Cisco format. Re-order some attribute
handling code to match the definition order. This last change is purely
cosmetic.
------------------------------------------------------------------------
r647 | mgrooms | 2009-12-15 08:11:42 +0000 (Tue, 15 Dec 2009) | 4 lines
Modify iked to send an application version string and firewall type when
communicating with Cisco gateways. This should offer improved
compatibility in some cases. Thanks to Nick Maio who provided the bug
report and testing.
Modify iked to always create NONE policies to ensure we will still
communicate with our peer for the case where IPSEC policies exist that
encrypt traffic between client and gateway endpoint addresses. Thanks to
Evan Kinney who provided the bug report and testing.
------------------------------------------------------------------------
r645 | mgrooms | 2009-11-15 18:26:47 +0000 (Sun, 15 Nov 2009) | 2 lines
Now that we have branched for the 2.1.5 release, update the version to
2.1.6.
------------------------------------------------------------------------