----------------------------------------------------------------------
VPN Client
----------------------------------------------------------------------
Alpha release ...
----------------------------------------------------------------------
X Resolve host dns to address in ipsecc
X Transmit size in vnet driver
X DHCP renew affects phase2 sa's
X Client status message rework
X Allow the configuration of the dns suffix in ipseca
X NAT-T force option in ipseca & ipsecc
X Manual config of client settings in ipsecd ( review ipseci )
X Key size in ipseca for phase1
X Dir path problem ipsecc & ipsecd
X Pre-fragment support in ipsecd
X Update logging facility in ipsecd
X Use generic logging facility in dll classes
X Test all dialog options for feature parity
Beta release ...
----------------------------------------------------------------------
X Rewrite vnet driver
X Create cleanup routines for all sa and tunnel objects
X Fix license view in about dialog
X Delete sa's after they are declared dead
X Isakmp re-transmit in ipsecd
X Send NAT keep-alive packets
X Mutual auth XAuth mode
1.0.0 release ...
----------------------------------------------------------------------
X SPI size of 8 in sa payload
X Flag tunnel as dead when proposal is rejected
X Handle notification payloads when bundled in phase1 or phase2
X Correct dialog layout issues
X Allow for disabled client WINS and DNS settings
X IKE fragmentation
X Send delete messages as outlined in RFC 2408
X Handle delete messages as outlined in RFC 2408
X Send notify messages as outlined in RFC 2408
X Handle notify messages as outlined in RFC 2408
X Client feedback for failure cases
X Fix crash after items deleted in ipseca
X Support the modecfg banner attribute
X Cleanup IPFRAG class
X Phase2 sa re-establish after expire
X Create debugger application interface
X Prevent multiple tunnels from using the same gateway
X Support the pfs modecfg attribute
X Support the split exclude modecfg attribute
X Correct client busy loop bug
X Pre-configured client packaging system
X Fix multiple tunnel issues
X Write documentation
X Button default issue in ipsecc
X Test non-admin user operation
X Correct loss of default route
X Correct the VNET MTU dropping to 175
X Update VProt Interface to handle Dialup Adapters
1.1.0 release - Bug fixes and fine tuning
----------------------------------------------------------------------
X Add Split DNS Support
X Cleanup orphaned dnsfwd entries
X Cleanup PACKET_DNS memory leaks
X Add Dead Peer Detection responder
X Add Dead Peer Detection initiator
X Move away from dynamic adapter creation ( adapter pools )
X Correct phase2 negotiation issues
X Replace DHCP support with static configuration
X Fix session termination messages
X Move remaining projects in-branch to share versions
X Modify interfaces to support Split DNS, DPD Banner and Notify
X Remove tunnel references to internal API
X Standardize and fix validation of inform and config hashes
X Audit use of random generation
X Correct debug output for modecfg banner
X Restructure SDB and packet resend
X Resolve issue with devcfg initial device creation
X Report phase 2 id types and values
X Add client username and password command line options
X Remove media sense from VNet driver
X Track down a rare ipsecc freeze when server rudely disconnects
X Review driver locking
X Modify VProt to handle multiple dialup adapters
X Review adapter registry configuration
X Update release documentation
X Look into reported issue with Split DNS
X Implement Split DNS reverse lookups
X Correct p12 related problems
X Add support for encrypted p12 and pem files
X Correct problems with local ID checking
X Test kernel drivers with multi-core systems
2.0.0 release - Interface below TCPIP and friends
----------------------------------------------------------------------
X Replace Protocol driver with IM filter driver
X Build rule based filter framework into IM driver
X Implement divert/mirror rule processing ( like FreeBSD ipfw )
X Implement accept/reject rule processing
X Use filter framework for packet inspection / redirection
X Remove unneeded functionality from virtual network interface
X Hide platform specific route index detail in libip
X Add support for using a real interface as a tunnel endpoint
X Review locking and stabilize IM filter driver
X Modify transparent DNS proxy code to work in direct or virtual mode
X Modify IM filter driver to support rule priorities for insertion
X Modify libflt ethernet header creation routine to use ARP data
X Modify ipsecd, vflt and libvflt to deal with transient devices
X Add auto configuration for phase1 and phase2 parameters
X Review and correct any issues with the exchange handlers
X Rewrite code related to proposal generation and checking
X Rewrite code related to policy management
X Fix ipsecd internal structure exposure to ipsecc
X Rewrite ipsec processing code to be policy driven
X Add support for ah in ipsecd
X Add support for ipcomp and deflate compression
X Rewrite packet queuing system
X Add ability to view FW rules in VPN Trace
X Add support for bundled proposals
X Separate ike process, ipsec control and ipsec process threads
X Split ipsec daemon into ipsecd and iked
X Port iked to a single unix target
X Build pfkey interface for SPD and SAD management
X Add ability to view SPD and SAD entries in VPN Trace
X Fix information exchange and notify support
X Add iked config file support for unix targets using flex/bison
X Add iked support for sending responder lifetime notifications
X Add iked support for xauth via local and ldap sources
X Add iked support for modecfg
X Add iked support for advanced policy generation
X Split DNS Transparent proxy support into dtpd
X Remove optional esp packet pre-fragmentation from ipsecd
X Review all db locking and entry removal
X Improve phase2 rekey in ipsecd
X Add tunnel route to peer with default route
X Modify existing default route metric
X Add iked and iked.conf man pages
X Fix initial vnet device usage
X Add support for config push mode
X Modify the client gui for manual policy include/exclude
X Modify the client gui for config push or pull
X Fix the vpn trace sdb output tabs
X Update the client gui network tab
X Test all client features against racoon and iked
X Update the documentation
2.0.1 release - Improve platform support
----------------------------------------------------------------------
X Add support for Windows XP amd64 platform
X Add support for x86/amd64 FreeBSD platforms
X Add support for x86/amd64 NetBSD platforms
X Add support for x86/amd64 Linux platforms
2.0.2 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Various bug fixes
2.0.3 release - Bug fix and fine tuning
----------------------------------------------------------------------
X various bug fixes
2.1.0 release - Improve platform and gateway support
----------------------------------------------------------------------
X Review option flag usage for client struct
X Make divert rule management dynamic ( be nice to other clients )
X Add support for syslog output on unix targets
X Add support for DHCP over IPsec configuration method
X Add support for strictly manual client configuration method
X Add stateful fragment evaluation to filter driver
X Add batched packet send and recv support to filter driver
X Add support for older Linux distributions
X Fix errors associated with iked processing duplicate packets
X Fix validation and trimming of trailing packet data
X Fix IM driver conflicts with the Cisco VPN Client ( DNE driver )
X Use exchange specific re-send timeout handlers for better logging
X Fix iked to work with any udp service port
X Add site connection support using the access manager system tray
X Add iked support for multiple DNS/WINS server addresses
X Add support for NAT-T draft 00 and 01 versions
X Fix IM driver issues with Windows 2K and Virtualization Software
X Add support for specifying the virtual network adapter MTU
X Add DNS and WINS support for direct adapter mode
X Fix Split DNS to work with an adapter specific default domain
X Add support for Windows x86/amd64 Vista platforms
X Fix route management for tunnels that force all traffic
X Add support for renegotiating ISAKMP SAs in client mode
X Add support for persistent IPSEC SAs
X Add support for site configuration file format versioning
X Add support for storing key and cert data in the site config
X Add user preference dialog for site manager
X Add preference for client minimize to system tray
X Add preference for pre-populating user names
X Add timestamps for non-syslog log output
X Add checks for illegal site configuration names
X Add site name and file conflict resolution dialogs
X Fix any differences between unix and windows site configuration
X Fix disappearing DNS settings when the connection fails
X Fix the event timer class to avoid wakeups
X Fix hangs on *nix targets during iked shutdown
X Add work around for missing xauth type attribute
X Add a generic IPC class to avoid wakeups and reduce latency
X Port libdtp to use generic IPC class
X Port libike to use generic IPC class
X Port libpfk to use generic IPC class
X Fix high number of select wakeups on socket calls
X Fix the client statistics update
X Fix MS dnscache problems the right way
X Import new logo and improved icon sets
X Fix DPD problems while transitioning between ISAKMP SAs
X Improve DPD timeout algorithm
X Provide non WHQL signed Vista drivers
X Correct NDIS 6 miniport compatibility issue with filter driver
X Validate and document support for Cisco ASA gateways
X Validate and document support for Juniper SSG gateways
X Validate and document support for Zywall gateways
X Validate and document support for Fortigate gateways
2.1.1 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix NDIS 6 miniport problems with filter driver
X Fix VPN Trace problems on 64 bit Windows targets
2.1.2 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Various platform specific bug fixes
2.1.3 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix Diffie Hellman negotiation failures
X Fix mature SA packet re-transmit issues
X Fix config mode packet retransmit issues
X Add checks for mandatory reboot post install on Windows Platforms
X Fix dns resolution for names that begin with a numeric digit
2.1.4 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix a thread state bug that caused phase2 to fail in rare cases
X Fix a phase2 responder bug that caused packet re-transmit to fail
X Add explicit link state notifications for Vista filter drivers
X Fix quick disconnects after negotiating with a Cisco gateway
X Add Dialup/PPP adapter support for Vista Platforms
X Fix a critical bug in the windows libvflt ip forward caching code
X Add proper support for multiple NAT-T hash values
2.1.5 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Add support for Cisco hybrid mode authentication ( mutual group )
X Add support for Cisco PCF file import
X Add support for auto uninstall during install of Windows package
X Add support for the XAuth radius chap method
X Add support for correctly handling multiple certificate requests
X Fix Checkpoint authentication regressions
X Fix reported link speed issue with virtual network driver
X Fix various kernel driver related issues reported by users
X Fix problems with resolv.conf file generation on unix platforms
X Fix NAT-T configuration issue
2.1.6 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix problem with direct adapter mode DNS configuration
X Fix DHCP over IPsec via DHCP adapters by imitating a bootp relay
X Fix DHCP pool exhaustion issue by retaining fake MAC seed value
X Fix ESP payload padding issue with Adtran gateways
X Fix runtime creation of virtual adapter instances on Vista/7
X Fix dropped packets issues with vflt socket wrappers
X Fix uninstall issue that occurred when Novell client was installed
X Fix kernel driver crash due to WANLINE (PPP/PPTP) notify parsing
X Fix various kernel driver issues blocking DTM controller tests
X Fix a bug related to using the IKE Fragmentation extension
X Fix a bug in IKE push mode that called a pull handler instead
X Use a different port for DNS proxy to avoid 3rd party conflicts
X Add support for overlapping local and remote networks
X Add support for shared policy generation mode
X Add manifest files so users are prompted for elevated privileges
X Add pid file support on Linux/BSD platforms
X Add support for reporting the UNITY app version and firewall type
X Improve adapter/address selection for multiple inet connections
X Initial kernel driver versions signed by Microsoft WHQL
2.1.7 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix negotiation of tunnel-all ( 0.0.0.0/0 ) configurations in iked
X Fix inbound SA negotiation with shared policy generation mode
X Fix iproute deletion issue on Vista/7 platforms
X Fix import of PCF files with non-encrypted password
X Apply IPsec policy and filename prompt fixes from Michael Kenny
X Improve DNS Proxy divert rule management
2.2.0 release - Major feature improvements
----------------------------------------------------------------------
X Add Qt4 gui components to replace Qt3 components on Linux/BSD
X Add console based VPN Connect component on Linux/BSD ( non-gui )
X Add initial support for Intel Mac OSX platforms w/ DMG installer
X Add an option for selecting a randomized virtual subnet address
X Add GUI support for multiple DNS/WINS server addresses
X Add support for automatic stable software update checks
X Add text that displays the connection time in system tray tooltip
X Add support for Sidewinder 6.x, 7.x gateways ( merged to 2.1.x )
X Add support for Netgear gateways ( merged to 2.1.x )
X Fix security flaws in the ipc server admin code
X Fix slow responsiveness during DHCP over IPsec negotiations
X Fix reverse DNS lookup issues with DNS proxy daemon
X Make the client config subordinate to the phase1 handle
X Use bdata instead of openssl key struct pointer in keyfile code
X Use overlapped IO to interface with the windows filter driver
X Fix the 500ms wakeup issue by avoiding vflt select-like calls
X Fix all memory leaks reported by various debugging tools
X Fix TCP LSO task offload in vflt driver on Vista/7 platforms
X Fix WLAN virtual adapter issue reported on mailing list
X Fix dialog color issues for windows HCB accessibility modes
X Fix keyboard navigation to site profiles in access manager
X Fix reported problems with DHCP over IPsec
X Add support for newer openssl supported message auth algorithms
X Add support for both ike and pfs dh groups 16, 17 and 18
X Add support for unattended installations ( needs signed drivers )
X Make all client platforms use file based site configurations
X Make certificate data an embedded component of the site config
X Add support for public site configurations on Windows Platforms
. Add support for Secure Domain Login on Vista/7 platforms
. Add support for encrypted site configuration storage
. Fix DNS setting issues with newer Mac OSX platforms
. Investigate PPP vs Virtual Adapter DNS preference issue
. Improve support for automatic stable software update checks
. Cleanup all references to the obsolete COMPAT policy mode
. Cleanup registry based site configuration data
. Test all rsa key file scenarios that use password protection
2.2.1 release - Bug fix and fine tuning
----------------------------------------------------------------------
. Fix or add all documented command line options in iked
. Fix handling of low-power-state notifications in iked on Windows
. Add support for two factor user authentication methods
. Apply Qt4 French translation patch from Alexis Lagoutte
Near Term Goals
----------------------------------------------------------------------
. Validate USB WIFI/Ethernet adapter support on Windows Platforms
. Validate and document support for OpenBSD gateways
. Validate and document support for Strong/OpenSWAN gateways
. Validate and document support for SonicWall gateways
x Validate and document support for Checkpoint gateways
. Validate and document support for Lancom gateways
. Cleanup libpfk, it's really ugly
. Fix static buffer usage for temporary string data
? Use Qt4 to build unified cross platform GUI components
? Add ability to drag site connections as shortcuts
? Add support for client connect/disconnect script execution
? Add adaptive communications during connect ( Frag/NATT )
? Move to a purely primitive based tunnel configuration interface
? Add support for lzs compression ( patent encumbered )
? Add support for microsoft certificate and key storage api
Long Term Goals
----------------------------------------------------------------------
. Fix the server mode support in iked
. Write a setkey replacement based on libpfk
. Stateful client side firewall
. Create lightweight kernel or userland buildable crypto library
. Move ip security processing into the kernel
----------------------------------------------------------------------
pfSense
----------------------------------------------------------------------
X Add support for modecfg
X Add support for Xauth
. Add support for fine grained network access control
----------------------------------------------------------------------
IPSEC-TOOLS
----------------------------------------------------------------------
X LDAP auth module
X Group based sainfo selection
X Group based xauth
X isakmp_id2str
X sainfo debug improvements
X responder ignores initial fragment
X clientaddr
. review sa cleanup after client disconnect
. cleanup modecfg and introduce ike push mode
. negotiate unity firewall rulesets via modecfg