-
Notifications
You must be signed in to change notification settings - Fork 27
/
TODO.TXT
382 lines (360 loc) · 18 KB
/
TODO.TXT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
----------------------------------------------------------------------
VPN Client
----------------------------------------------------------------------
Alpha release ...
----------------------------------------------------------------------
X Resolve host dns to address in ipsecc
X Transmit size in vnet driver
X DHCP renew effects phase2 sa's
X Client status message rework
X Allow the configuration of the dns suffix in ipseca
X NAT-T force option in ipseca & ipsecc
X Manual config of client settings in ipsecd ( review ipseci )
X Key size in ipseca for phase1
X Dir path problem ipsecc & ipsecd
X Pre-fragment support in ipsecd
X Update logging facility in ipsecd
X Use generic logging facility in dll classes
X Test all dialog options for feature parity
Beta release ...
----------------------------------------------------------------------
X Rewrite vnet driver
X Create cleanup routines for all sa and tunnel objects
X Fix license view in about dialog
X Delete sa's after they are declared dead
X Isakmp re-transmit in ipsecd
X Send NAT keep-alive packets
X Mutual auth XAuth mode
1.0.0 release ...
----------------------------------------------------------------------
X SPI size of 8 in sa payload
X Flag tunnel as dead when proposal is rejected
X Handle notification payloads when bundled in phase1 or phase2
X Correct dialog layout issues
X Allow for disabled client WINS and DNS settings
X IKE fragmentation
X Send delete messages as outlined in RFC 2408
X Handle delete messages as outlined in RFC 2408
X Send notify messages as outlined in RFC 2408
X Handle notify messages as outlined in RFC 2408
X Client feedback for failure cases
X Fix crash after items deleted in ipseca
X Support the modecfg banner attribute
X Cleanup IPFRAG class
X Phase2 sa re-establish after expire
X Create debugger application interface
X Prevent multiple tunnels from using the same gateway
X Support the pfs modecfg attribute
X Support the split exclude modecfg attribute
X Correct client busy loop bug
X Pre-configured client packaging system
X Fix multiple tunnel issues
X Write documentation
X Button default issue in ipsecc
X Test non-admin user operation
X Correct loss of default route
X Correct the VNET MTU dropping to 175
X Update VProt Interface to handle Dialup Adapters
1.1.0 release - Bug fixes and fine tuning
----------------------------------------------------------------------
X Add Split DNS Support
X Cleanup orphaned dnsfwd entries
X Cleanup PACKET_DNS memory leaks
X Add Dead Peer Detection responder
X Add Dead Peer Detection initiator
X Move away from dynamic adapter creation ( adapter pools )
X Correct phase2 negotiation issues
X Replace DHCP support with static configuration
X Fix session termination messages
X Move remaining projects in-branch to share versions
X Modify interfaces to support Split DNS, DPD Banner and Notify
X Remove tunnel references to internal API
X Standardize and fix validation of inform and config hashes
X Audit use of random generation
X Correct debug output for modecfg banner
X Restructure SDB and packet resend
X Resolve issue with devcfg initial device creation
X Report phase 2 id types and values
X Add client username and password command line options
X Remove media sense from VNet driver
X Track down a rare ipsecc freeze when server rudely disconnect
X Review driver locking
X Modify VProt to handle multiple dialup adapters
X Review adapter registry configurtaion
X Update release documentation
X Look into reported issue with Split DNS
X Implement Split DNS reverse lookups
X Correct p12 related problems
X Add support for encrypted p12 and pem files
X Correct problems with local ID checking
X Test kernel drivers with multi-core systems
2.0.0 release - Interface below TCPIP and friends
----------------------------------------------------------------------
X Replace Protocol driver with IM filter driver
X Build rule based filter framework into IM driver
X Implement divert/mirror rule processing ( like FreeBSD ipfw )
X Implement accept/reject rule processing
X Use filter framework for packet inspection / redirection
X Remove uneeded functionality from virtual network interface
X Hide platform specific route index detail in libip
X Add support for using a real interface as a tunnel endpoint
X Review locking and stabilize IM filter driver
X Modify transparent DNS proxy code to work in direct or virtual mode
X Modify IM filter driver to support rule priorities for insertion
X Modify libflt ethernet header creation routine to use ARP data
X Modify ipsecd, vflt and libvflt to deal with transient devices
X Add auto configuration for phase1 and phase2 parameters
X Review and correct any issues with the exchange handlers
X Rewrite code related to proposal generation and checking
X Rewrite code related to policy management
X Fix ipsecd internal structure exposure to ipsecc
X Rewrite ipsec processing code to be policy driven
X Add support for ah in ipsecd
X Add support for ipcomp and deflate compression
X Rewrite packet queuing system
X Add ability to view FW rules in VPN Trace
X Add support for bundled proposals
X Seperate ike process, ipsec control and ipsec process threads
X Split ipsec daemon into ipsecd and iked
X Port iked to a single unix target
X Build pfkey interface for SPD and SAD management
X Add ability to view SPD and SAD entries in VPN Trace
X Fix information exchange and notify support
X Add iked config file support for unix targets using flex/bison
X Add iked support for sending responder lifetime notifications
X Add iked support for xauth via local and ldap sources
X Add iked support for modecfg
X Add iked support for advanced policy generation
X Split DNS Transparent proxy support into dtpd
X Remove optional esp packet pre-fragmentation from ipsecd
X Review all db locking and entry removal
X Improve phase2 rekey in ipsecd
X Add tunnel route to peer with default route
X Modify existing default route metric
X Add iked and iked.conf man pages
X Fix initial vnet device usage
X Add support for config push mode
X Modify the client gui for manual policy include/exclude
X Modify the client gui for config push or pull
X Fix the vpn trace sdb output tabs
X Update the client gui network tab
X Test all client features against racoon and iked
X Update the documentation
2.0.1 release - Improve platform support
----------------------------------------------------------------------
X Add support for Windows XP amd64 platform
X Add support for x86/amd64 FreBSD platforms
X Add support for x86/amd64 NetBSD platforms
X Add support for x86/amd64 Linux platforms
2.0.2 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Various bug fixes
2.0.3 release - Bug fix and fine tuning
----------------------------------------------------------------------
X various bug fixes
2.1.0 release - Improve platform and gateway support
----------------------------------------------------------------------
X Review option flag usage for client struct
X Make divert rule management dynamic ( be nice to other clients )
X Add support for syslog output on unix targets
X Add support for DHCP over IPsec configuration method
X Add support for strictly manual client configuration method
X Add stateful fragment evaluation to filter driver
X Add batched packet send and recv support to filter driver
X Add support for older Linux distributions
X Fix errors associated with iked processing duplicate packets
X Fix validation and trimming of trailing packet data
X Fix IM driver conflicts with the Cisco VPN Client ( DNE driver )
X Use exchange specific re-send timeout handlers for better logging
X Fix iked to work with any udp service port
X Add site connection support using the access manager system tray
X Add iked support for multiple DNS/WINS server addresses
X Add support for NAT-T draft 00 and 01 versions
X Fix IM driver issues with Windows 2K and Virtualization Software
X Add support for specifying the virtual network adapter MTU
X Add DNS and WINS support for direct adapter mode
X Fix Split DNS to work with an adapter specific default domain
X Add support for Windows x86/amd64 Vista platforms
X Fix route management for tunnels that force all traffic
X Add support for renegotiating IKSAMP SAs in client mode
X Add support for persistent IPSEC SAs
X Add support for site configuration file format versioning
X Add support for storing key and cert data in the site config
X Add user preference dialog for site manager
X Add preference for client minimize to system tray
X Add preference for pre-populating user names
X Add timestamps for non-syslog log output
X Add checks for illegal site configuration names
X Add site name and file conflict resolution dialogs
X Fix any differences between unix and windows site configuration
X Fix dissapearing DNS settings when the connection fails
X Fix the event timer class to avoid wakeups
X Fix hangs on *nix targets during iked shutdown
X Add work around for missing xauth type attribute
X Add a generic IPC class to avoid wakeups and reduce latency
X Port libdtp to use generic IPC class
X Port libike to use generic IPC class
X Port libpfk to use generic IPC class
X Fix high number of select wakeups on socket calls
X Fix the client statistics update
X Fix MS dnscache problems the right way
X Import new logo and improved icon sets
X Fix DPD problems while transitioning between ISAKMP SAs
X Improve DPD timeout algorithm
X Provide non WHQL signed Vista drivers
X Correct NDIS 6 miniport compatibility issue with filter driver
X Validate and document support for Cisco ASA gateways
X Validate and document support for Juniper SSG gateways
X Validate and document support for Zywall gateways
X Validate and document support for Fortigate gateways
2.1.1 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix NDIS 6 miniport problems with filter driver
X Fix VPN Trace problems on 64 bit Windows targets
2.1.2 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Various platform specific bug fixes
2.1.3 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix Diffie Hellman negotiation failures
X Fix mature SA packet re-transmit issues
X Fix config mode packet retransmit issues
X Add checks for mandatory reboot post install on Windows Platforms
X Fix dns resoltion for names that begin with numeric digit
2.1.4 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix a thread state bug that caused phase2 to fail in rare cases
X Fix a phase2 responder bug that caused packet re-transmit to fail
X Add explicit link state notifications for Vista filter drivers
X Fix quick disconnects after negotiating with a cisco gateway
X Add Dialup/PPP adapter support for Vista Platforms
X Fix a critical bug in the windows libvflt ip forward caching code
X Add proper support for multiple NAT-T hash values
2.1.5 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Add support for Cisco hybrid mode authentication ( mutual group )
X Add support for Cisco PCF file import
X Add support for auto uninstall during install of Windows package
X Add support for the XAuth radius chap method
X Add support for correctly handling multiple certificate requests
X Fix Checkpoint authentication regressions
X Fix reported link speed issue with virtual network driver
X Fix various kernel driver related issues reported by users
X Fix problems with resolv.conf file generation on unix platforms
X Fix NAT-T configuration issue
2.1.6 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix problem with direct adapter mode DNS configuration
X Fix DHCP over IPsec via DHCP adapters by immitating a bootp relay
X Fix DHCP pool exhaustion issue by retaining fake MAC see value
X Fix ESP payload padding issue with Adtran gateways
X Fix runtime creation of virtual adapter instances on Vista/7
X Fix dropped packets issues with vflt socket wrappers
X Fix uninstall issue that occured when Novell client was installed
X Fix kernel driver crash due to WANLINE (PPP/PPTP) notify parsing
X Fix various kernel driver issues blocking DTM controller tests
X Fix a bug related to using the IKE Fragmentation extestion
X Fix a bug in IKE push mode that called a pull handler instead
X Use a different port for DNS proxy to avoid 3rd party conflicts
X Add support for overlapping local and remote networks
X Add support for shared policy generation mode
X Add manifest files so users are prompted for elevated privileges
X Add pid file support on Linux/BSD platforms
X Add support for reporting the UNITY app version and firewall type
X Improve adapter/address selection for multiple inet connections
X Initial kernel driver versions signed by Microsoft WHQL
2.1.7 release - Bug fix and fine tuning
----------------------------------------------------------------------
X Fix negotiation of tunnel-all ( 0.0.0.0/0 ) configurations in iked
X Fix inbound SA negotiation with shared policy generation mode
X Fix iproute deletion issue on Vista/7 platforms
X Fix import of PCF files with non-encrypted password
X Apply IPsec policy and filename promts fixed from Michael Kenny
X Improve DNS Proxy divert rule management
2.2.0 release - Major feature improvements
----------------------------------------------------------------------
X Add Qt4 gui components to replace Qt3 components on Linux/BSD
X Add console based VPN Connect component on Linux/BSD ( non-gui )
X Add initial support for Intel Mac OSX platforms w/ DMG installer
X Add an option for selecting a randomized virtual subnet address
X Add GUI support for multiple DNS/WINS server addresses
X Add support for automatic stable software update checks
X Add text that displays the connection time in system tray tooltip
X Add support for Sidewinder 6.x, 7.x gateways ( merged to 2.1.x )
X Add support for Netgear gateways ( merged to 2.1.x )
X Fix secrity flaws in the ipc server admin code
X Fix slow responsiveness duing DHCP over IPsec negotiations
X Fix reverse DNS lookup issues with DNS proxy daemon
X Make the client config subordinate to the phase1 handle
X Use bdata instead of openssl key struct pointer in keyfile code
X Use overlapped IO to interface with the windows filter driver
X Fix the 500ms wakeup issue by avoiding vflt select-like calls
X Fix all memory leaks reported by various debugging tools
X Fix TCP LSO task offload in vflt driver on Vista/7 platforms
X Fix WLAN virtual adapter issue reported on mailing list
X Fix dialog color issues for windows HCB accessibility modes
X Fix keyboard navigation to site profiles in access manager
X Fix reported problems with DHCP over IPsec
X Add support for newer openssl supported message auth algorithms
X Add support for both ike and pfs dh groups 16, 17 and 18
X Add support for unattended installations ( needs signed drivers )
X Make all client platforms use file based site configurations
X Make certificate data an embedded component of the site config
X Add support for public site configurations on Windows Platforms
X Fix handling of low-power-state notifications in iked on Windows
. Add support for Secure Domain Login on Vista/7 platforms
. Investigate PPP with Virtual Adapter DNS preference issue
. Improve support for automatic stable software update checks
. Cleanup registry based site configuration data
. Test all rsa key file scenarios that use password protection
2.2.1 release - Bug fix and fine tuning
----------------------------------------------------------------------
. Fix or add all documented command line options in iked
. Add support for encrypted site configuration storage
. Cleanup all references to the obsolete COMPAT policy mode
. Fix DNS setting issues with newer Mac OSX platforms
. Add support for two factor user authentication methods
. Apply Qt4 French translation patch from Alexis Lagoutte
Near Term Goals
----------------------------------------------------------------------
. Validate USB WIFI/Ethernet adapter support on Windows Platforms
. Validate and document support for OpenBSD gateways
. Validate and document support for Strong/OpenSWAN gateways
. Validate and document support for SonicWall gateways
x Validate and document support for Checkpoint gateways
. Validate and document support for Lancom gateways
. Cleanup libpfk, its really ugly
. Fix static buffer usage for temporary string data
? Use Qt4 to build unified cross platform GUI components
? Add ability to drag site connections as shortcuts
? Add support for client connect/disconnect script execution
? Add adaptive communications during connect ( Frag/NATT )
? Move to a purely primitive based tunnel confguration interface
? Add support for lzs compression ( patent encumbered )
? Add support for microsoft certificate and key storage api
Long Term Goals
----------------------------------------------------------------------
. Fix the server mode support in iked
. Write a setkey replacement based on libpfk
. Stateful client side firewall
. Create lightweight kernel or userland buildable crypto library
. Move ip security processing into the kernel
----------------------------------------------------------------------
pfSense
----------------------------------------------------------------------
X Add support for modecfg
X Add support for Xauth
. Add support for fine grained network access control
----------------------------------------------------------------------
IPSEC-TOOLS
----------------------------------------------------------------------
X LDAP auth module
X Group based sainfo selection
X Group based xauth
X isakmp_id2str
X sainfo debug improvements
X responder ignores inital fragment
X clientaddr
. review sa cleanup after client disconnect
. cleanup modeconfg and introduce ike push mode
. negotiate unity firewall rulesets via modecfg