Changelog for ike-2.2.0-alpha-2


------------------------------------------------------------------------
r582 | mgrooms | 2008-11-11 01:00:37 -0600 (Tue, 11 Nov 2008) | 1 line

Correct an issue with IPsec over DHCP communications. Ensure that
responses are read when the event wakeup timer expires but requests are
only sent once per second. Also increase the DHCP retry count to 8.
------------------------------------------------------------------------
r580 | mgrooms | 2008-11-10 14:55:31 -0600 (Mon, 10 Nov 2008) | 2 lines

Modify the unix VPN connect application to report which peer iked has
established a tunnel with. This is useful when communicating with Cisco
gateways that perform load balancing.

------------------------------------------------------------------------
r578 | mgrooms | 2008-11-10 13:13:45 -0600 (Mon, 10 Nov 2008) | 1 line

Correct handling of Cisco Unity LOAD-BALANCE notifications in iked.
Reset some tunnel statistics before we attempt to re-negotiate with the
specified peer. Pass the peer address along with the statistics so we
can report which gateway address the user is connected to.
------------------------------------------------------------------------
r576 | mgrooms | 2008-11-09 12:57:14 -0600 (Sun, 09 Nov 2008) | 1 line

Correct handling of Cisco Unity LOAD-BALANCE notifications in iked.
Increment and decrement the phase1 handle when flagging it for deletion
to ensure the delete notification is sent before we modify the peer
endpoint addresses. Also remove any event timer entries so duplicates
are not queued by the timer class when the tunnel re-initializes.
------------------------------------------------------------------------
r574 | mgrooms | 2008-11-06 12:58:02 -0600 (Thu, 06 Nov 2008) | 1 line

Correct a bug in the iked pfkey io thread that could lead to a hang when
the service control manager attempts to stop the process. This could
lead to issues especially during uninstall.
------------------------------------------------------------------------
r572 | mgrooms | 2008-11-05 13:56:00 -0600 (Wed, 05 Nov 2008) | 1 line

Add a safeguard to prevent iked from migrating in response to a Cisco
Unity LOAD-BALANCE notification if the tunnel is already mature.
------------------------------------------------------------------------
r571 | mgrooms | 2008-11-05 13:42:56 -0600 (Wed, 05 Nov 2008) | 1 line

Add support for Cisco Unity LOAD-BALANCE notifications. A device working
in a high availability group can send this notification message which
contains the IP address of a new gateway. The client migrates to the new
gateway immediately on receipt of this request.
------------------------------------------------------------------------
r569 | mgrooms | 2008-11-05 11:25:21 -0600 (Wed, 05 Nov 2008) | 2 lines

Add a new option to the unix Access Manager and VPN Connect applications
that allows the Checkpoint vendor ID option to be enabled during phase1
negotiations.

------------------------------------------------------------------------
r567 | mgrooms | 2008-11-05 10:37:41 -0600 (Wed, 05 Nov 2008) | 1 line

Modify iked to be more selective when handling vendor IDs during phase1
negotiations. Both Checkpoint and Cisco PIX routers require that the
last vendor ID in a packet be the vendor specific ID. By default, iked
now sends the Cisco Unity ID as the last ID in the packet. If requested
by the client, the Checkpoint ID is sent as the last vendor ID in the
packet.
------------------------------------------------------------------------
r566 | mgrooms | 2008-11-03 15:32:48 -0600 (Mon, 03 Nov 2008) | 3 lines

I omitted the message in the last commit log so I am adding it here. Add
support to iked for the XAuth Radius CHAP authentication method. The use
of CHAP vs generic authentication is determined automatically by
examining the XAuth authentication type.

Update todo list.
------------------------------------------------------------------------
r565 | mgrooms | 2008-11-03 15:19:14 -0600 (Mon, 03 Nov 2008) | 1 line


------------------------------------------------------------------------
r561 | mgrooms | 2008-11-02 12:46:24 -0600 (Sun, 02 Nov 2008) | 1 line

Modify iked to ignore any split network definitions that use a null
address or subnet value. The client will generate a single 0.0.0.0/0
include policy if no specific remote network definitions are received.
This avoids any problems that may occur when the gateway sends
configuration data that would prevent the client from operating
correctly.
------------------------------------------------------------------------
r560 | mgrooms | 2008-10-28 23:23:01 -0500 (Tue, 28 Oct 2008) | 3 lines

Add initial support for Netgear routers to iked. These routers use an MD5
hash of "DPD" instead of the RFC specified vendor ID to negotiate
support of this feature. Additionally, when sending a DPD notification
message, they specify the ISAKMP protocol with a zero-length protocol
SPI and add a 16-byte null ISAKMP cookie pair followed by a DPD sequence
number. This is interpreted by compliant implementations as 20 bytes of
notification data. We work around this by skipping any leading bytes in
the notification data before reading the DPD sequence number.

Modify our vendor ID handling to send an updated version of the Cisco
Unity vendor ID. When reading a Unity vendor ID, only interpret the
constant value bytes and ignore the version. This should make our
implementation more versatile when attempting to detect Cisco compatible
peers.
------------------------------------------------------------------------
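The vendor ID ordering described in r567 and the Netgear DPD workaround and version-insensitive Cisco Unity match described in r560, shown together as an added Python example. This is not code from the ike project; it assumes the ISAKMP notification payload layout from RFC 2408, the R-U-THERE/R-U-THERE-ACK type numbers from RFC 3706, and the commonly published constant bytes of the RFC 3706 DPD and Cisco Unity vendor IDs. The Checkpoint vendor ID value is not given on the page, so a clearly labelled placeholder stands in for it, and both notification payloads are constructed inline.

```python
"""IKEv1 vendor ID and DPD notification quirks (added example, not ike project code)."""
import hashlib
import struct

# RFC 3706 DPD vendor ID: 14 constant bytes followed by a 2-byte major/minor version.
DPD_VID_CONST = bytes.fromhex("afcad71368a1f1c96b8696fc7757")
# Netgear variant from the changelog: the MD5 of the literal string "DPD".
DPD_VID_NETGEAR = hashlib.md5(b"DPD").digest()
# Cisco Unity vendor ID: 14 constant bytes followed by a version (1.0 shown).
UNITY_VID_CONST = bytes.fromhex("12f5f28c457168a9702d9fe274cc")
UNITY_VID = UNITY_VID_CONST + b"\x01\x00"
# Constructed placeholder; the real Checkpoint value is not on the page.
CHECKPOINT_VID = b"CHECKPOINT-VID-PLACEHOLDER"

R_U_THERE = 36136        # RFC 3706 DPD notify types
R_U_THERE_ACK = 36137
PROTO_ISAKMP = 1


def peer_supports_dpd(vendor_ids):
    """True if the peer sent the RFC 3706 DPD VID (any version) or Netgear's md5("DPD")."""
    for vid in vendor_ids:
        if vid[:len(DPD_VID_CONST)] == DPD_VID_CONST or vid == DPD_VID_NETGEAR:
            return True
    return False


def is_unity_vid(vid):
    """Compare only the Cisco Unity constant bytes; the trailing version bytes vary by device."""
    return vid[:len(UNITY_VID_CONST)] == UNITY_VID_CONST


def vendor_ids_to_send(checkpoint=False):
    """Order outgoing VIDs so the vendor-specific one is last (Checkpoint and PIX require this).
    Assumption: Unity is still sent when Checkpoint is requested, just no longer last."""
    vids = [DPD_VID_CONST + b"\x01\x00", UNITY_VID]
    if checkpoint:
        vids.append(CHECKPOINT_VID)
    return vids


def build_notify(ntype, spi, data, proto=PROTO_ISAKMP, doi=1):
    """Serialize an ISAKMP notification payload (generic header + DOI/proto/SPI size/type)."""
    body = struct.pack("!IBBH", doi, proto, len(spi), ntype) + spi + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_notify(payload):
    """Parse a notification payload, returning the SPI and raw notification data."""
    if len(payload) < 12:
        raise ValueError("notification payload truncated")
    _next, _rsvd, length, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", payload[:12])
    if length != len(payload) or length < 12 + spi_size:
        raise ValueError("bad notification payload length")
    return {"doi": doi, "proto": proto, "type": ntype,
            "spi": payload[12:12 + spi_size], "data": payload[12 + spi_size:length]}


def dpd_sequence(notify):
    """Extract the DPD sequence number from an R-U-THERE / R-U-THERE-ACK notification.
    RFC 3706 data is a 4-byte sequence number. Netgear sends a zero-length SPI and prepends
    a 16-byte null cookie pair to the data, so the number is taken from the LAST 4 bytes and
    any leading bytes are skipped instead of rejecting the payload."""
    if notify["type"] not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not a DPD notification")
    if notify["proto"] != PROTO_ISAKMP:
        raise ValueError("DPD notification must use the ISAKMP protocol id")
    data = notify["data"]
    if len(data) < 4:
        raise ValueError("DPD notification data too short")
    return struct.unpack("!I", data[-4:])[0]


# Constructed samples: compliant (cookie pair as SPI, 4-byte data) and Netgear-style
# (empty SPI, 16 null bytes followed by the sequence number).
COOKIES = bytes(range(16))
SEQ = 42
RFC_NOTIFY = build_notify(R_U_THERE, COOKIES, struct.pack("!I", SEQ))
NETGEAR_NOTIFY = build_notify(R_U_THERE, b"", b"\x00" * 16 + struct.pack("!I", SEQ))

if __name__ == "__main__":
    for name, raw in (("rfc", RFC_NOTIFY), ("netgear", NETGEAR_NOTIFY)):
        n = parse_notify(raw)
        print(name, "spi_len", len(n["spi"]), "data_len", len(n["data"]), "seq", dpd_sequence(n))
```

Because the workaround accepts any trailing 4 bytes as the sequence number, the usual RFC 3706 check that each R-U-THERE sequence number is larger than the last one accepted from that peer is what still protects the liveness state from a replayed or malformed notification; that check is outside this snippet.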
r559 | mgrooms | 2008-10-28 13:18:54 -0500 (Tue, 28 Oct 2008) | 3 lines

Correct a few bugs in iked that were preventing the RSA authentication
methods from working. While here, free the temporary configuration data
cached in the admin thread loop at connect time instead of allowing it to
persist until the connection is closed. The RSA authentication problems
were reported by Tai-hwa Liang.

Update the todo list.
------------------------------------------------------------------------