r1481 | mgrooms | 2010-08-17 21:19:58 +0000 (Tue, 17 Aug 2010) | 1 line

Generate HTML documents by topic name not by UID. This should prevent
links to the documentation from breaking every time it's re-generated
from source.
r1478 | mgrooms | 2010-08-17 21:15:06 +0000 (Tue, 17 Aug 2010) | 1 line

Update the help documentation to reflect the policy level changes.
r1472 | mgrooms | 2010-08-10 05:15:51 +0000 (Tue, 10 Aug 2010) | 1 line

Modify iked to store a DHCP MAC address seed value in the Windows
registry. Another file storage mechanism will be used on Linux and BSD.
r1469 | mgrooms | 2010-08-10 03:50:13 +0000 (Tue, 10 Aug 2010) | 1 line

Modify ipsecd to not add padding to ESP payloads when the pad length
equals the block cipher size. Certain gateways drop the packets when
additional padding is optionally appended. Thanks to Andrew Langefeld at
Adtran for diagnosing the issue.
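The padding rule the commit above describes, as an added C example that is not Shrew Soft code: it builds an RFC 4303 ESP trailer and, via an assumed `legacy` flag, contrasts the full-block padding that some gateways drop with the aligned-means-no-padding behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not Shrew Soft code). RFC 4303: the encrypted region
 * (payload || padding || Pad Length || Next Header) must be a multiple
 * of the cipher block size; padding may be 0..255 bytes. The assumed
 * `legacy` flag reproduces the behaviour the commit removed: when the
 * payload was already aligned, a full block of padding was appended. */

#define ESP_TRAILER_LEN 2   /* Pad Length byte + Next Header byte */

/* Number of padding bytes needed before the two trailer bytes. */
size_t esp_pad_len(size_t payload_len, size_t block_size, int legacy)
{
    size_t pad = block_size - ((payload_len + ESP_TRAILER_LEN) % block_size);
    if (!legacy && pad == block_size)
        pad = 0;            /* already aligned: no padding required */
    return pad;
}

/* Write payload || padding || Pad Length || Next Header into `out`.
 * Padding bytes use the RFC 4303 default sequence 1,2,3,...
 * Returns the total length, or 0 if pad > 255 or `out` is too small. */
size_t esp_build_trailer(const uint8_t *payload, size_t payload_len,
                         size_t block_size, uint8_t next_header,
                         int legacy, uint8_t *out, size_t out_cap)
{
    size_t pad = esp_pad_len(payload_len, block_size, legacy);
    size_t total = payload_len + pad + ESP_TRAILER_LEN;
    if (pad > 255 || total > out_cap)
        return 0;
    memcpy(out, payload, payload_len);
    for (size_t i = 0; i < pad; i++)
        out[payload_len + i] = (uint8_t)(i + 1);
    out[payload_len + pad] = (uint8_t)pad;
    out[payload_len + pad + 1] = next_header;
    return total;
}

/* Receiver-side sanity check: is the encrypted region block aligned? */
int esp_is_aligned(size_t total_len, size_t block_size)
{
    return total_len % block_size == 0;
}
```

With a 16-byte AES block, a 14-byte payload needs no padding under the fixed rule but received a full 16 bytes under the old one; both forms are valid per the RFC, which is why the issue only showed up against particular gateways.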
r1466 | mgrooms | 2010-08-05 06:41:52 +0000 (Thu, 05 Aug 2010) | 1 line

Modify ipsecd to avoid responding to ARP requests on the virtual adapter
when the ARP source and target match a NONE policy. This helps the
client work correctly when the local host network overlaps with a
tunneled network.
r1463 | mgrooms | 2010-08-05 06:34:18 +0000 (Thu, 05 Aug 2010) | 1 line

Modify the Windows NSIS installer script to be smarter about upgrading a
system. If removing components requires a reboot, do this before we
install new components. The installer now prompts the user to reboot and
automatically restarts the installer.
r1458 | mgrooms | 2010-07-22 03:47:52 +0000 (Thu, 22 Jul 2010) | 1 line

Prepare for signed kernel driver releases. The source code has now been
relocated to a separate repository branch. The code is now common among
all releases. A subversion property is now used to point a vpn client
release at a particular kernel release branch bin folder that contains
the signed kernel drivers. Remove the kernel code source from this
branch and update the scripts to point to the new subversion external.
r1426 | mgrooms | 2010-07-14 06:42:32 +0000 (Wed, 14 Jul 2010) | 1 line

Fix another bug in the driver package build script.
r1423 | mgrooms | 2010-07-14 06:27:46 +0000 (Wed, 14 Jul 2010) | 3 lines

Switch DNS proxy port to 4553. Using 50053 can cause conflicts if the OS
allocates that port for dynamic use.

Fix a bug in the driver package build script. This was preventing a
complete build of install package after a fresh checkout.
r1420 | mgrooms | 2010-07-10 22:42:55 +0000 (Sat, 10 Jul 2010) | 3 lines

Modify the DNS proxy daemon to install DNS divert rules when an active
connection has proxy policies installed. The DNS divert rules are
removed when the proxy policy count reaches zero. Also switch the UDP
DNS proxy port from 8053 to 50053 to avoid any potential conflict with
other software that may use this port.

Modify the IPsec daemon to only install the ARP mirror rule when a pfkey
client has IPsec security policies installed. The ARP mirror rule is
removed when the security policy count reaches zero.
r1417 | mgrooms | 2010-07-09 07:10:35 +0000 (Fri, 09 Jul 2010) | 1 line

Update documentation images and catch up with some feature changes.
r1414 | mgrooms | 2010-07-09 02:48:09 +0000 (Fri, 09 Jul 2010) | 1 line

Correct a regression in libvnet. When iked attempts to acquire a
virtual adapter and none are available, libvnet creates a new device on
behalf of the caller. This process was broken on Windows Vista/7
platforms. To correct this, adapt the updated device creation code in
our installation helper application devcfg to work in libvnet. Device
creation now works correctly on all supported Windows platforms.
r1411 | mgrooms | 2010-07-08 00:00:01 +0000 (Thu, 08 Jul 2010) | 1 line

Use correct branch name.
r1410 | mgrooms | 2010-07-07 23:57:58 +0000 (Wed, 07 Jul 2010) | 1 line

Branch for 2.1.6 release.
r1409 | mgrooms | 2010-07-05 19:45:24 +0000 (Mon, 05 Jul 2010) | 1 line

Update dptd to specify larger packet buffer sizes for use with libike
packet read functions. Make sure we reset the IP packet buffer size
after every read. Simplify the DNS state handling code. The refcount
implementation was overkill considering how simple the locking
requirements are. We now use simple mutex locking to protect the state
r1407 | mgrooms | 2010-07-05 19:40:20 +0000 (Mon, 05 Jul 2010) | 1 line

Update iked to specify larger packet buffer sizes for use with
libike packet read functions. While here, normalize some common variable
name suffixes so they are more uniform.
r1405 | mgrooms | 2010-07-02 19:30:39 +0000 (Fri, 02 Jul 2010) | 1 line

Correct a regression in the iked socket wrapper code. After fixing
several bugs in the NDIS6 LWF driver, the client interface library now
honors an option that was previously being ignored. The socket wrapper
no longer requests that only a single packet be returned for each recv
call. This causes IP/UDP fragments to be dropped since the call would
overwrite any unread packet data that had been returned in a previous
call. To avoid this, a new libike member function has been added to
allow a caller to check to see if data is available in the recv buffer.
The recv function is now only called when the recv buffer is empty.
r1402 | mgrooms | 2010-06-29 05:12:04 +0000 (Tue, 29 Jun 2010) | 1 line

Correct an issue in iked related to registry address list handling. Make
sure we null the buffer before reading and parsing an address list.
Otherwise, we may believe we read an address from a zero data length
registry value. This leads to problems when we attempt to revert
temporary address modifications. Many thanks to Stéphane Daguet
for submitting the bug report and his before/during/after registry
screen shots.
r1399 | mgrooms | 2010-06-27 06:40:50 +0000 (Sun, 27 Jun 2010) | 1 line

Modify the Windows release build script to sign all executables. This
allows a descriptive name and the company name to be displayed when
prompted by UAC. Also juggle the VPN Trace application icon resources so
that they are used correctly by the Windows shell. Previously, the low
resolution icon was being displayed when the high resolution version
should have been.
r1397 | mgrooms | 2010-06-26 20:10:24 +0000 (Sat, 26 Jun 2010) | 3 lines

Add Windows program manifest files for the IKE, IPSEC and DNS daemons as
well as the VPN Trace application. These manifests specify that
administrative privileges are required for proper operation. This should
avoid the issue where the VPN Trace application appears broken due to
insufficient execution privileges.

Modify the Windows IPsec daemon, VPN Connect and VPN Access Manager
applications to support the new IPsec policy level options. These
changes are compatible with Linux/BSD PF_KEY conventions.
r1395 | mgrooms | 2010-06-26 19:26:58 +0000 (Sat, 26 Jun 2010) | 3 lines

Fix a bug in the NDIS6 LWF driver. When a Miniport indicates received
NBLs using the RESOURCES flag, make sure we revert any changes we made
to the linked list before returning. Otherwise, the calling driver may
fail to reclaim the associated NBLs resources and eventually stop
indicating traffic. Add send and receive NBL functions which are
equivalent to the Microsoft Passthrough samples. These will remain
commented out but could be useful for testing issues in the future.
While here, rewrite a user device handle NULL pointer check to be

Bump all driver versions for the next beta release.
r1394 | mgrooms | 2010-05-26 04:04:46 +0000 (Wed, 26 May 2010) | 1 line

When installing the NDIS5 filter drivers on 2K/XP, call DIFx pre-install
on both mfilter and pfilter INFs. An IM driver install doesn't appear to
be complete without calling pre-install on the miniport INF but the
driver isn't removed properly unless remove is also called on protocol
INF. This appears to leave systems cleaner after our software is removed
and also avoids a crash when the Novell client is installed. While here,
correct a drvcfg message box typo displayed during error conditions.
r1391 | mgrooms | 2010-05-12 00:35:50 +0000 (Wed, 12 May 2010) | 1 line

Modify the vvflt driver to avoid crashes when handling WANLINE UP/DOWN
notification messages. We now perform several sanity checks on the
message structure and avoid calls to RtlUnicodeStringToAnsiString which
should not be called at dispatch level. Many thanks to Joel Wener who
reported this issue, provided minidumps and tested several candidate
fixes before a correct solution could be found. Bump all driver versions
to reflect a new build number.
r1389 | mgrooms | 2010-05-12 00:16:48 +0000 (Wed, 12 May 2010) | 1 line

Modify the libup IPROUTE iface_2_addr member function to pass a gateway
address value. This allows us to use fuzzy matching to select the correct
address when multiple addresses exist for a single interface.
r1387 | mgrooms | 2010-03-15 01:01:11 +0000 (Mon, 15 Mar 2010) | 1 line

Update the internal driver version number. It was out of sync with the
inf version.
r1386 | mgrooms | 2010-03-15 00:58:00 +0000 (Mon, 15 Mar 2010) | 1 line

Update the internal driver version number. It was out of sync with the
inf version.
r1385 | mgrooms | 2010-03-14 23:53:31 +0000 (Sun, 14 Mar 2010) | 1 line

Modify the Windows VPN Connect application to blank the password once a
connection attempt is in flight. Also add an installation check to
ensure the software is not being installed with compatibility settings
enabled. This can have dire consequences as incorrect kernel drivers can
be installed as a result of the OS reporting an incorrect version during
install. The software also performs runtime checks to execute the
correct code path based on the OS version reported.
r1383 | mgrooms | 2010-03-14 21:57:10 +0000 (Sun, 14 Mar 2010) | 7 lines

Modify iked to not hold a virtual network device handle open during the
life of the connection. Instead, we now open and close device handles as
needed during tunnel setup and teardown. This allows systems to easily
transition to a low power state without iked monitoring the handle for

Correct a regression in the flt drivers which was introduced recently.
After collecting a list of fragmented packets, recreate the test buffer
using the data from the lead packet. This fixes fragment processing in
the filter code path.

Keep track of the number of active adapters when NDIS6 filter adapter
bindings are being paused or restarted. We use this count to determine
when the system will potentially transition into a low power mode or a
system shutdown. When this occurs, all bindings are paused so we use
this opportunity to proactively free resources and fail certain client

Update driver inf and resource files to reflect a version and date
r1381 | mgrooms | 2010-03-05 07:23:37 +0000 (Fri, 05 Mar 2010) | 1 line

Modify the NDIS5 and NDIS6.2 filter drivers to validate Ethernet packets
match the adapter Ethernet address before processing. This should allow
bridged networking services (VMware and VirtualBox bridged networking)
to co-exist with the Shrew Soft VPN client on the host computer.
r1379 | mgrooms | 2010-03-05 06:01:57 +0000 (Fri, 05 Mar 2010) | 3 lines

Correct a bug in the vflt interface library that did not classify an
error return code properly. This caused the driver unload process to
hang because a service would not close the handle after returning from a
select call general failure (i.e., device no longer available).

Push down the select ioctl error handling into the select function call
on windows. We want to recycle the handle in the case of an unexpected
r1377 | mgrooms | 2010-03-02 04:34:07 +0000 (Tue, 02 Mar 2010) | 3 lines

Update the NDIS6 LWF driver to NDIS6.1 and implement support for Windows
7 Mobile Broadband adapters. This change includes some fairly major
changes to the IPv4 fragmentation cache and packet filtering code.
Windows Mobile Broadband adapters pass raw IP frames with no Ethernet
headers so several key functions were modified to bypass Ethernet header
processing to accommodate this. Several issues were also corrected where
an IPv6 frame could be evaluated as an IPv4 frame. This could cause
instability in some edge cases.

Update all driver inf and resource files to reflect a version change. We
now use the latest WDK to build the NDIS5 drivers using the WXP platform
type. Several tests were run to ensure the Windows 2K OS platforms were
r1372 | mgrooms | 2010-01-31 19:12:39 +0000 (Sun, 31 Jan 2010) | 1 line

Modify the windows access manager application to allow for
routes to be added as an include network. This will allow clients to
force all traffic across the tunnel even if a split network list is
received by the gateway. Fix a bug that caused pcf imports to be
incomplete when a group name was not specified. We now set a default
local identity type value of address for PSK authentication modes and
asn1dn for RSA modes. Fix a bug that caused pcf imports to fail when a
key name was specified with no value.
r1370 | mgrooms | 2009-12-16 15:45:33 +0000 (Wed, 16 Dec 2009) | 1 line

Revert our change to the NDIS5 virtual network driver that removed
handling of OID_802_3_MAXIMUM_LIST_SIZE. Apparently it is required for
proper operation even if we don't support multicast addresses.
r1368 | mgrooms | 2009-12-15 07:48:40 +0000 (Tue, 15 Dec 2009) | 1 line

Correct a minor whitespace nit in NDIS6 virtual adapter driver.
r1366 | mgrooms | 2009-12-15 07:44:45 +0000 (Tue, 15 Dec 2009) | 7 lines

Add a run time check in our NDIS5 driver to determine if we are running
on Windows 2000 or XP. Convert the statistics to return 32bit counter
values on 2000 and 64bit on XP. Use 64bit counters in our NDIS6 driver
for SentOk and RecvOk. All other NDIS6 counters already returned 64bit

Remove handling of OID_802_3_MAXIMUM_LIST_SIZE in our NDIS5/6 drivers as
we don't support multi-cast addresses.

Return NDIS_STATUS_NOT_SUPPORTED in our NDIS5 driver for all OIDs that
we don't handle instead of NDIS_STATUS_INVALID_OID. This is what
examples in the WDK do.

Update the NDIS5/6 virtual adapter INFs to report NCF_VIRTUAL as
suggested by Thomas.
r1364 | mgrooms | 2009-12-13 02:58:39 +0000 (Sun, 13 Dec 2009) | 1 line

Modify libvnet and consumers to be more intelligent when opening device
handles. When read access is requested, the driver queues packets on the
send path on behalf of the consumer. This is undesirable unless we
really plan to read them.
r1362 | mgrooms | 2009-12-13 02:04:56 +0000 (Sun, 13 Dec 2009) | 1 line

Revert a minor change that was unnecessary for proper NDIS6 virtual
network adapter statistics gathering.
r1360 | mgrooms | 2009-12-13 01:43:07 +0000 (Sun, 13 Dec 2009) | 1 line

Update the test_vnet application to allow the adapter link state and
speed to be manually set.
r1358 | mgrooms | 2009-12-13 01:41:54 +0000 (Sun, 13 Dec 2009) | 1 line

Update both the NDIS5 and NDIS6 virtual network adapter drivers to
report statistics correctly.
r1356 | mgrooms | 2009-12-05 19:33:34 +0000 (Sat, 05 Dec 2009) | 1 line

Add the Visual Studio project I missed while adding test_vnet in a
previous commit.
r1355 | mgrooms | 2009-12-05 19:32:55 +0000 (Sat, 05 Dec 2009) | 1 line

Merge the filter and virtual adapter interface library code in from
head. This provides the appropriate control interfaces for the updated
kernel drivers. Modify consumers to honor these changes.
r1352 | mgrooms | 2009-12-05 19:21:43 +0000 (Sat, 05 Dec 2009) | 1 line

Bring in virtual network adapter changes from the private driver
development branch. The updated driver allows for functionality similar
to *nix tap devices. Also import a new vnet_test application which
creates a virtual Ethernet bridge between two systems using UDP socket
relay. This allows us to stress test the new features in a lab