All, I just posted 2.1.6 beta 9 on the download page. It includes the last of the userland changes I had planned for the 2.1.6 release. A lot of bugs related to the Linux/BSD UI have been corrected. A LWF driver fix is also included in this release. This should fix the problem for most people who were losing their ARP entry for their default gateway. If you experienced this issue, please test this build and report back to the list. In addition, an option that allows for more flexible control over how SAs are managed has been added. This was the last key element for improving Cisco VPN compatibility. Here is the relevant change log section ...
Add a new option that allows a user to specify the IPsec policy level for generated policies. These map to the REQUIRE and UNIQUE security policy levels as implemented via PF_KEY on Linux/BSD systems. We do not implement the USE level as it has little utility for a VPN client. The exposed configuration options are 'auto', 'require', 'unique' and 'shared'.

The 'unique' option is the exact behavior the Shrew Soft VPN client has always used. It will negotiate unique SAs as needed (using the policy source and destination network IDs) for each policy generated.

The 'require' option negotiates SAs as needed using the policy source and destination network IDs. However, instead of negotiating unique SAs for each policy, it uses any SA already established with the peer to protect traffic that matches any generated policy for that peer.

The 'shared' option is a non-standard mode of operation designed to mimic the way Cisco VPN clients manage security associations. Policies are generated using the 'require' level. However, when negotiating SAs with the remote peer, a remote network ID of 0.0.0.0/0 is used instead of the policy defined value. This allows a single SA to be shared amongst multiple policies using unique source/destination network IDs while maintaining compatibility with the standard Linux/BSD conventions.

The 'auto' option defaults to the 'shared' level when a Cisco compatible vendor ID is received during phase 1 negotiation. Otherwise, the 'unique' level is used.

...

For backwards compatibility, the client will default to using the 'auto' behavior when a site configuration doesn't explicitly specify a policy level. With this change in place, it should now be much easier to use the Shrew Soft VPN client as a drop-in replacement for the Cisco VPN client. If you are using the work-around of adding a 0.0.0.0/0 include network under the policy tab, please install beta 9 and remove the include network. It should 'just work'.
In all honesty, this should have been the 2.1.6 release candidate. The only reason we are still calling these beta is that we expect one more bug fix to get integrated for a Windows 7 kernel driver. If you have the time, please download beta 9 and help us test the changes. And as always, please report any problems you find to this mailing list.

Thanks,
-Matthew

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
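The following is an added illustration of the four policy levels described in the change log above; it is a simulation written for this page, not Shrew Soft client code, and the class and function names (Policy, SA, Peer, effective_level, summarize) and the two sample policies are constructed for the example. It shows why 'unique' produces one SA per policy, why 'require' reuses the first SA for later policies, and why 'shared' negotiates a single SA whose remote ID is 0.0.0.0/0.

```python
"""Model of the 'auto' / 'require' / 'unique' / 'shared' IPsec policy levels.

Illustrative simulation only (not Shrew Soft VPN client code). Names and the
sample policies below are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

VALID_LEVELS = {"auto", "require", "unique", "shared"}


@dataclass(frozen=True)
class Policy:
    """A generated policy: local and remote network IDs."""
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class SA:
    """A negotiated security association, keyed by the IDs it was built with."""
    local_id: IPv4Network
    remote_id: IPv4Network


def effective_level(configured: str, cisco_vendor_id: bool) -> str:
    """Resolve 'auto' the way the change log states: 'shared' when a Cisco
    compatible vendor ID was seen in phase 1, otherwise 'unique'."""
    if configured not in VALID_LEVELS:
        raise ValueError(f"unknown policy level: {configured!r}")
    if configured == "auto":
        return "shared" if cisco_vendor_id else "unique"
    return configured


@dataclass
class Peer:
    """SAs established with one remote peer under a resolved policy level."""
    level: str
    sas: list = field(default_factory=list)

    def sa_for(self, policy: Policy) -> SA:
        """Return the SA that will protect traffic matching `policy`,
        negotiating a new one only when the level requires it."""
        if self.level == "unique":
            # One SA per policy, negotiated with the policy's own IDs.
            sa = SA(policy.src, policy.dst)
            self.sas.append(sa)
            return sa
        if self.level == "require":
            # Reuse any SA already established with this peer; negotiate
            # with the policy's own IDs only if none exists yet.
            if self.sas:
                return self.sas[0]
            sa = SA(policy.src, policy.dst)
            self.sas.append(sa)
            return sa
        if self.level == "shared":
            # Cisco-style: the remote ID is 0.0.0.0/0 instead of the policy's
            # destination, so a single SA covers every policy to this peer.
            if self.sas:
                return self.sas[0]
            sa = SA(policy.src, ip_network("0.0.0.0/0"))
            self.sas.append(sa)
            return sa
        raise ValueError(f"unresolved policy level: {self.level!r}")


# Constructed sample: two policies to the same peer with distinct remote nets.
SAMPLE_POLICIES = [
    Policy(ip_network("10.1.1.0/24"), ip_network("192.168.1.0/24")),
    Policy(ip_network("10.1.1.0/24"), ip_network("192.168.2.0/24")),
]


def summarize(configured: str, cisco_vendor_id: bool = False):
    """Negotiate SAs for SAMPLE_POLICIES and report (SA count, remote IDs)."""
    peer = Peer(effective_level(configured, cisco_vendor_id))
    for policy in SAMPLE_POLICIES:
        peer.sa_for(policy)
    return len(peer.sas), [str(sa.remote_id) for sa in peer.sas]


if __name__ == "__main__":
    for level in ("unique", "require", "shared"):
        print(level, summarize(level))
    print("auto (Cisco vendor ID seen)", summarize("auto", True))
```

Running it prints two SAs for 'unique', one SA with the first policy's remote ID for 'require', and one SA with remote ID 0.0.0.0/0 for 'shared', which is the same outcome the old 0.0.0.0/0 include-network work-around produced by hand.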
