[vpn-help] Client features, perchance a wishlist

Matthew Grooms mgrooms at shrew.net
Wed Aug 23 15:42:05 CDT 2006


Peter Eisch wrote:
>  - There should be a way to see the SPDs and/or at least purge them.
>     This is most useful in debugging, but if the disconnect doesn't go
> cleanly the user won't know how to reset the ipsecd.  The client will
> continue to use the phase 1 key while the server may have expired the key
> (er, or the server got reset perhaps?).
> 

Being able to list the policies and associations is a good idea. The VPN 
Trace application will grow in functionality over time and most likely 
gain this ability through some sort of administrative port.

Phase 1 associations die when the client disconnects from IPSECD so this 
shouldn't be an issue. If the server shuts down non-gracefully, that 
will be addressed once the DPD support in the 1.1 branch becomes active. 
At the moment it only responds to DPD queries.

>  - The session panel should minimize to the system tray like most any other
> "network interface" icon.
> 

Another good idea. The VPN Site Manager is going to gain a preferences 
dialog in a future release. This suggestion sounds like a good candidate 
for a user scope option (à la Winamp minimize to system tray).

>  - Rolling over the session panel in the system tray should bubble the same
> information as displayed under the network tab.
> 

I will add this to my todo list for the 1.1 release.

>  - (blue sky thought) use the XP login auth credentials
> (login/domain/password) as the login@domain/password or at least
> login/password when using a login and password
>     In the Auth tab of the config, provide a checkbox to use the domain
> login information.  There could be a hidden config (like for the banner)
> that could disable that checkbox for managed installs.
> 

I am opposed to storing or pre-populating user passwords. I don't think 
it would be possible to pull the user system password anyway given the 
2K/NT security architecture. There could be a user scope option for 
populating the user name. Let me think about it.

>  - When you click on "Disconnect" in the session panel, the message that
> appears indicates that the session ended prematurely.
>     If clicking on the button is premature, what would be the right time to
> terminate?
> 
>  - When the session ends for any reason other than the user clicking
> Disconnect, offer the option to automatically reconnect.
>     This could be in the preferences pane as an option.
> 

Both good calls. I will fix this for the 1.1 release.

>  - Is there a way to start a session from a .bat script?
> 

Yes, click the ipsecc.exe and it will spit out command line options in 
the feedback window. I have toyed with the idea of allowing users to 
drag a shortcut out of the Site Manager window directly to the desktop 
for quick connections.

>  - The DPD support, as you noted, would be good too
> 

Already in 1.1 branch as responder. Will work on the initiator support 
as well.

> I'll see if I can get -current running of ipsec-tools in my lab and get this
> pushed over to stable systems we can continue to work with here.
> 

Thanks for everything!

-Matthew


