[Vpn-help] First 2.1.0 alpha build now available ...
Matthew Grooms
mgrooms at shrew.net
Wed Nov 28 01:28:39 CST 2007
All,

Along with the final 2.0.3 release, I thought it would be nice to
include a taste of what's to come for the future 2.1.0 release. I'm
really excited about this branch as the software is really starting to
come together quite nicely. Many new features have been added as well as
improvements to interoperability, performance and reliability.

Here is a quick breakdown of what's included ...

New Features - Two new configuration modes have now been added to the
client. The first is a fully manual configuration mode that works well
with gateways that do not support client auto configuration. If you have
struggled to configure a previous version of the client for a gateway
that doesn't support modecfg, then you already know why this new mode
will be a welcome addition. The other new configuration method is DHCP
over IPsec. This has only been tested with Fortinet gateways but it
appears to work reliably.

Interoperability Improvements - This build of the client introduces
compatibility improvements for several commercial gateways. Among the
ones tested are Cisco PIX & ASA, Juniper SSG, Fortigate, Zywall and
Checkpoint. A very special thanks goes to both Harondel J Sibble and
Juan Rios whose efforts were instrumental in making the Fortigate and
Checkpoint related changes possible.

Performance Improvements - The Windows kernel drivers received another
round of close attention. A new stateful fragment inspection system has
been added to improve throughput, minimize on firewall rules and prevent
unnecessary packets from being forwarded from kernel to user land. Multi
packet send and receive functions have also been implemented which
reduces the packet retrieval system calls by up to 90% in some tests.
The IPsec packet handlers have also been rewritten to reduce buffer
copies and dynamic memory allocation.

Reliability Improvements - Previous versions of the Shrew Soft IKE
daemon have been prone to processing duplicate exchange packets. This
can lead to problems with IV synchronization and cause phase1 or phase2
negotiations to fail in unpredictable ways. Thanks goes to Checkpoint
here for creating a gateway that can reliably generate an unprecedented
amount of spurious packets during almost any exchange :) The other major
improvement is that the client traffic processing rules are now dynamic.
This means that the client won't prevent other VPN clients from working
when installed on the same machine. Several Irp related kernel driver
bugs were also fixed which may have caused problems for some users in
the past.

In any case, this is starting to look like a good foundation to build a
new feature release. If you have time to test it and find any problems,
please let me know. It's never too early in a development cycle to submit
a good bug report :)

Thanks again,
-Matthew
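
The duplicate-packet problem described under Reliability Improvements, as an added example that is not part of the original message and not Shrew Soft code. It assumes IKEv1-style CBC chaining, where each message's IV is the last ciphertext block of the previous one; the Exchange class, the run helper, the XOR stand-in cipher and the sample messages are all constructed for illustration.

```python
import hashlib

BLOCK = 8                          # toy CBC block size (constructed)
KEY = bytes(range(1, BLOCK + 1))   # constructed key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc(iv, data, decrypt=False):
    """Toy CBC; XOR with KEY stands in for the block cipher (not secure)."""
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        res = xor(xor(blk, KEY), prev)
        prev = blk if decrypt else res   # chain on the ciphertext block
        out += res
    return out

class Exchange:
    """One side of an IKEv1 exchange: next IV = last ciphertext block."""
    def __init__(self, drop_duplicates):
        self.iv = bytes(BLOCK)      # both peers start from the same IV
        self.drop_duplicates = drop_duplicates
        self.seen = set()           # digests of packets already processed

    def send(self, plaintext):
        packet = cbc(self.iv, plaintext)
        self.iv = packet[-BLOCK:]
        return packet

    def recv(self, packet):
        digest = hashlib.sha256(packet).digest()
        if self.drop_duplicates and digest in self.seen:
            return None             # retransmission: IV stays untouched
        self.seen.add(digest)
        plaintext = cbc(self.iv, packet, decrypt=True)
        self.iv = packet[-BLOCK:]
        return plaintext

def run(drop_duplicates):
    """Replay message 1 at the client just before message 3 arrives."""
    gateway, client = Exchange(True), Exchange(drop_duplicates)
    m1 = gateway.send(b"MSG1-from-gw....")
    client.recv(m1)
    gateway.recv(client.send(b"MSG2-from-client"))
    client.recv(m1)                 # spurious duplicate of message 1
    return client.recv(gateway.send(b"MSG3-from-gw...."))
```

With drop_duplicates=False the replayed packet rewinds the client's IV, so the first block of message 3 decrypts to garbage; with the digest check the duplicate is discarded and message 3 decrypts cleanly.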