[Vpn-help] First 2.1.0 alpha build now available ...

Matthew Grooms mgrooms at shrew.net
Wed Nov 28 01:28:39 CST 2007


All,

      Along with the final 2.0.3 release, I thought it would be nice to 
include a taste of what's to come for the future 2.1.0 release. I'm 
really excited about this branch as the software is really starting to 
come together quite nicely. Many new features have been added as well as 
improvements to interoperability, performance and reliability.

Here is a quick breakdown of what's included ...

New Features - Two new configuration modes have now been added to the 
client. The first is a fully manual configuration mode that works well 
with gateways that do not support client auto configuration. If you have 
struggled to configure a previous version of the client for a gateway 
that doesn't support modecfg, then you already know why this new mode 
will be a welcome addition. The other new configuration method is DHCP 
over IPsec. This has only been tested with Fortinet gateways but it 
appears to work reliably.

Interoperability Improvements - This build of the client introduces 
compatibility improvements for several commercial gateways. Among the 
ones tested are Cisco PIX & ASA, Juniper SSG, Fortigate, Zywall and 
Checkpoint. A very special thanks goes to both Harondel J Sibble and 
Juan Rios, whose efforts were instrumental in making the Fortigate and 
Checkpoint related changes possible.

Performance Improvements - The Windows kernel drivers received another 
round of close attention. A new stateful fragment inspection system has 
been added to improve throughput, minimize firewall rules and prevent 
unnecessary packets from being forwarded from kernel to user land. Multi 
packet send and receive functions have also been implemented which 
reduce the packet retrieval system calls by up to 90% in some tests. 
The IPsec packet handlers have also been rewritten to reduce buffer 
copies and dynamic memory allocation.

Reliability Improvements - Previous versions of the Shrew Soft IKE 
daemon have been prone to processing duplicate exchange packets. This 
can lead to problems with IV synchronization and cause phase1 or phase2 
negotiations to fail in unpredictable ways. Thanks goes to Checkpoint 
here for creating a gateway that can reliably generate an unprecedented 
amount of spurious packets during almost any exchange :) The other major 
improvement is that the client traffic processing rules are now dynamic. 
This means that the client won't prevent other VPN clients from working 
when installed on the same machine. Several IRP-related kernel driver 
bugs were also fixed which may have caused problems for some users in 
the past.

In any case, this is starting to look like a good foundation to build a 
new feature release. If you have time to test it and find any problems, 
please let me know. It's never too early in a development cycle to submit 
a good bug report :)

Thanks again,

-Matthew
