[vpn-help] 2.1.6 Beta 9 Available ...

Matthew Grooms mgrooms at shrew.net
Tue Jun 29 09:19:32 CDT 2010


All,

I just posted 2.1.6 beta 9 on the download page. It includes the last of 
the userland changes I had planned for the 2.1.6 release. A lot of bugs 
related to the Linux/BSD UI have been corrected. An LWF driver fix is 
also included in this release. This should fix the problem for most 
people who were losing their ARP entry for their default gateway. If 
you experienced this issue, please test this build and report back to 
the list. In addition, an option that allows for more flexible control 
over how SAs are managed has been added. This was the last key element 
for improving cisco vpn compliant compatibility. Here is the relevant 
change log section ...

Add a new option that allows a user to specify the IPsec policy level 
for generated policies. These map to the REQUIRE and UNIQUE security 
policy levels as implemented via PF_KEY on Linux/BSD systems. We do not 
implement the USE level as it has little utility for a VPN client. The 
exposed configuration options are 'auto', 'require', 'unique' and 'shared'.

The 'unique' option is the exact behavior the Shrew Soft VPN client has 
always used. It will negotiate unique SAs as needed ( using the policy 
source and destination network IDs ) for each policy generated.

The 'require' option negotiates SAs as needed using the policy source 
and destination network IDs. However, instead of negotiating unique SAs 
for each policy, it uses any SA already established with the peer to 
protect traffic that matches any generated policy for that peer.

The 'shared' option is a non-standard mode of operation designed to 
mimic the way Cisco VPN clients manage security associations. Policies 
are generated using the 'require' level. However, when negotiating SAs 
with the remote peer, a remote network ID of 0.0.0.0/0 is used instead 
of the policy defined value. This allows a single SA to be shared 
amongst multiple policies using unique source/destination network IDs 
while maintaining compatibility with the standard Linux/BSD conventions.

The 'auto' option defaults to 'shared' level when a Cisco compatible 
vendor ID is received during phase1 negotiation. Otherwise, the 'unique' 
level is used.

... For backwards compatibility, the client will default to using the 
'auto' behavior when a site configuration doesn't explicitly specify a 
policy level. With this change in place, it should now be much easier to 
use the Shrew Soft VPN client as a drop-in replacement for the Cisco VPN 
client. If you are using the work-around of adding a 0.0.0.0/0 include 
network under the policy tab, please install beta 9 and remove the 
include network. It should 'just work'.

In all honesty, this should have been the 2.1.6 release candidate. The 
only reason we are still calling these beta is that we expect one more 
bug fix to get integrated for a Windows 7 kernel driver. If you have the 
time, please download beta 9 and help us test the changes. And as 
always, please report any problems you find to this mailing list.

Thanks,

-Matthew
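The policy-level semantics from the change log above (which traffic selectors get negotiated, and which established SA may carry a packet), modelled as an added Python example that is not Shrew Soft code; the site policies, addresses and helper names are constructed for illustration:

```python
from ipaddress import ip_address, ip_network

# Constructed site policies (local network -> remote network), as a client
# would generate them from a site's include-network list. Not real config.
POLICIES = [
    ("10.0.5.0/24", "192.168.10.0/24"),
    ("10.0.5.0/24", "192.168.20.0/24"),
]

def resolve_level(level, cisco_vendor_id_seen):
    """'auto' becomes 'shared' when a Cisco vendor ID was seen in phase 1,
    otherwise 'unique'; the other three levels are used as given."""
    if level == "auto":
        return "shared" if cisco_vendor_id_seen else "unique"
    if level not in ("require", "unique", "shared"):
        raise ValueError(f"unsupported policy level: {level}")
    return level

def phase2_selectors(level, policies, cisco_vendor_id_seen=False):
    """(local, remote) ID pairs the client negotiates SAs for."""
    level = resolve_level(level, cisco_vendor_id_seen)
    if level == "shared":
        # Policies keep their own IDs, but the SA is negotiated with a
        # remote ID of 0.0.0.0/0 so a single SA can serve all of them.
        return sorted({(local, "0.0.0.0/0") for local, _ in policies})
    # 'unique' and 'require' both negotiate with the policy's own IDs.
    return list(policies)

def sa_for_packet(level, policies, established, src, dst,
                  cisco_vendor_id_seen=False):
    """Pick an established SA (a (local, remote) pair) to protect src->dst.
    Returns None when no generated policy matches or no usable SA exists."""
    level = resolve_level(level, cisco_vendor_id_seen)
    s, d = ip_address(src), ip_address(dst)
    matched = [p for p in policies
               if s in ip_network(p[0]) and d in ip_network(p[1])]
    if not matched:
        return None
    if level == "unique":
        # UNIQUE: only the SA negotiated for this exact policy may be used.
        return next((sa for sa in established if sa in matched), None)
    # REQUIRE (and 'shared', which builds on it): any SA already
    # established with the peer protects traffic matching any policy.
    return established[0] if established else None
```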