forked from breiter/vpnc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO
131 lines (113 loc) · 4.67 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
TODO list
* On opensolaris we need to add -interface in case the route points
to an interface instead of a next hop, see
http://www.cwinters.com/blog/2008/02/02/getting_vpnc_to_work_on_opensolaris.html
* Add native ESP support
* Allow PSK without xauth.
* further research into the "packet too short" messages.
- see http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2005-February/000553.html
for more information
* pass IPSEC target network to script
- use it to initialize the tunnel interface and routes
* clean up scripts
- config-support for vpnc-script
- customizable handling of routing
- switch to disable resolv.conf rewriting
- do $something with split_dns
* beautify packet dump output
* large code cleanup
- at least one function per packet (instead of one function per phase)
- factor out a central select-loop, send / receive code, nat-t handling
- maybe even add some sort of state machine
- get a rid of remaining (non-const) global variables
* implement phase1 rekeying (with or without xauth-reauthentication)
* implement compression
* try a list of gateways (backup server)
* Generate the manpage command line part directly from vpnc
* optionally use in-kernel-ipsec with pf-key
- merge patch
* add support for pcap and dump decrypted traffic
* research/bugs:
- usernames containing "@" unable to login
- ipsec over tcp
- nortel support?
- segfault if > 100 routes/acls (to large packet? read size?)
(probably "fixed" by increasing the size in r_packet in vpnc.c,
but why did it crash?)
- amd64 somehow broken? maybe gcc bugs??
- some debug prints get the endianess wrong
- In case the psk in hybrid isn't correct, the server sends annother AM_2
packet - to port 500 of course, even if we are using nat-t and talked on
4500 already. We currently don't handle that.
* optional drop root (rekey? reconnect? vpnc-script calls?)
- Don't drop privileges, ever, but allow to be run suid.
- If euid != ruid, clear out env on program start.
- Sanitize variables for vpnc-script (snarf code from
callscript.c from dhcpclient).
- If euid != ruid, disable command line options (but not the profile
parameter).
- If euid != ruid, treat profiles as filenames only. They must not
be paths, i.e. contain PATHSEP. Read them relative to /etc/vpnc.
- Make sure vpnc-disconnect only kills processes owned by same user.
* implement certificate support
* implement dsa certificates in hybrid mode
* Adapt lifetime (when given as time) to certificate lifetime etc
(rfc2401, 4.4.3)
* implement main mode for phase 1 (needed to *use* certificates in
many cases)
* factor out crypto stuff (cipher, hmac, dh)
- http://libtomcrypt.org/features.html
- http://www.foldr.org/~michaelw/ patch fertig
- libgcrypt (old too?)
- autodetect?
- openssl??
- relicense to gpl+ssl?
* links to packages, howtos, etc.
- kvpnc http://home.gna.org/kvpnc/
- vpnc+Zaurus http://users.ox.ac.uk/~oliver/vpnc.html
- linux-mipsel (WRT54G) http://openwrt.alphacore.net/vpnc_0.3.2_mipsel.ipk
- howto-de http://localhost.ruhr.de/~stefan/uni-duisburg.ai/vpnc.shtml
----
* DONE implement hybrid-auth
* DONE implement DPD, RFC 3706 Dead Peer Detection
* DONE --local-address
* DONE implement phase2 rekeying
* DONE support rsa-SecurID token which sometimes needs 2 IDs
* DONE add macosx support
* DONE update "check pfs setting" error message
* DONE make doing xauth optional
* DONE implement udp transport NAT-T
* DONE fix Makefile (install, DESTDIR, CFLAGS, ...)
* DONE implement udp encap via port 10.000
* DONE svn-Repository
* DONE XAUTH Domain: (empty)
* DONE check /dev/net/tun, reject /dev/tun* on linux
* DONE spawn post-connect script
* DONE ask for dns/wins servers, default domain, pfs setting, netmask
* DONE automatic handling of pfs
* DONE send version string
* DONE send lifetime in phase1 and phase2
* DONE accept (== ignore) lifetime update in phase1
* DONE load balancing support (fixes INVALID_EXCHANGE_TYPE in S4.5)
* DONE include OpenBSD support from Nikolay Sturm
* DONE memleak fix from Sebastian Biallas
* DONE fix link at alioth
* DONE include man-page
* DONE post rfcs and drafts
* DONE post link to http://www.liebchen-online.de/vpn-zaurus.html
* DONE passcode == password
* DONE support for new libgcrypt versions
* DONE make /var/run/vpnc as needed
* DONE ignore "metric10 xx"
* DONE ignore attr 32136! (Cisco extension: XAUTH Vendor)
* DONE FreeBSD supported
* DONE NetBSD supported
* DONE fix vpnc-disconnect
* DONE --verbose
* DONE hide user/pass from --debug output
* DONE don't ignore all notifies at ipsec-sa-negotation
* DONE VERSION
* DONE --pid-file
* DONE --non-interactive
* DONE fix delete message
* DONE implement ISAKMP and IPSEC SA negotiate support