Stormshield Network IPSec VPN Client 6.62 build 002

Features, improvements, vulnerabilities, fixes and known issues since release 6.44.

Features

  • Display "No CRL" instead of "No CA" in console when appropriate,
  • New URL for customized release,
  • VPN Tunnel Fallback (for example: automatic fallback from an IPSec tunnel to an SSL tunnel when IPSec tunnel fails),
  • Implementation of administration and system logs, with ability to produce administration logs either locally, to the Windows Event Manager or to a Syslog Server,
  • Windows Store Certificate Roaming: ability to select automatically the user certificate from the Windows Certificate Store, based on criteria (like for smartcards),
  • Ability to select and store multiple CA (Certificate Authority) in the VPN Configuration,
  • Support of Elliptic Curve Diffie-Hellman (Diffie-Hellman groups 19, 20 and 21) for IKEv2,
  • Support of AES-GCM and AES-CTR algorithms for IKEv2,
  • Update OpenSSL library version,
  • SSL: Add a way to change the receive socket buffer size (SO_RCVBUF),
  • SSL: Support of multiple remote networks,
  • Option to disable DPD IKEv2,
  • IKEv2: Support of multiple networks in the same remote TS, in CP mode,
  • Global redesign of the interface (Configuration Panel) with a clearer organization of the configuration tabs (new "advanced" tab, homogenization of the tabs between IKEv1, IKEv2 and TLS),
  • Ability to configure wait time for gateway responses (timeout was previously set to 5 sec.),
  • Support of IAS smartcard,
  • Support of ID Prime MD smartcard,
  • Support of Gemalto MD smartcard ATR,
  • Set ERRORLEVEL on /add, /replace, /importonce commands,
  • Support of Microsoft Signing for W10 drivers,
  • Prevent tunnels from working when several users are logged in simultaneously,
  • When rekeying, asking for X-Auth credentials is now configurable,
  • Time-out on token PIN Code pop-up,
  • Handling of PKCS8 (in addition to PKCS1) Private Key format,
  • Fragmentation of IkeV1 based on MS-IKE doc.

Improvements

  • Improvement of the CA handling in the Windows Certificate Store,
  • Handling of uppercase/lowercase certificate "name" OID,
  • IKE port changes are supported for more gateway configurations,
  • Optimize VPN configuration loading and saving,
  • Gina mode: progress bar for IKEv2 and SSL enhanced,
  • DPD, lifetime and IKE Ports are configurable for each tunnel,
  • IKEv2 does not support the PKCS#8 private key format, only PKCS#1,
  • Remote Sharing: RDP is not opened automatically from the configuration panel,
  • "vpnconf /stop" doesn't work from another user session,
  • PIN code is no longer asked when phase 1 is already up.

Vulnerabilities

  • Possibility of a man-in-the-middle attack via the use of a CA stored in the Windows certificate store,
  • Ability to start a browser for captive portal authentication disabled,
  • Certificate date validity can be bypassed through the use of GeneralizedTime format,
  • DoS upon malformed certificate reception,
  • DoS by UDP packet flood while the software is in trace mode,
  • Some padding bytes of the VPN configuration file signature can be patched,
  • Crash upon malformed SA reception,
  • Listen port 1194 was open even if not required.

Bug Fixing

  • BSOD: Crash in ForwardIPPacket when using FwpsQueryPacketInjectionState0,
  • BSOD after VPN up,
  • Smartcard roaming with different readers (smartcardroaming=5) doesn't work for IKEv1,
  • Unable to enter a lifetime in the main interface,
  • Display of a French button,
  • Error upon certificate selection with keyusage = 3,
  • With some specific PKI configurations, tunnel opens only once,
  • IKEv2 Fragmentation issue: some fragment sizes lead to Auth Fail or Syntax Error,
  • BSOD when receiving data in tunnel with a high rate,
  • IKEv2 and TPM: Unable to import user certificate in internal store,
  • DN pattern doesn't work properly for IKEv2,
  • Remote ID mismatch on "DER ASN1 DN" with the same ASCII string,
  • Virtual interface: bad handling of ARP table to add/remove gateway IP address,
  • TLS Connection: renewal from gateway is not implemented, and tunnel closes after a while,
  • Error with 6.4x VPN Configuration using certificates with accents on smartcards,
  • Conversion tools: Ovpn2Tgb: verify-x509-name is not properly handled,
  • IKEv2: Sometimes tunnel doesn't open, IKE Initialization fails (error with "0"),
  • IKEv2: No traffic to remote network. VirtualItf error 1 - 209 - 5010,
  • IKEv2: Exporting a single tunnel exports all Child SAs,
  • IKEv1: Tunnel is not deleted when XAuth fails during a Phase 1 renegotiation,
  • Cannot open tunnel with a token inserted after the VPN Client starts,
  • IKEv2 child SA is not removed when tunnel is closed for DPD timeout reason,
  • IKEv2: no traffic when NATT port is changed for one tunnel, and UDP Encap enabled,
  • IKEv2: IPV4 DNS not set properly when Gateway sends an IPV6 address,
  • IKEv1 Traffic verification: 1st timer is not properly initialized,
  • IKEv2: Fragmentation IKEV2 and DH algo set to auto => fragmentation is not selected,
  • InjectP12 command: new certificate is not updated when closing the session,
  • IKEv2: Sometimes tunnel doesn't open, IKE Init fails (error with "0"),
  • Traffic issue when physical IP Address ends with .255 and virtual IP address = Physical IP address.