Stormshield Network VPN Client 6.12 build 002

Features, improvements and fixes since release 6.08

Features

  • Disable SHA-384 choice, SSL and IPsec IKEv2 VPN tunnel.
  • IP address can change during renegotiation with VPN tunnel using IKEv2.
  • SSL disabled.
  • Support of IPv4 and IPv6 simultaneously
    • Ability to handle heterogeneous IPv4 and IPv6 networks on the LAN and WAN sides, on either corporate or user home networks. The 'Auto' feature (for IPv4/IPv6) makes it possible to support these complex environments with IPsec (IKEv1/v2) or SSL VPN tunnels.
    • Ability to detect IPv4 or IPv6 network automatically for both IPsec and SSL VPN tunnels.
    • Ability to send IPv4 and IPv6 within the same tunnel.
  • Support of IPsec and SSL/TLS simultaneously
    • Ability to open multiple SSL VPN tunnels with any VPN gateways supporting OpenVPN.
    • Introduction of two new user authentication mechanisms specific to SSL i.e. Mode TLSAuth and Extra Login/Password.
    • Auto-adaptive capabilities to adapt to the SSL gateway settings automatically, assuming the gateway supports the multi-proposal mechanism. The IT manager can disable this feature and force his own settings.
    • Ability to define a redundant SSL gateway in case of unavailability of the primary SSL gateway.
    • Ability to open SSL VPN tunnel on detection of traffic to the remote network.
    • Ability to start automation via scripts before/after tunnel opens or closes.
    • Ability to start a desktop sharing session with a machine on remote network in one click.
    • Ability to add traffic compression.
    • Inherits all IPsec encryption and hash algorithms from TheGreenBow IPsec VPN client (e.g. SHA1, SHA2, ...).
  • Support of IPsec with IKEv1 and IKEv2 simultaneously
    • Ability to open IKEv1 and IKEv2 VPN tunnels simultaneously.
    • Ability to define a redundant gateway in case of unavailability of the primary gateway.
    • IKEv2 introduces a new user authentication mechanism called EAP, similar to X-Auth. EAP can be combined with Certificate (i.e. select multiple Auth support in your VPN tunnel configuration > 'IKEv2 Auth' > 'IKE SA' tab). EAP replaces X-Auth when using an IKEv2 VPN tunnel.
    • Auto-adaptive capabilities to adapt to the gateway settings automatically, assuming the gateway supports the multi-proposal mechanism. The IT manager can disable this feature and force his own settings.

Improvements

  • Support of TLS connection without user certificate.
  • Prevent broadcast transfers to remote network.
  • Support of all 3 addressing modes i.e. host, subnet and IP address range with IKEv2 VPN tunnels.
  • Certificate Authority (CA) might or might not be specified when importing a P12 certificate within an IKEv2 VPN tunnel configuration.
  • IKEv2 VPN tunnel supports an empty Remote ID and it is considered as 'Accept any ID from remote' as it does in IKEv1 VPN tunnels.
  • New default Algorithms for Auto selections.
  • Various text strings and user interface improvements.
  • Various user interface improvements.
  • VPN tunnel opens faster when using a certificate on a PKCS#11 Smartcard or Token.
  • All settings in the 'Security' tab are set to 'Auto' mode when creating a new SSL VPN tunnel.
  • User interface improvement for IPsec IKEv2 & IKEv1 VPN configuration:
    • Root tree strings "IKE V1 Configuration" & "IKE V2 Configuration" might be truncated.
  • VPN tunnel with IKEv2 and IPv6: replace mask with prefix length in the Child SA.
  • New menu strings to create a Phase1 and Phase2 consistent between IKEv1 and IKEv2 now called 'New VPN Gateway' and 'New VPN Connection' accordingly.

Bug fixing

  • Certificate could not be imported from Windows Certificate Store.
  • Import or export VPN Configuration to or from a mapped drive fails.
  • Packets with a payload smaller than 24 bytes are dropped in IPv6 VPN tunnel, causing issues for FTP.
  • Incoming packets ending with .255 on port 4500 are not handled properly.
  • 'TSocket message data type 0 could not be sent' error message preventing an IKEv1 VPN tunnel from opening when using an IPv6 IP address.
  • VPN tunnel fails to open due to unknown OID from the Certificate (i.e. Object Identifier). Need to add 'GN' label for OID (i.e. Given Name).
  • Pre Shared Key can be saved with shortcut 'Ctrl+S' without checking against the 'Confirm' field.
  • Error "disagreement on PFS" when configured with 'Auto' for PFS in IKEv1 Phase2 (gateway specific).
  • The VPN Client might crash when importing a VPN configuration file modified with wrong parameters for a VPN tunnel configured using IKEv1.
  • An imported VPN tunnel that uses a port no other tunnel is using doesn't open properly.
  • A new network interface is not detected when it becomes up.
  • VPN tunnel configured with IKEv2 and IPv4 toward a VPN gateway configured with IPv6 VPN tunnel is not opening properly.
  • VPN tunnel configured with IKEv2 and IPv6 toward a VPN gateway configured with IPv4 VPN tunnel is not opening properly.
  • 'View Certificate' button is not working properly with VPN tunnel using IKEv2, after saving the VPN configuration.
  • 'New Phase1' and 'Paste Phase1' menu from root tree not working properly.
  • VPN configuration with IKEv2 can be saved although Remote Gateway field is empty.
  • IKEv2 default parameters (IDs and Config Payload) are not properly setup when creating a new configuration.
  • VPN tunnel with IKEv2 CHILD SA negotiation in IKE AUTH exchange with Diffie-Hellman.
  • VPN tunnel with IKEv2, user must click twice on EAP button to have password enabled.
  • VPN tunnel with IKEv2, Pre Shared Key is empty after saving the VPN Configuration.
  • VPN tunnel with IKEv2, the local/remote ID type of ID set to null is not working properly.
  • VPN tunnel with IKEv1, Auto for Phase 1 doesn't work.
  • VPN tunnel with IKEv1, X-Auth login/password popup is not working properly.
  • Change in configuration from IPv6 to IPv4 in VPN tunnel within IKEv2 Child SA is not detected.
  • VPN tunnel configured with IKEv1 and IPv4 toward a VPN gateway configured with IPv4, has no traffic if PFS=None and without NAT-T in Phase 1.
  • VPN tunnel configured with IKEv2 and IPv4 toward a VPN gateway configured with IPv4, has no traffic if PFS=None.
  • New buttons in the Configuration Panel root IKEv1, IKEv2 and SSL export all tunnels instead of particular branch tunnel.
  • Both 'IKE SA' and 'Child SA' phases (equivalent to Phase1 and Phase2) renegotiation fails with IKEv2 VPN tunnels.
  • Config Payload information in VPN tunnel configured with IKEv2 not displayed properly when tunnel opens or closes.
  • Timeout of 30sec to monitor VPN tunnel opening might be too short in some circumstances, such as using a USB Token with a certificate protected by PIN, or a large number of packet rejections.
  • Word 'Static' appears in the Configuration Panel tree root IKEv1, IKEv2 and SSL.
  • Texts of protocol description displayed in the Configuration Panel tree for each protocol (i.e. SSL, IPsec IKEv1, IKEv2) are not correct.
  • VPN tunnel using IKEv2 opens only once when LocalId is not filled in with certificate subject.
  • The type IKEV2_ID_FQDN as remote ID Type is not yet supported.
  • Several text typos in Configuration Panel 'Child SA' or Phase2 tabs.
  • Phase renegotiation, on VPN tunnel with IKEv1, uses port 500 again instead of port 4500.
  • Shortcut Ctrl+S doesn't save the remote sharing and Certificate store settings.
  • Feature blocking traffic outside VPN Tunnel (i.e. Split tunneling) with IKEv2 and SSL VPN tunnels is not yet available.
  • Notification FAILED_CP_REQUIRED with IKEv2 VPN tunnels received from the gateway closes the VPN tunnel unexpectedly.
  • The 'Initial Contact' mechanism is not yet supported with IKEv2 VPN tunnels.
  • VPN Configuration with IKEv2 and SSL is lost after transferring IPsec IKEv1 configuration to USB mode.
  • Remote ID ID_DER_ASN1_DN received from the gateway is not checked properly.
  • SHA2 in 'Child SA' tab is not available yet with IKEv2 VPN tunnels.
  • DNS/WINS manual setup is not yet supported with IKEv2 VPN tunnels.