Update README.md to reference Windows ARM64 build guide

Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>
Add Windows ARM64 build and installation documentation
2026-04-21 14:29:27 +03:00 · 2026-02-04 16:40:48 +00:00 · 2026-02-04 16:40:11 +00:00 · 2026-02-04 16:37:45 +00:00
35 changed files with 577 additions and 3258 deletions
@@ -4,7 +4,6 @@ name: Coverity
 on:
  schedule:
  - cron: "0 0 * * *"
  workflow_dispatch:
 permissions:
  contents: read
@@ -12,7 +11,7 @@ permissions:
 jobs:
  scan:
    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'SoftEtherVPN' || github.event_name == 'workflow_dispatch' }}
+    if: ${{ github.repository_owner == 'SoftEtherVPN' }}
    steps:
    - uses: actions/checkout@v2
      with:
@@ -8,11 +8,10 @@ jobs:
    strategy:
      matrix:
        platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
        ]
-    runs-on: ${{ matrix.platform.RUNNER }}
+    runs-on: windows-latest
    name: ${{ matrix.platform.ARCHITECTURE }}
    steps:
    - uses: actions/checkout@v4
@@ -34,13 +33,12 @@ jobs:
        COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
        VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
        VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
        CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
      run: |
        set BUILD_NUMBER=0
        mkdir build
        cd build
        call "%VCVARS_PATH%"
-        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
+        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
        cmake --build .
        mkdir installers
        vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
@@ -26,14 +26,13 @@ jobs:
        uses: softprops/action-gh-release@v1
  build-windows:
    name: ${{ matrix.platform.ARCHITECTURE }}
-    runs-on: ${{ matrix.platform.RUNNER }}
+    runs-on: windows-latest
    needs: ["release"]
    strategy:
      matrix:
        platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
        ]
    steps:
      - name: "Checkout repository"
@@ -58,12 +57,11 @@ jobs:
          COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
          VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
          VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
          CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
        run: |
          mkdir build
          cd build
          call "%VCVARS_PATH%"
-          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
+          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
          cmake --build .
          mkdir installers
          vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
@@ -210,9 +210,3 @@ developer_tools/stbchecker/**/*.binlog
 developer_tools/stbchecker/**/*.nvuser
 developer_tools/stbchecker/**/.mfractor/
 /vcpkg_installed
 # Build directories
 /_codeql_build_dir/
 /_codeql_detected_source_root
 /build/
 /build_test/
@@ -220,7 +220,7 @@ Please look at the [ContainerREADME.md](ContainerREADME.md)
 ## Build from Source code
-see [BUILD_UNIX](src/BUILD_UNIX.md) or [BUILD_WINDOWS](src/BUILD_WINDOWS.md)
+see [BUILD_UNIX](src/BUILD_UNIX.md), [BUILD_WINDOWS](src/BUILD_WINDOWS.md), or [BUILD_WINDOWS_ARM64](src/BUILD_WINDOWS_ARM64.md)
 There are two flavours of SoftEtherVPN source code:
@@ -88,10 +88,6 @@ into it. So that is what will be described below.
     Cross compile x86 executables with 64-bit compiler
    - arm64-on-x64
     Cross compile arm64 executables with x64t compiler
   On 64-bit Windows, all four configurations can be used. 32-bit platforms can only use 32-bit compiler.
 1. Visual Studio will try generating CMake cache. If not, click **Project -> Configure Cache** or **Generate Cache**.
@@ -0,0 +1,220 @@
 # How to build SoftEther VPN for Windows ARM64
 This guide explains how to build SoftEther VPN for Windows ARM64 architecture. Windows on ARM is becoming increasingly important, especially on modern laptops and virtualized environments. This allows SoftEther VPN to run **natively on Windows ARM64**, improving performance and compatibility compared to x86 emulation.
 ## Requirements
 - **Windows x64 host machine** (ARM64 builds are cross-compiled from x64)
 - Visual Studio 2019 or 2022 (Community Edition is fine)
  https://visualstudio.microsoft.com/downloads
 - Git for Windows (or other git tool)
  https://gitforwindows.org/
 - vcpkg
  https://github.com/microsoft/vcpkg
 ## Installation
 ### Visual Studio
 Download from the official site and run the installer.
 Make sure to check:
 - **Desktop development with C++** under *Workloads*
 - **Clang C++ Tools for Windows** in *Optional* components
 - **MSVC v142 - VS 2019 C++ ARM64 build tools** (or equivalent for VS 2022) in *Optional* components
 ### Git
 Nothing special. Just follow the installer.
 ### vcpkg
 Let's say you will install it to `C:\vcpkg`.
 Open your preferred terminal and go to `C:\`. Then run these commands:
 ```
 C:\> git clone https://github.com/microsoft/vcpkg
 C:\> cd vcpkg
 C:\vcpkg> bootstrap-vcpkg.bat
 C:\vcpkg> vcpkg integrate install
 ```
 ## Update
 ### vcpkg
 You are recommended to update vcpkg from time to time, so that the latest libraries are used in the build.
 Go to the installation path, pull the latest repo and the binary:
 ```
 C:\vcpkg> git pull
 C:\vcpkg> bootstrap-vcpkg.bat
 ```
 ## Building
 ### Step 1: Build x64-native first
 **Important:** For ARM64 builds, an existing `x64-native` build is required to generate `hamcore.se2`.
 1. Launch Visual Studio
   Choose either **Clone a repository** to clone from GitHub or **Open a local folder** if you already have a copy.
 2. Open Terminal (*View -> Terminal*). Install the needed submodules to build the project:
   `git submodule update --init --recursive`
   **Note**: This step is not necessary if you have chosen **Clone a repository** as Visual Studio automatically takes care of it.
 3. Switch to folder view in the solution explorer
 4. Select **x64-native** configuration from the dropdown menu below the search box
 5. Visual Studio will try generating CMake cache. If not, click **Project -> Configure Cache** or **Generate Cache**.
   If CMake is busy, you will find **Generate Cache** greyed out. Wait until it finishes or click **Cancel CMake Cache Generation** to stop it.
   The initial configuration will take a longer time since it needs to download and install dependencies.
 6. When *CMake generation finished* is displayed, simply go to toolbar and click **Build -> Build All**.
 7. Wait for the x64 build to complete. This creates the necessary `hamcorebuilder` executable that will be reused for the ARM64 build.
 ### Step 2: Build arm64-on-x64
 1. Switch to the **arm64-on-x64** configuration from the dropdown menu
   This configuration cross-compiles ARM64 executables using the 64-bit compiler on your x64 Windows host.
 2. Click **Project -> Configure Cache** or **Generate Cache** to configure the ARM64 build.
   The ARM64 build will reuse the `hamcorebuilder` executable from the x64-native build to generate `hamcore.se2`.
 3. When *CMake generation finished* is displayed, click **Build -> Build All**.
 4. Once building has finished, hopefully with no errors, look in the newly created `/build` directory in the project's folder.
 ## Installation on Windows ARM64 Devices
 ### Prerequisites
 - Windows 10 or Windows 11 ARM64 device
 - The compiled ARM64 binaries from the build process
 - Administrator privileges
 ### Installing the VPN Client
 1. Copy the ARM64 build output to your Windows ARM64 device
 2. Run `vpnsetup.exe` from the ARM64 build output
 3. Select the components you want to install (typically VPN Client)
 4. Follow the installation wizard
 ### VPN Client Driver Installation
 The ARM64 Neo6 VPN driver is included in the build and targets **Windows 10 ARM64** or later.
 **Important Notes:**
 - The ARM64 driver is **unsigned by default**
 - To use the unsigned driver, you need to:
  1. Enable Windows Test Mode by running in an Administrator Command Prompt:
     ```
     bcdedit /set testsigning on
     ```
  2. Restart your computer
  3. Install the VPN Client as described above
 - For production use, the driver should be properly signed with a valid code signing certificate
 ### Disabling Test Mode (Optional)
 After you're done testing or if you have a signed driver, you can disable Test Mode:
 ```
 bcdedit /set testsigning off
 ```
 Then restart your computer.
 ## Build Configuration Details
 The **arm64-on-x64** configuration includes:
 - **Cross-compilation target**: Windows ARM64
 - **Compiler**: clang-cl (LLVM)
 - **Toolchain**: MSVC ARM64 toolchain
 - **VCPKG triplet**: arm64-windows-static
 - **CPU feature detection**: ARM64 crypto extensions (AES via `PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE`)
 - **BLAKE2 optimization**: NEON implementation (instead of SSE2)
 ## Notes
 ### Build Number
 You can change the build number in `CMakeSettings.json`. Use any integer no less than 5180.
 Delete and regenerate CMake cache after the change.
 ### OpenSSL
 The above instruction builds OpenSSL library statically in the SoftEther binaries. This means:
 - When you distribute the installer, users will not need to install OpenSSL separately
 - The OpenSSL library cannot be updated without a rebuild and reinstallation of SoftEther
 It's also possible to build OpenSSL library dynamically, but this requires additional configuration and is beyond the scope of this ARM64-specific guide. Refer to `BUILD_WINDOWS.md` for details on dynamic OpenSSL linking.
 ### Driver Signing
 For production deployments, you should sign the ARM64 driver with a valid code signing certificate:
 1. Obtain a code signing certificate from a trusted Certificate Authority
 2. Use the Windows Driver Kit (WDK) tools to sign the driver
 3. Distribute the signed driver to users
 Without driver signing, users will need to enable Test Mode which reduces system security.
 ### Tested Environments
 This ARM64 build process has been tested on:
 - Windows x64 host (cross-compiling ARM64)
 - Windows 10 ARM64 (VPN Client driver load and basic functionality)
 - Windows 11 ARM64 devices
 ## Troubleshooting
 ### Build Fails During hamcore.se2 Generation
 Make sure you have completed the x64-native build first. The ARM64 build requires the x64 `hamcorebuilder` executable.
 ### Driver Installation Fails
 Ensure you have:
 - Enabled Test Mode (for unsigned drivers)
 - Administrator privileges
 - Windows 10 or later ARM64
 ### VPN Client Doesn't Start
 Check that:
 - All ARM64 binaries are in the correct installation directory
 - The Neo6 ARM64 driver is properly installed
 - Windows Event Viewer for any error messages
 ## References
 - Main Windows build guide: `BUILD_WINDOWS.md`
 - Pull Request #2209: Windows ARM64 support
 - Issue #1331: Windows ARM64 support request
@@ -1,52 +0,0 @@
 # How to build and install SoftEther VPN on Windows ARM64
 This document describes how to build SoftEther VPN for Windows ARM64 and how to install the VPN Client and Neo6 virtual network adapter on Windows on ARM devices.
 ## Requirements
 - Build host: Windows x64
 - Target device: Windows 10 / Windows 11 ARM64
 ## Building 
    **Notes before building**: ARM64 builds are cross-compiled from an x64 Windows host. An existing x64-native build is required to generate hamcore.se2.
 1. Follow [BUILD_WINDOWS.md](BUILD_WINDOWS.md##Building)
 1. Build x64 (Native): From the build menu, select x64-on-x64. Complete the build successfully. This build is required to generate shared resources
 1. Build ARM64 (Cross-Compiled): From the same build menu, select arm64-on-x64. 
 Build the ARM64 version of SoftEther VPN.
 1. Building the Neo6 Virtual Network Adapter (ARM64)
    Open the following project in Visual Studio:
    ```
    .\src\Neo6\Neo6.vcxproj 
    ```
    SoftEther VPN Client uses the Neo6 virtual network adapter.
    Driver Output Files
    The ARM64 driver package includes:
    ```
    Neo6_arm64_VPN.sys
    Neo6_arm64_VPN.inf
    ```
    Driver Signing and Installation (Windows ARM64)
    ```
    Enable test-signing mode: bcdedit /set testsigning on
    Reboot the system.
    Testing signing:
    Install the Neo6 ARM64 driver.
    ```
 # Summary
 SoftEther VPN can be cross-compiled for Windows ARM64 on an x64 host
 VPN Client works natively on Windows on ARM
 Neo6 ARM64 driver requires Microsoft signing for production use
 Test-signing is suitable for local development only
@@ -8739,7 +8739,7 @@ UINT StSetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	}
 	//SetRadiusServer(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret);
-	SetRadiusServerEx2(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval, t->RadiusRetryTimeout);
+	SetRadiusServerEx(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval);
 	ALog(a, h, "LA_SET_HUB_RADIUS");
@@ -8778,8 +8778,8 @@ UINT StGetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	Zero(t, sizeof(RPC_RADIUS));
 	//GetRadiusServer(h, t->RadiusServerName, sizeof(t->RadiusServerName),
 	//	&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret));
-	GetRadiusServerEx2(h, t->RadiusServerName, sizeof(t->RadiusServerName),
+	GetRadiusServerEx(h, t->RadiusServerName, sizeof(t->RadiusServerName),
-		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval, &t->RadiusRetryTimeout);
+		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval);
 	ReleaseHub(h);
@@ -13031,7 +13031,6 @@ void InRpcRadius(RPC_RADIUS *t, PACK *p)
 	PackGetStr(p, "HubName", t->HubName, sizeof(t->HubName));
 	PackGetStr(p, "RadiusSecret", t->RadiusSecret, sizeof(t->RadiusSecret));
 	t->RadiusRetryInterval = PackGetInt(p, "RadiusRetryInterval");
 	t->RadiusRetryTimeout = PackGetInt(p, "RadiusRetryTimeout");
 }
 void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 {
@@ -13046,7 +13045,6 @@ void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 	PackAddStr(p, "HubName", t->HubName);
 	PackAddStr(p, "RadiusSecret", t->RadiusSecret);
 	PackAddInt(p, "RadiusRetryInterval", t->RadiusRetryInterval);
 	PackAddInt(p, "RadiusRetryTimeout", t->RadiusRetryTimeout);
 }
 // RPC_HUB
@@ -259,7 +259,6 @@ struct RPC_RADIUS
 	UINT RadiusPort;					// Radius port number
 	char RadiusSecret[MAX_PASSWORD_LEN + 1];	// Secret key
 	UINT RadiusRetryInterval;			// Radius retry interval
 	UINT RadiusRetryTimeout;			// Radius retry timeout
 };
 // Specify the HUB
@@ -11791,9 +11791,6 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		{"[server_name:port]", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_Host"), CmdEvalNotEmpty, NULL},
 		{"SECRET", CmdPromptChoosePassword, _UU("CMD_RadiusServerSet_Prompt_Secret"), NULL, NULL},
 		{"RETRY_INTERVAL", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryInterval"), CmdEvalMinMax, &minmax},
 		// Support for setting timeout through commandline not added
 		// {"RETRY_TIMEOUT", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryTimeout"), CmdEvalMinMax, &minmax},
 	};
 	// If virtual HUB is not selected, it's an error
@@ -11818,7 +11815,6 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		StrCpy(t.RadiusServerName, sizeof(t.RadiusServerName), host);
 		StrCpy(t.RadiusSecret, sizeof(t.RadiusSecret), GetParamStr(o, "SECRET"));
 		t.RadiusRetryInterval = GetParamInt(o, "RETRY_INTERVAL");
 		// t.RadiusRetryTimeout = GetParamInt(o, "RETRY_TIMEOUT");
 		Free(host);
@@ -11942,9 +11938,6 @@ UINT PsRadiusServerGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 			UniToStri(tmp, t.RadiusRetryInterval);
 			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryInterval"), tmp);
 			UniToStri(tmp, t.RadiusRetryTimeout);
 			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryTimeout"), tmp);
 		}
 		CtFree(ct, c);
@@ -99,7 +99,6 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 	char radius_servers[MAX_PATH] = {0};
 	UINT radius_port = 0;
 	UINT radius_retry_interval = 0;
 	UINT radius_retry_timeout = 0;
 	char radius_secret[MAX_PATH] = {0};
 	char radius_suffix_filter[MAX_PATH] = {0};
 	if (cedar == NULL || hubname == NULL || client_ip_str == NULL || username == NULL)
@@ -116,8 +115,8 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 	if (hub != NULL)
 	{
-		if (GetRadiusServerEx3(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
+		if (GetRadiusServerEx2(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
-			sizeof(radius_secret), &radius_retry_interval, &radius_retry_timeout, radius_suffix_filter, sizeof(radius_suffix_filter)))
+			sizeof(radius_secret), &radius_retry_interval, radius_suffix_filter, sizeof(radius_suffix_filter)))
 		{
 			bool use_peap = hub->RadiusUsePeapInsteadOfEap;
@@ -6416,23 +6415,17 @@ void ReleaseHub(HUB *h)
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size)
 {
 	UINT interval;
 	return GetRadiusServerEx(hub, name, size, port, secret, secret_size, &interval);
 }
-bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval) {
+bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval)
 	UINT timeout;
 	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, &timeout);
 }
 bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout)
 {
-	return GetRadiusServerEx3(hub, name, size, port, secret, secret_size, interval, timeout, NULL, 0);
+	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, NULL, 0);
 }
-bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size)
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size)
 {
 	bool ret = false;
 	// Validate arguments
-	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL || timeout == NULL)
+	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL)
 	{
 		return false;
 	}
@@ -6446,7 +6439,6 @@ bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secre
 			StrCpy(name, size, hub->RadiusServerName);
 			*port = hub->RadiusServerPort;
 			*interval = hub->RadiusRetryInterval;
 			*timeout = hub->RadiusRetryTimeout;
 			tmp_size = hub->RadiusSecret->Size + 1;
 			tmp = ZeroMalloc(tmp_size);
@@ -6473,10 +6465,6 @@ void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret)
 	SetRadiusServerEx(hub, name, port, secret, RADIUS_RETRY_INTERVAL);
 }
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval)
 {
 	SetRadiusServerEx2(hub, name, port, secret, interval, RADIUS_RETRY_TIMEOUT);
 }
 void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout)
 {
 	// Validate arguments
 	if (hub == NULL)
@@ -6496,28 +6484,19 @@ void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT inte
 			hub->RadiusServerName = NULL;
 			hub->RadiusServerPort = 0;
 			hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
 			hub->RadiusRetryTimeout = RADIUS_RETRY_TIMEOUT;
 			FreeBuf(hub->RadiusSecret);
 		}
 		else
 		{
 			hub->RadiusServerName = CopyStr(name);
 			hub->RadiusServerPort = port;
 			if (timeout == 0) {
 				timeout = RADIUS_RETRY_TIMEOUT;
 			}
 			hub->RadiusRetryTimeout = timeout;
 			if (interval == 0)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL; ///What happens here is that RADIUS_RETRY_TIMEOUT is not configurable, and RADIUS_RETRY_INTERVAL is set to the timeout if it's larger.
+				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
 			}
-			
+			else if (interval > RADIUS_RETRY_TIMEOUT)
 			if (interval > timeout)
 			{
-				hub->RadiusRetryInterval = timeout;
+				hub->RadiusRetryInterval = RADIUS_RETRY_TIMEOUT;
 			}
 			else
 			{
@@ -341,7 +341,6 @@ struct HUB
 	char *RadiusServerName;				// Radius server name
 	UINT RadiusServerPort;				// Radius server port number
 	UINT RadiusRetryInterval;			// Radius retry interval
 	UINT RadiusRetryTimeout;			// Radius timeout, it will no longer retry
 	BUF *RadiusSecret;					// Radius shared key
 	char RadiusSuffixFilter[MAX_SIZE];	// Radius suffix filter
 	char RadiusRealm[MAX_SIZE];			// Radius realm (optional)
@@ -483,11 +482,9 @@ void GetAccessListStr(char *str, UINT size, ACCESS *a);
 void DeleteOldIpTableEntry(LIST *o);
 void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret);
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval);
 void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout);
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size);
 bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval);
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout);
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size);
 bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size);
 int CompareCert(void *p1, void *p2);
 void GetHubLogSetting(HUB *h, HUB_LOG *setting);
 void SetHubLogSetting(HUB *h, HUB_LOG *setting);
@@ -11,7 +11,6 @@
 #include "Connection.h"
 #include "Logging.h"
 #include "Proto_EtherIP.h"
 #include "Proto_IKEv2.h"
 #include "Proto_IPsec.h"
 #include "Proto_L2TP.h"
 #include "Server.h"
@@ -36,57 +35,40 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	if (p->Type == IKE_UDP_TYPE_ISAKMP)
 	{
-		IKE_HEADER *raw_hdr;
+		// ISAKMP (IKE) packet
 		IKE_PACKET *header;
-		// Check packet is large enough for the IKE header
+		header = ParseIKEPacketHeader(p);
-		if (p->Size < sizeof(IKE_HEADER))
+		if (header == NULL)
 		{
 			return;
 		}
-		raw_hdr = (IKE_HEADER *)p->Data;
+		//Debug("InitiatorCookie: %I64u, ResponderCookie: %I64u\n", header->InitiatorCookie, header->ResponderCookie);
-		// Dispatch IKEv2 packets by version field
+		switch (header->ExchangeType)
 		if (raw_hdr->Version == IKEv2_VERSION)
 		{
-			ProcIKEv2PacketRecv(ike, p);
+		case IKE_EXCHANGE_TYPE_MAIN:	// Main mode
-			return;
+			ProcIkeMainModePacketRecv(ike, p, header);
 			break;
 		case IKE_EXCHANGE_TYPE_AGGRESSIVE:	// Aggressive mode
 			if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
 			{
 				ProcIkeAggressiveModePacketRecv(ike, p, header);
 			}
 			break;
 		case IKE_EXCHANGE_TYPE_QUICK:	// Quick mode
 			ProcIkeQuickModePacketRecv(ike, p, header);
 			break;
 		case IKE_EXCHANGE_TYPE_INFORMATION:	// Information exchange
 			ProcIkeInformationalExchangePacketRecv(ike, p, header);
 			break;
 		}
-		// IKEv1 / ISAKMP packet
+		IkeFree(header);
 		{
 			IKE_PACKET *header;
 			header = ParseIKEPacketHeader(p);
 			if (header == NULL)
 			{
 				return;
 			}
 			switch (header->ExchangeType)
 			{
 			case IKE_EXCHANGE_TYPE_MAIN:	// Main mode
 				ProcIkeMainModePacketRecv(ike, p, header);
 				break;
 			case IKE_EXCHANGE_TYPE_AGGRESSIVE:	// Aggressive mode
 				if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
 				{
 					ProcIkeAggressiveModePacketRecv(ike, p, header);
 				}
 				break;
 			case IKE_EXCHANGE_TYPE_QUICK:	// Quick mode
 				ProcIkeQuickModePacketRecv(ike, p, header);
 				break;
 			case IKE_EXCHANGE_TYPE_INFORMATION:	// Information exchange
 				ProcIkeInformationalExchangePacketRecv(ike, p, header);
 				break;
 			}
 			IkeFree(header);
 		}
 	}
 	else if (p->Type == IKE_UDP_TYPE_ESP)
 	{
@@ -5663,9 +5645,6 @@ void ProcessIKEInterrupts(IKE_SERVER *ike)
 	}
 	while (ike->StateHasChanged);
 	// IKEv2 interrupt processing
 	ProcessIKEv2Interrupts(ike);
 	// Maintenance of the thread list
 	MaintainThreadList(ike->ThreadList);
 	/*Debug("ike->ThreadList: %u\n", LIST_NUM(ike->ThreadList));
@@ -5844,17 +5823,6 @@ void FreeIKEServer(IKE_SERVER *ike)
 	ReleaseList(ike->ClientList);
 	// Free IKEv2 SAs
 	{
 		UINT j;
 		for (j = 0; j < LIST_NUM(ike->IKEv2SaList); j++)
 		{
 			IKEv2_SA *sa2 = LIST_DATA(ike->IKEv2SaList, j);
 			IKEv2FreeSA(ike, sa2);
 		}
 	}
 	ReleaseList(ike->IKEv2SaList);
 	ReleaseSockEvent(ike->SockEvent);
 	IPsecLog(ike, NULL, NULL, NULL, "LI_STOP");
@@ -5901,8 +5869,6 @@ IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec)
 	ike->ThreadList = NewThreadList();
 	ike->IKEv2SaList = NewList(CmpIKEv2SA);
 	IPsecLog(ike, NULL, NULL, NULL, "LI_START");
 	return ike;
@@ -268,10 +268,6 @@ struct IKE_SERVER
 	// Setting data
 	char Secret[MAX_SIZE];						// Pre-shared key
 	// IKEv2 state
 	LIST *IKEv2SaList;							// IKEv2 SA list
 	UINT CurrentIKEv2SaId;						// IKEv2 SA ID counter
 };
@@ -1,292 +0,0 @@
 // SoftEther VPN Source Code - Developer Edition Master Branch
 // Cedar Communication Module
 // Proto_IKEv2.h
 // Header for IKEv2 (RFC 7296) implementation
 #ifndef PROTO_IKEV2_H
 #define PROTO_IKEV2_H
 #include "Proto_IKE.h"
 #include "Proto_IkePacket.h"
 //// IKEv2 Header Flags (RFC 7296 Section 3.1)
 #define IKEv2_FLAG_RESPONSE       0x20
 #define IKEv2_FLAG_VERSION        0x10
 #define IKEv2_FLAG_INITIATOR      0x08
 //// IKEv2 Payload Types (RFC 7296 Section 3.3)
 #define IKEv2_PAYLOAD_NONE        0
 #define IKEv2_PAYLOAD_SA          33
 #define IKEv2_PAYLOAD_KE          34
 #define IKEv2_PAYLOAD_IDi         35
 #define IKEv2_PAYLOAD_IDr         36
 #define IKEv2_PAYLOAD_CERT        37
 #define IKEv2_PAYLOAD_CERTREQ     38
 #define IKEv2_PAYLOAD_AUTH        39
 #define IKEv2_PAYLOAD_NONCE       40
 #define IKEv2_PAYLOAD_NOTIFY      41
 #define IKEv2_PAYLOAD_DELETE      42
 #define IKEv2_PAYLOAD_VENDOR      43
 #define IKEv2_PAYLOAD_TSi         44
 #define IKEv2_PAYLOAD_TSr         45
 #define IKEv2_PAYLOAD_SK          46
 #define IKEv2_PAYLOAD_CP          47
 #define IKEv2_PAYLOAD_EAP         48
 //// IKEv2 Transform Types
 #define IKEv2_TF_ENCR             1
 #define IKEv2_TF_PRF              2
 #define IKEv2_TF_INTEG            3
 #define IKEv2_TF_DH               4
 #define IKEv2_TF_ESN              5
 //// IKEv2 Encryption Algorithm IDs
 #define IKEv2_ENCR_3DES           3
 #define IKEv2_ENCR_AES_CBC        12
 //// IKEv2 PRF Algorithm IDs
 #define IKEv2_PRF_HMAC_MD5        1
 #define IKEv2_PRF_HMAC_SHA1       2
 #define IKEv2_PRF_HMAC_SHA2_256   5
 #define IKEv2_PRF_HMAC_SHA2_384   6
 #define IKEv2_PRF_HMAC_SHA2_512   7
 //// IKEv2 Integrity Algorithm IDs
 #define IKEv2_INTEG_HMAC_MD5_96        1   // key=16,  icv=12
 #define IKEv2_INTEG_HMAC_SHA1_96       2   // key=20,  icv=12
 #define IKEv2_INTEG_HMAC_SHA2_256_128  12  // key=32,  icv=16
 #define IKEv2_INTEG_HMAC_SHA2_384_192  13  // key=48,  icv=24
 #define IKEv2_INTEG_HMAC_SHA2_512_256  14  // key=64,  icv=32
 //// IKEv2 DH Groups (same wire values as IKEv1)
 #define IKEv2_DH_1024_MODP        2
 #define IKEv2_DH_1536_MODP        5
 #define IKEv2_DH_2048_MODP        14
 #define IKEv2_DH_3072_MODP        15
 #define IKEv2_DH_4096_MODP        16
 //// IKEv2 ESN Values
 #define IKEv2_ESN_NO_ESN          0
 #define IKEv2_ESN_YES             1
 //// IKEv2 Notify Message Types (error types < 16384)
 #define IKEv2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD  1
 #define IKEv2_NOTIFY_INVALID_IKE_SPI               4
 #define IKEv2_NOTIFY_INVALID_MAJOR_VERSION         5
 #define IKEv2_NOTIFY_INVALID_SYNTAX                7
 #define IKEv2_NOTIFY_INVALID_MESSAGE_ID            9
 #define IKEv2_NOTIFY_INVALID_SPI                   11
 #define IKEv2_NOTIFY_NO_PROPOSAL_CHOSEN            14
 #define IKEv2_NOTIFY_INVALID_KE_PAYLOAD            17
 #define IKEv2_NOTIFY_AUTHENTICATION_FAILED         24
 #define IKEv2_NOTIFY_TS_UNACCEPTABLE               38
 //// IKEv2 Notify status types (>= 16384)
 #define IKEv2_NOTIFY_NAT_DETECTION_SOURCE_IP       16388
 #define IKEv2_NOTIFY_NAT_DETECTION_DESTINATION_IP  16389
 #define IKEv2_NOTIFY_USE_TRANSPORT_MODE            16391
 #define IKEv2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED 16394
 //// IKEv2 ID Types
 #define IKEv2_ID_IPV4_ADDR        1
 #define IKEv2_ID_FQDN             2
 #define IKEv2_ID_RFC822_ADDR      3
 #define IKEv2_ID_IPV6_ADDR        5
 #define IKEv2_ID_KEY_ID           11
 //// IKEv2 Authentication Methods
 #define IKEv2_AUTH_RSA_SIGN       1
 #define IKEv2_AUTH_PSK            2
 //// IKEv2 Traffic Selector Types
 #define IKEv2_TS_IPV4_ADDR_RANGE  7
 #define IKEv2_TS_IPV6_ADDR_RANGE  8
 //// IKEv2 Protocol IDs
 #define IKEv2_PROTO_IKE           1
 #define IKEv2_PROTO_AH            2
 #define IKEv2_PROTO_ESP           3
 //// SA states
 #define IKEv2_SA_STATE_HALF_OPEN  0
 #define IKEv2_SA_STATE_ESTABLISHED 1
 //// Sizes and limits
 #define IKEv2_MAX_KEYMAT_SIZE     128
 #define IKEv2_NONCE_SIZE          32
 #define IKEv2_NONCE_MIN_SIZE      16
 #define IKEv2_NONCE_MAX_SIZE      256
 #define IKEv2_PSK_PAD             "Key Pad for IKEv2"
 #define IKEv2_PSK_PAD_LEN         17
 //// Timeouts
 #define IKEv2_SA_TIMEOUT_HALF_OPEN    30000
 #define IKEv2_SA_TIMEOUT_ESTABLISHED  (86400ULL * 1000)
 #define IKEv2_SA_RESEND_INTERVAL      2000
 #define IKEv2_CHILD_SA_LIFETIME_SECS  3600
 //// Structures
 // Negotiated IKE SA transform parameters
 struct IKEv2_IKETF
 {
    UINT EncrAlg;        // Encryption algorithm
    UINT EncrKeyLen;     // Encryption key length (bytes)
    UINT PrfAlg;         // PRF algorithm
    UINT IntegAlg;       // Integrity algorithm
    UINT DhGroup;        // DH group number
    UINT BlockSize;      // Cipher block size (bytes)
    UINT PrfKeyLen;      // PRF key length (bytes)
    UINT PrfOutLen;      // PRF output length (bytes)
    UINT IntegKeyLen;    // Integrity key length (bytes)
    UINT IntegIcvLen;    // Integrity ICV length (bytes)
 };
 typedef struct IKEv2_IKETF IKEv2_IKETF;
 // Negotiated Child SA transform parameters
 struct IKEv2_CHILDTF
 {
    UINT EncrAlg;        // Encryption algorithm
    UINT EncrKeyLen;     // Encryption key length (bytes)
    UINT IntegAlg;       // Integrity algorithm
    UINT IntegKeyLen;    // Integrity key length (bytes)
    UINT IntegIcvLen;    // Integrity ICV length (bytes)
    UINT DhGroup;        // DH group (0 if none)
    bool UseTransport;   // True = transport mode
    UINT BlockSize;      // Cipher block size
 };
 typedef struct IKEv2_CHILDTF IKEv2_CHILDTF;
 // IKEv2 SA (one per IKEv2 connection attempt)
 struct IKEv2_SA
 {
    UINT         Id;
    UINT64       InitiatorSPI;
    UINT64       ResponderSPI;
    IP           ClientIP;
    UINT         ClientPort;
    IP           ServerIP;
    UINT         ServerPort;
    bool         IsNatT;
    UINT         State;
    bool         Deleting;
    UINT64       FirstCommTick;
    UINT64       LastCommTick;
    IKEv2_IKETF  Transform;
    // Nonces
    BUF         *Ni;
    BUF         *Nr;
    // DH
    DH_CTX      *Dh;
    BUF         *GxI;     // initiator KE value
    BUF         *GxR;     // responder KE value (our public key)
    // Derived IKE SA keys  (max 64 bytes each)
    UCHAR        SK_d [IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_ai[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_ar[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_ei[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_er[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_pi[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_pr[IKEv2_MAX_KEYMAT_SIZE];
    // Crypto key objects for SK payload
    IKE_CRYPTO_KEY *EncKeyI;   // key for SK_ei (decrypt received)
    IKE_CRYPTO_KEY *EncKeyR;   // key for SK_er (encrypt sent)
    // Original IKE_SA_INIT messages for AUTH
    BUF         *InitMsg;   // IKE_SA_INIT request (from initiator)
    BUF         *RespMsg;   // IKE_SA_INIT response (from us)
    // Initiator identity from IKE_AUTH
    UCHAR        IDi_Type;
    BUF         *IDi_Data;
    // Responder identity (from initiator's optional IDr payload, echoed back)
    UCHAR        IDr_Type;
    BUF         *IDr_Data;
    // Message ID tracking
    UINT         NextExpectedMsgId;
    // Retransmission: cache last response
    BUF         *LastResponse;
    UINT         LastRespMsgId;
    UINT64       LastRespTick;
    UINT         NumResends;
    // Pointer to IKEv1 IKE_CLIENT created after AUTH
    IKE_CLIENT  *IkeClient;
 };
 typedef struct IKEv2_SA IKEv2_SA;
 //// Function prototypes
 void  ProcIKEv2PacketRecv(IKE_SERVER *ike, UDPPACKET *p);
 void  ProcessIKEv2Interrupts(IKE_SERVER *ike);
 IKEv2_SA *IKEv2NewSA(IKE_SERVER *ike);
 void  IKEv2FreeSA(IKE_SERVER *ike, IKEv2_SA *sa);
 void  IKEv2MarkDeleting(IKE_SERVER *ike, IKEv2_SA *sa);
 void  IKEv2PurgeDeleting(IKE_SERVER *ike);
 IKEv2_SA *IKEv2FindByInitSPI(IKE_SERVER *ike, UINT64 init_spi, IP *client_ip, UINT client_port);
 IKEv2_SA *IKEv2FindBySPIPair(IKE_SERVER *ike, UINT64 init_spi, UINT64 resp_spi);
 int   CmpIKEv2SA(void *p1, void *p2);
 void  IKEv2ProcSAInit(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr);
 void  IKEv2ProcAuth(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr, IKEv2_SA *sa,
                    void *payload_data, UINT payload_size, UCHAR first_payload);
 void  IKEv2ProcInformational(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr, IKEv2_SA *sa,
                              void *payload_data, UINT payload_size);
 bool  IKEv2DeriveKeys(IKE_SERVER *ike, IKEv2_SA *sa);
 void  IKEv2PRF(UINT prf_alg, void *key, UINT key_len,
               void *data, UINT data_len, void *out);
 void  IKEv2PRFPlus(UINT prf_alg, void *key, UINT key_len,
                   void *seed, UINT seed_len, void *out, UINT out_len);
 bool  IKEv2VerifyAuth(IKE_SERVER *ike, IKEv2_SA *sa,
                      UCHAR auth_method, void *auth_data, UINT auth_len);
 void  IKEv2ComputeOurAuth(IKE_SERVER *ike, IKEv2_SA *sa, void *out, UINT *out_len);
 bool  IKEv2CreateChildSAForClient(IKE_SERVER *ike, IKEv2_SA *sa,
                                   IKEv2_CHILDTF *ctf, UINT spi_i, UINT spi_r,
                                   BUF *ni, BUF *nr);
 bool  IKEv2ParseSAProposalIKE(void *data, UINT size, IKEv2_IKETF *out);
 bool  IKEv2ParseSAProposalChild(void *data, UINT size, IKEv2_CHILDTF *out, UINT *out_spi_i);
 UINT  IKEv2BuildSAProposalIKE(IKEv2_SA *sa, void *buf, UINT buf_size);
 UINT  IKEv2BuildSAProposalChild(IKEv2_CHILDTF *ctf, UINT spi_r, void *buf, UINT buf_size);
 void  IKEv2SendResponse(IKE_SERVER *ike, IKEv2_SA *sa, IKE_HEADER *req_hdr,
                        UCHAR exchange_type, void *payloads, UINT payloads_size,
                        bool encrypt);
 void  IKEv2SendNotifyError(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr,
                            UINT64 resp_spi, USHORT notify_type);
 BUF  *IKEv2EncryptSK(IKE_SERVER *ike, IKEv2_SA *sa, UCHAR next_payload,
                      void *inner, UINT inner_size);
 BUF  *IKEv2DecryptSK(IKE_SERVER *ike, IKEv2_SA *sa, bool is_init_sending,
                      void *sk_data, UINT sk_size);
 UINT  IKEv2PrfKeyLen(UINT prf_alg);
 UINT  IKEv2PrfOutLen(UINT prf_alg);
 UINT  IKEv2IntegKeyLen(UINT integ_alg);
 UINT  IKEv2IntegIcvLen(UINT integ_alg);
 UINT  IKEv2EncrKeyLen(UINT encr_alg, UINT requested);
 UINT  IKEv2EncrBlockSize(UINT encr_alg);
 IKE_HASH   *IKEv2GetHashForPrf(IKE_SERVER *ike, UINT prf_alg);
 IKE_HASH   *IKEv2GetHashForInteg(IKE_SERVER *ike, UINT integ_alg);
 IKE_CRYPTO *IKEv2GetCrypto(IKE_SERVER *ike, UINT encr_alg);
 IKE_DH     *IKEv2GetDh(IKE_SERVER *ike, UINT dh_group);
 #endif // PROTO_IKEV2_H
@@ -2562,16 +2562,9 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 								Debug("OpenVPN Channel %u Failed.\n", j);
 								OvsLog(s, se, c, "LO_CHANNEL_FAILED");
-								if ((se->IpcAsync->ErrorCode == ERR_AUTHTYPE_NOT_SUPPORTED) ||
+								// Return the AUTH_FAILED
-									(se->IpcAsync->ErrorCode == ERR_AUTH_FAILED) ||
+								str = "AUTH_FAILED";
-									(se->IpcAsync->ErrorCode == ERR_PROXY_AUTH_FAILED) ||
+								WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
 									(se->IpcAsync->ErrorCode == ERR_USER_AUTHTYPE_NOT_PASSWORD) ||
 									(se->IpcAsync->ErrorCode == ERR_NOT_SUPPORTED_AUTH_ON_OPENSOURCE))
 								{
 									// Return the AUTH_FAILED
 									str = "AUTH_FAILED";
 									WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
 								}
 								s->SessionEstablishedCount++;
@@ -5429,7 +5429,7 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 	p = PackError(0);
-	PackAddInt(p, "noop", NOOP);
+	PackAddInt(p, "noop", 1);
 	(void)HttpClientSend(c->FirstSock, p);
 	FreePack(p);
@@ -5440,24 +5440,6 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 }
 void ServerUploadNoop(CONNECTION *c)
 {
 	PACK *p;
 	// Validate arguments
 	if (c == NULL)
 	{
 		return;
 	}
 	p = PackError(0);
 	PackAddInt(p, "noop", NOOP_IGNORE);
 	(void)HttpServerSend(c->FirstSock, p);
 	FreePack(p);
 	// Client can't re-respond to an HTTP "response" 
 	// so we don't wait for it on the server side
 }
 // Add client version information to the PACK
 void PackAddClientVersion(PACK *p, CONNECTION *c)
 {
@@ -169,7 +169,6 @@ bool GetSessionKeyFromPack(PACK *p, UCHAR *session_key, UINT *session_key_32);
 void CreateNodeInfo(NODE_INFO *info, CONNECTION *c);
 UINT SecureSign(SECURE_SIGN *sign, UINT device_id, char *pin);
 void ClientUploadNoop(CONNECTION *c);
 void ServerUploadNoop(CONNECTION *c);
 bool ClientCheckServerCert(CONNECTION *c, bool *expired);
 void ClientCheckServerCertThread(THREAD *thread, void *param);
 bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x);
@@ -7,7 +7,6 @@
 #include "Radius.h"
 #include "Protocol.h"
 #include "Connection.h"
 #include "IPC.h"
 #include "Server.h"
@@ -1768,7 +1767,7 @@ LABEL_ERROR:
 ////////// Classical implementation
 // Attempts Radius authentication (with specifying retry interval and multiple server)
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname)
 {
 	UCHAR random[MD5_SIZE];
@@ -2073,22 +2072,14 @@ bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT sec
 			// Transmission process start
 			start = Tick64();
 			// Limit timeout to be larger than hardcoded timeout
 			// Limit interval to be larger than the hardcoded interval and less than timeout
 			if (timeout < RADIUS_RETRY_TIMEOUT) {
 				timeout = RADIUS_RETRY_TIMEOUT;
 			}
 			if(interval < RADIUS_RETRY_INTERVAL)
 			{
 				interval = RADIUS_RETRY_INTERVAL;
 			}
-			else if(interval > timeout)
+			else if(interval > RADIUS_RETRY_TIMEOUT)
 			{
-				interval = timeout;
+				interval = RADIUS_RETRY_TIMEOUT;
 			}
 			next_send_time = start + (UINT64)interval;
 			while (true)
@@ -2108,8 +2099,6 @@ SEND_RETRY:
 				next_send_time = Tick64() + (UINT64)interval;
 RECV_RETRY:
 				ServerUploadNoop(c);				
 				now = Tick64();
 				if (next_send_time <= now)
 				{
@@ -2120,7 +2109,7 @@ RECV_RETRY:
 					goto SEND_RETRY;
 				}
-				if ((start + timeout) < now)
+				if ((start + RADIUS_RETRY_TIMEOUT) < now)
 				{
 					// Time-out
 					break;
@@ -283,7 +283,7 @@ struct RADIUS_LOGIN_OPTION
 };
 // Function prototype
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname);
 BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
 BUF *RadiusCreateUserName(wchar_t *username);
@@ -516,7 +516,6 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			char suffix_filter[MAX_SIZE];
 			wchar_t suffix_filter_w[MAX_SIZE];
 			UINT interval;
 			UINT timeout;
 			EAP_CLIENT *eap = NULL;
 			char password1[MAX_SIZE];
 			UCHAR client_challenge[16];
@@ -587,7 +586,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			}
 			// Get the Radius server information
-			if (GetRadiusServerEx3(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, &timeout, suffix_filter, sizeof(suffix_filter)))
+			if (GetRadiusServerEx2(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, suffix_filter, sizeof(suffix_filter)))
 			{
 				Unlock(hub->lock);
@@ -598,7 +597,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 					// Attempt to login
 					b = RadiusLogin(c, radius_server_addr, radius_server_port,
 						radius_secret, StrLen(radius_secret),
-						name, password, interval, timeout, mschap_v2_server_response_20, opt, hub->Name);
+						name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
 					if (b)
 					{
@@ -4855,7 +4855,6 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
 		}
 		CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
 		CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
 		CfgAddInt(f, "RadiusRetryTimeout", h->RadiusRetryTimeout);
 		CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
 		CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
@@ -5021,11 +5020,9 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 			BUF *secret;
 			UINT port;
 			UINT interval;
 			UINT timeout;
 			port = CfgGetInt(f, "RadiusServerPort");
 			interval = CfgGetInt(f, "RadiusRetryInterval");
 			timeout = CfgGetInt(f, "RadiusRetryTimeout");
 			CfgGetStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter, sizeof(h->RadiusSuffixFilter));
 			CfgGetStr(f, "RadiusRealm", h->RadiusRealm, sizeof(h->RadiusRealm));
@@ -5038,10 +5035,6 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 				interval = RADIUS_RETRY_INTERVAL;
 			}
 			if (timeout == 0) {
 				timeout = RADIUS_RETRY_TIMEOUT;
 			}
 			if (port != 0 && CfgGetStr(f, "RadiusServerName", name, sizeof(name)))
 			{
 				secret = CfgGetBuf(f, "RadiusSecret");
@@ -5055,7 +5048,7 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 					}
 					secret_str[sizeof(secret_str) - 1] = 0;
 					//SetRadiusServer(h, name, port, secret_str);
-					SetRadiusServerEx2(h, name, port, secret_str, interval, timeout);
+					SetRadiusServerEx(h, name, port, secret_str, interval);
 					FreeBuf(secret);
 				}
 			}
@@ -4761,7 +4761,7 @@ static void MY_SHA0_Transform(MY_SHA0_CTX* ctx) {
 	UCHAR* p = ctx->buf;
 	int t;
 	for(t = 0; t < 16; ++t) {
-		UINT tmp =  (UINT)*p++ << 24;
+		UINT tmp =  *p++ << 24;
 		tmp |= *p++ << 16;
 		tmp |= *p++ << 8;
 		tmp |= *p++;
@@ -1207,14 +1207,12 @@ PACK *HttpClientRecv(SOCK *s)
 	UINT size;
 	UCHAR *tmp;
 	HTTP_VALUE *v;
 	UINT num_noop = 0;
 	// Validate arguments
 	if (s == NULL)
 	{
 		return NULL;
 	}
 START:
 	h = RecvHttpHeader(s);
 	if (h == NULL)
 	{
@@ -1259,22 +1257,6 @@ START:
 	p = BufToPack(b);
 	FreeBuf(b);
 	// Client shouldn't receive a noop other than NOOP_IGNORE
 	// because it can't respond without a full new HTTP request
 	UINT noop = PackGetInt(p, "noop");
 	if (noop == NOOP_IGNORE) {
 		Debug("recv: noop ignore\n");
 		FreePack(p);
 		num_noop++;
 		if (num_noop > MAX_NOOP_PER_SESSION)
 		{
 			return NULL;
 		}
 		goto START;
 	}
 	return p;
 }
@@ -1383,14 +1365,13 @@ START:
 	FreeBuf(b);
 	// Determine whether it's a NOOP
-	UINT noop = PackGetInt(p, "noop");
+	if (PackGetInt(p, "noop") != 0)
 	if (noop == NOOP)
 	{
 		Debug("recv: noop\n");
 		FreePack(p);
 		p = PackError(0);
-		PackAddInt(p, "noop", NOOP_IGNORE);
+		PackAddInt(p, "noop", 1);
 		if (HttpServerSend(s, p) == false)
 		{
 			FreePack(p);
@@ -1406,11 +1387,6 @@ START:
 			return NULL;
 		}
 		goto START;
 	} else if (noop == NOOP_IGNORE) {
 		Debug("recv: noop ignore\n");
 		FreePack(p);
 		goto START;
 	}
@@ -63,7 +63,7 @@ static int ydays[] =
 	0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365
 };
-static COUNTER *current_num_thread = NULL;
+static UINT current_num_thread = 0;
 static UINT cached_number_of_cpus = 0;
@@ -776,7 +776,6 @@ void InitThreading()
 {
 	thread_pool = NewSk();
 	thread_count = NewCounter();
 	current_num_thread = NewCounter();
 }
 // Release of thread pool
@@ -822,9 +821,6 @@ void FreeThreading()
 	DeleteCounter(thread_count);
 	thread_count = NULL;
 	DeleteCounter(current_num_thread);
 	current_num_thread = NULL;
 }
 // Thread pool procedure
@@ -1032,9 +1028,9 @@ THREAD *NewThreadNamed(THREAD_PROC *thread_proc, void *param, char *name)
 	Wait(pd->InitFinishEvent, INFINITE);
-	Inc(current_num_thread);
+	current_num_thread++;
-//	Debug("current_num_thread = %u\n", Count(current_num_thread));
+//	Debug("current_num_thread = %u\n", current_num_thread);
 	return ret;
 }
@@ -1059,8 +1055,8 @@ void CleanupThread(THREAD *t)
 	Free(t);
-	Dec(current_num_thread);
+	current_num_thread--;
-	//Debug("current_num_thread = %u\n", Count(current_num_thread));
+	//Debug("current_num_thread = %u\n", current_num_thread);
 }
 // Release thread (pool)
@@ -72,26 +72,11 @@ int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
 // Compiler dependent
 #ifndef	OS_WIN32
-// GCC or Clang compiler
+// Gcc compiler
 #define	GCC_PACKED		__attribute__ ((__packed__))
 // Clang compiler
 #if defined(__has_feature)
 #if __has_feature(thread_sanitizer)
 #define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
 #endif	// __has_feature(thread_sanitizer)
 #endif	// __has_feature
 // GCC compiler
 #if defined(__SANITIZE_THREAD__) && !defined(ATTRIBUTE_NO_TSAN)
 #define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
 #endif	// __SANITIZE_THREAD__
 // Other or older Clang/GCC compiler
 #ifndef ATTRIBUTE_NO_TSAN
 #define ATTRIBUTE_NO_TSAN
 #endif	// ATTRIBUTE_NO_TSAN
 #else	// OS_WIN32
 // VC++ compiler
 #define	GCC_PACKED
 #define ATTRIBUTE_NO_TSAN
 #endif	// OS_WIN32
 // Macro that displays the current file name and line number
@@ -881,6 +881,8 @@ struct SSL_VERIFY_OPTION
 	X *SavedCert;					// Saved server certificate
 };
 #define	SSL_DEFAULT_CONNECT_TIMEOUT		(15 * 1000)		// SSL default timeout
 // Header for TCP Pair
 struct TCP_PAIR_HEADER
 {
@@ -38,8 +38,6 @@
 // The number of allowable NOOP
 #define	MAX_NOOP_PER_SESSION	30
 #define NOOP 1
 #define NOOP_IGNORE 2 // A noop, but don't send a response noop
 // VALUE object
 struct VALUE
@@ -470,7 +470,6 @@ LIST *LoadLangList()
 	b = ReadDump(filename);
 	if (b == NULL)
 	{
 		FreeLangList(o);
 		return NULL;
 	}
@@ -651,15 +651,6 @@ struct IKE_HEADER
 #define IKE_EXCHANGE_TYPE_INFORMATION		5	// Information exchange
 #define IKE_EXCHANGE_TYPE_QUICK				32	// Quick mode
 // IKEv2 version identifier (in the Version field of IKE_HEADER)
 #define IKEv2_VERSION					0x20	// 2.0
 // IKEv2 exchange types (RFC 7296)
 #define IKEv2_EXCHANGE_IKE_SA_INIT		34
 #define IKEv2_EXCHANGE_IKE_AUTH			35
 #define IKEv2_EXCHANGE_CREATE_CHILD_SA	36
 #define IKEv2_EXCHANGE_INFORMATIONAL	37
 // DHCPv4 data
 struct DHCPV4_DATA
 {
@@ -2140,13 +2140,9 @@ void UnixMemoryFree(void *addr)
 // SIGCHLD handler
 void UnixSigChldHandler(int sig)
 {
 	int old_errno = errno;
 	// Recall the zombie processes
 	while (waitpid(-1, NULL, WNOHANG) > 0);
 	signal(SIGCHLD, UnixSigChldHandler);
 	errno = old_errno;
 }
 // Disable core dump
@@ -1,28 +0,0 @@
 # This file contains suppressions for Thread Sanitizer.
 # For the specification, refer to: https://github.com/google/sanitizers/wiki/threadsanitizersuppressions
 ## Set/Wait
 # This provides synchronization equivalent to a lock, but Thread Sanitizer cannot recognize it.
 # Thread Sanitizer reports data race on Halt in TK64.
 # https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2221
 race_top:FreeTick64
 # Thread Sanitizer reports data races on Finished and NoDelayFlag in CONNECT_SERIAL_PARAM,
 # shared between BindConnectThreadForIPv4, BindConnectThreadForIPv6, and BindConnectEx5.
 # https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2222
 race_top:BindConnectThreadForIPv4
 race_top:BindConnectThreadForIPv6
 race_top:BindConnectEx5
 ## Manual PTHREAD_MUTEX_RECURSIVE
 # The Lock/Unlock mechanism on Unix is a manual, hand-coded implementation of PTHREAD_MUTEX_RECURSIVE.
 # We avoid using the PTHREAD_MUTEX_RECURSIVE directly because it exhibits critical bugs, such as deadlocks
 # on certain older systems(Linux, Solaris, or macOS). While Thread Sanitizer will report data races,
 # these warnings should be ignored as the logic has been carefully implemented to ensure thread safety.
 # https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2219
 race_top:UnixLock
 race_top:UnixUnlockEx
Author	SHA1	Message	Date
copilot-swe-agent[bot]	c7d906c01c	Update README.md to reference Windows ARM64 build guide Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2026-02-04 16:40:48 +00:00
copilot-swe-agent[bot]	66119d1303	Add Windows ARM64 build and installation documentation Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2026-02-04 16:40:11 +00:00
copilot-swe-agent[bot]	486b9ed7c5	Initial plan	2026-02-04 16:37:45 +00:00