[Announce] ANNOUNCE: strongswan-2.7.0 released
Andreas Steffen
andreas.steffen at strongswan.org
Thu Apr 27 13:46:23 CEST 2006
Hi,
I'm happy to announce the major release strongswan-2.7.0 which is
available from
http://www.strongswan.org
and which at last offers built-in iptables support for both
Linux 2.4 and 2.6 kernels and should make fully integrated
firewall solutions a piece of cake. Here are the details:
Re-activation of the left|rightfirewall parameter
-------------------------------------------------
The default _updown script now automatically inserts and deletes
dynamic iptables firewall rules upon the establishment or teardown,
respectively, of an IPsec security association. This new feature is
activated with the line
leftfirewall=yes
and can be used when the following prerequisites are fulfilled:
* Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables
version. Filtering of tunneled traffic is based on ipsecN
interfaces.
* Linux 2.6.16 kernel, native NETKEY IPsec stack, and
iptables-1.3.5. Filtering of tunneled traffic is based
on Patrick McHardy's iptables IPsec policy matching rules.
All UML scenarios shown under the link:
http://www.strongswan.org/uml/testresults
have been converted to the new leftfirewall=yes scheme.
strongswan-2.7.0 is fully backwards compatible with earlier versions
(assuming that ipfwadm is now obsolete and no longer used).
Thus your personal firewall solution based on an updown script imported
via leftupdown will still work. For Linux 2.6 kernels < 2.6.16 the
_updown_espmark template is recommended.
New left|righthostaccess parameter
----------------------------------
If you define a local client subnet with a netmask larger than /32
behind the gateway then the automatically inserted FORWARD iptables
rules will not allow you to access the internal IP address of the host
although it is part of the client subnet definition. If you want
additional INPUT and OUTPUT iptables rules to be inserted so that the
host itself can be accessed, then add the following line:
lefthostaccess=yes
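As an added illustration of the mechanism described in the two sections above (this is not the strongSwan _updown script itself), the following POSIX sh hook emits the iptables commands a leftfirewall=yes style script manages for one security association. It reads the PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT variables that pluto exports to updown scripts; the STACK, HOSTACCESS and UPDOWN_DRYRUN knobs and the sample addresses are assumptions of this example. On KLIPS the rules match on the ipsecN interface, on NETKEY on the iptables policy match, and the down-* verbs delete exactly the rule text the up-* verbs inserted, which is what keeps the ACCEPT from outliving the SA.

```shell
#!/bin/sh
# Added example (not strongSwan's _updown script): generate the iptables
# rules a leftfirewall=yes style hook manages for one IPsec SA.
#
# Variables pluto exports to updown scripts:
#   PLUTO_VERB        up-client | down-client | up-host | down-host
#   PLUTO_INTERFACE   ipsecN on KLIPS, the physical interface on NETKEY
#   PLUTO_MY_CLIENT   local subnet behind this gateway, e.g. 10.1.0.0/16
#   PLUTO_PEER_CLIENT remote subnet, e.g. 10.2.0.0/16
# Knobs that belong to this example only (assumptions, not pluto variables):
#   STACK          klips | netkey   interface match vs. policy match
#   HOSTACCESS     yes | no         mirror of lefthostaccess=yes
#   UPDOWN_DRYRUN  yes | no         print the commands instead of running them

# NETKEY has no ipsecN device, so the rule must ask netfilter whether the
# packet was just decrypted (--dir in) or is about to be encrypted (--dir out)
# under an ESP policy. KLIPS needs no such match: the ipsecN interface is proof.
policy_match() {
    if [ "$STACK" = netkey ]; then
        printf '%s' "-m policy --dir $1 --pol ipsec --proto esp "
    fi
}

# "up" inserts at the top of the chain, "down" deletes. The match text after
# the chain name must be identical in both cases, or -D will not find the
# rule and the ACCEPT survives the tunnel.
rule_action() {
    case "$PLUTO_VERB" in
        up-*)   printf '%s' "-I $1 1" ;;
        down-*) printf '%s' "-D $1" ;;
        *)      echo "unsupported PLUTO_VERB: $PLUTO_VERB" >&2; return 1 ;;
    esac
}

# One iptables command per line; nothing is executed here.
render_rules() {
    # Tunneled traffic routed between the two client subnets.
    printf 'iptables %s -i %s %s-s %s -d %s -j ACCEPT\n' \
        "$(rule_action FORWARD)" "$PLUTO_INTERFACE" "$(policy_match in)" \
        "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT"
    printf 'iptables %s -o %s %s-s %s -d %s -j ACCEPT\n' \
        "$(rule_action FORWARD)" "$PLUTO_INTERFACE" "$(policy_match out)" \
        "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
    # FORWARD never sees packets addressed to the gateway itself, even when
    # its address lies inside PLUTO_MY_CLIENT; open INPUT/OUTPUT only on request.
    if [ "$HOSTACCESS" = yes ]; then
        printf 'iptables %s -i %s %s-s %s -d %s -j ACCEPT\n' \
            "$(rule_action INPUT)" "$PLUTO_INTERFACE" "$(policy_match in)" \
            "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT"
        printf 'iptables %s -o %s %s-s %s -d %s -j ACCEPT\n' \
            "$(rule_action OUTPUT)" "$PLUTO_INTERFACE" "$(policy_match out)" \
            "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
    fi
}

# Entry point when pluto invokes the hook (PLUTO_VERB is set). Defaults to
# dry-run so the generated rules can be inspected before they are trusted.
if [ -n "${PLUTO_VERB:-}" ]; then
    if [ "${UPDOWN_DRYRUN:-yes}" = yes ]; then
        render_rules
    else
        render_rules | sh
    fi
fi
```

Run it with the PLUTO_* variables set and UPDOWN_DRYRUN=yes to see the four rules a NETKEY gateway with hostaccess would get; the same invocation with PLUTO_VERB=down-client prints the matching -D lines, so a quick diff of the two outputs shows whether insert and delete really refer to the same rule.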
Mixed PSK/RSA roadwarrior support
---------------------------------
The ISAKMP proposal payload is preparsed in order to find out whether
the roadwarrior requests PSK or RSA so that a matching connection
candidate can be found. Thanks go to Mathieu Lafon who wrote the
original patch. The following example shows the use of this new feature:
http://www.strongswan.org/uml/testresults/rw-psk-rsa-mixed/
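To show what "preparsing the proposal payload" amounts to, here is an added example that is not strongSwan code: a POSIX sh walk over an IKEv1 SA payload that reports the Authentication Method each transform offers, which is the information a responder needs to choose between a PSK and an RSA connection candidate before it replies. The payload bytes are constructed for this example; the attribute numbers follow the IKE attribute assignments (type 3 = Authentication Method, value 1 = pre-shared key, value 3 = RSA signatures).

```shell
#!/bin/sh
# Added illustration of preparsing the ISAKMP SA payload (not strongSwan code).
# Layout (IKEv1): SA payload = generic header(4) DOI(4) SIT(4), then one
# Proposal payload = header(4) prop#(1) proto(1) spisize(1) ntrans(1)
# SPI(spisize), then ntrans Transform payloads = header(4) trans#(1) tid(1)
# res(2) attributes. An attribute is TV (type with high bit set, 2-byte value)
# or TLV (type, 2-byte length, value). Type 3 is Authentication Method.

# Constructed sample: one proposal, two transforms that differ only in the
# authentication method (3DES, SHA1, MODP-1024, 28800 s lifetime).
SAMPLE_SA="0000005c"                        # next=0, len=92
SAMPLE_SA="${SAMPLE_SA}00000001"            # DOI IPsec
SAMPLE_SA="${SAMPLE_SA}00000001"            # SIT_IDENTITY_ONLY
SAMPLE_SA="${SAMPLE_SA}0000005001010002"    # proposal: len=80, #1, ISAKMP, spisize 0, 2 transforms
SAMPLE_SA="${SAMPLE_SA}0300002401010000"    # transform 1 header: more follow, len=36, KEY_IKE
SAMPLE_SA="${SAMPLE_SA}80010005800200028003000180040002800b0001000c000400007080"  # auth=1 (PSK)
SAMPLE_SA="${SAMPLE_SA}0000002402010000"    # transform 2 header: last, len=36, KEY_IKE
SAMPLE_SA="${SAMPLE_SA}80010005800200028003000380040002800b0001000c000400007080"  # auth=3 (RSA sig)

# Extract one or two bytes at a 0-based byte offset from a hex string.
byte_at() { printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))"; }
word_at() { printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( $2 * 2 + 4 ))"; }

# Authentication Method values from the IKE attribute registry.
auth_name() {
    case "$1" in
        1) echo psk ;;
        2) echo dss-sig ;;
        3) echo rsa-sig ;;
        4) echo rsa-enc ;;
        5) echo rsa-enc-revised ;;
        *) echo "unknown($1)" ;;
    esac
}

# Print one authentication method name per transform of the first proposal.
auth_methods() {
    sa=$1
    spisize=$(( 0x$(byte_at "$sa" 18) ))
    ntrans=$(( 0x$(byte_at "$sa" 19) ))
    off=$(( 20 + spisize ))                 # first transform payload
    i=0
    while [ "$i" -lt "$ntrans" ]; do
        tlen=$(( 0x$(word_at "$sa" $(( off + 2 ))) ))
        end=$(( off + tlen ))
        aoff=$(( off + 8 ))                 # attributes follow the 8-byte transform header
        method=
        while [ "$aoff" -lt "$end" ]; do
            atype=$(( 0x$(word_at "$sa" "$aoff") ))
            if [ $(( atype & 0x8000 )) -ne 0 ]; then
                # TV form: 2-byte value, only Authentication Method (3) matters here
                if [ $(( atype & 0x7fff )) -eq 3 ]; then
                    method=$(( 0x$(word_at "$sa" $(( aoff + 2 ))) ))
                fi
                aoff=$(( aoff + 4 ))
            else
                # TLV form (e.g. 4-byte lifetime): skip over the declared length
                alen=$(( 0x$(word_at "$sa" $(( aoff + 2 ))) ))
                aoff=$(( aoff + 4 + alen ))
            fi
        done
        auth_name "${method:-0}"
        off=$end
        i=$(( i + 1 ))
    done
}

# Exit status 0 when at least one transform offers the given method name,
# i.e. whether a PSK or an RSA connection candidate can match this peer.
offers_auth() {
    auth_methods "$1" | grep -qx "$2"
}

if [ $# -gt 0 ]; then auth_methods "$1"; else auth_methods "$SAMPLE_SA"; fi
```

Run without arguments to parse the constructed sample, or pass another SA payload as a hex string; a responder with separate PSK and RSA roadwarrior connections would call offers_auth for each and only consider the candidates whose authby= the peer actually proposed.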
Best regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==