[Announce] ANNOUNCE: strongswan-2.7.0 released

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 27 13:46:23 CEST 2006


I'm happy to announce the major release strongswan-2.7.0 which is
available from


and which at last offers built-in iptables support for both
Linux 2.4 and 2.6 kernels and should make fully integrated
firewall solutions a piece of cake. Here are the details:

Re-activation of the left|rightfirewall parameter

The default _updown script now automatically inserts and deletes
dynamic iptables firewall rules upon the establishment or teardown,
respectively, of an IPsec security association. This new feature is
activated with the line


and can be used when the following prerequisites are fulfilled:

     * Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables
       version. Filtering of tunneled traffic is based on ipsecN

     * Linux 2.6.16 kernel, native NETKEY IPsec stack, and
       iptables-1.3.5. Filtering of tunneled traffic is based
       on Patrick McHardy's iptables IPsec policy matching rules.

All UML scenarios shown under the link:


have been converted to the new leftfirewall=yes scheme.

strongswan-2.7.0 is fully backwards compatible with earlier versions
(assuming that ipfwadm is now obsolete and no longer used).
Thus your personal firewall solution based on an updown script imported
via leftupdown will still work. For Linux 2.6 kernels < 2.6.16 the
_updown_espmark template is recommended.

New left|righthostaccess parameter

If you define a local client subnet with a netmask larger than /32
behind the gateway, the automatically inserted FORWARD iptables
rules will not allow you to reach the internal IP address of the gateway
host itself, even though it is part of the client subnet definition. If
you want additional INPUT and OUTPUT iptables rules to be inserted, so
that the host itself can be accessed, then add the following line:


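To make the two firewall parameters above concrete, here is an added example (written for this announcement, not strongSwan's own _updown script) that prints the iptables rules such an updown hook would insert for one SA on a Linux 2.6.16+ NETKEY host, tied to the SA with the iptables policy match; the verb names, argument order and the hostaccess flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not strongSwan's _updown script: print the iptables rules a
# leftfirewall=yes style updown hook would insert or delete for one IPsec SA
# on a Linux 2.6.16+ NETKEY host, using the iptables policy match.
# Assumed calling convention (constructed for this example): verb
# (up-client / down-client), local and remote client subnets, peer address,
# the SA's reqid and a lefthostaccess-style yes/no flag.
# Commands are printed, not executed, so this runs without root privileges.

ipt() { echo "iptables $*"; }

# Usage: ipsec_fw_rules VERB MY_CLIENT PEER_CLIENT PEER REQID HOSTACCESS
ipsec_fw_rules() {
    verb=$1; my_client=$2; peer_client=$3; peer=$4; reqid=$5; hostaccess=$6
    case $verb in
        up-client)   op="-I"; pos=1 ;;   # insert at the top of the chain
        down-client) op="-D"; pos=""  ;; # delete the matching rule again
        *) echo "unsupported verb: $verb" >&2; return 1 ;;
    esac
    # Only traffic that was actually ESP-protected by this SA matches: the
    # policy match binds the rule to the tunnel (peer address and reqid), so
    # a cleartext packet spoofing the remote subnet is not accepted by it.
    in_pol="-m policy --dir in --pol ipsec --proto esp --reqid $reqid --tunnel-src $peer"
    out_pol="-m policy --dir out --pol ipsec --proto esp --reqid $reqid --tunnel-dst $peer"
    ipt "$op FORWARD${pos:+ $pos} $in_pol -s $peer_client -d $my_client -j ACCEPT"
    ipt "$op FORWARD${pos:+ $pos} $out_pol -s $my_client -d $peer_client -j ACCEPT"
    # lefthostaccess=yes: FORWARD alone does not cover the gateway's own
    # address inside the client subnet, so add INPUT and OUTPUT rules too.
    if [ "$hostaccess" = yes ]; then
        ipt "$op INPUT${pos:+ $pos} $in_pol -s $peer_client -d $my_client -j ACCEPT"
        ipt "$op OUTPUT${pos:+ $pos} $out_pol -s $my_client -d $peer_client -j ACCEPT"
    fi
}

# Constructed sample SA: local subnet 10.1.0.0/16 behind this gateway,
# remote subnet 10.2.0.0/16 behind peer 192.0.2.1, reqid 16, host access on.
ipsec_fw_rules up-client 10.1.0.0/16 10.2.0.0/16 192.0.2.1 16 yes
```

Remove the `echo` in `ipt` and run as root to apply the rules; the down-client call deletes exactly the rules the up-client call inserted.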
Mixed PSK/RSA roadwarrior support

The ISAKMP proposal payload is pre-parsed in order to find out whether
the roadwarrior requests PSK or RSA, so that a matching connection
candidate can be found. Thanks go to Mathieu Lafon who wrote the
original patch. The following example shows the use of this new feature:


Best regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
