[Announce] ANNOUNCE: strongswan-4.0.2 released

Andreas Steffen andreas.steffen at strongswan.org
Sun Jul 16 18:00:35 CEST 2006


We are happy to announce the latest release of our IKEv2
implementation. We have achieved a large leap forward with the
following new features:

- Full X.509 certificate trust chain verification has been implemented.
  End entity certificates can be exchanged via CERT payloads. The
  current default is leftsendcert=always, since CERTREQ payloads are not
  supported yet. Optional CRLs must be imported locally into

- Added support for leftprotoport/rightprotoport parameters in IKEv2.
  The IKEv2 standard itself would offer more powerful possibilities for
  traffic selection, but the Linux kernel currently does not support it.
  That's why we stick with these simple ipsec.conf rules for now.

- Added Dead Peer Detection (DPD) which checks the liveliness of the remote peer
  if no IKE or ESP traffic is received. DPD is currently hardcoded
  (dpdaction=clear, dpddelay=60s).

- Initial NAT traversal support in IKEv2. Charon includes NAT detection
  notify payloads to detect NAT routers between the peers. It switches
  to port 4500, uses UDP encapsulated ESP packets, handles peer address
  changes gracefully and sends keep-alive messages periodically.

Thus strongSwan is currently the *only* Open Source IKEv2 implementation
with NAT traversal support.

strongSwan-4.0.2 is available from


and IKEv2 configuration examples can be found under the link


Best regards

Martin Willi and Andreas Steffen

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
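
The NAT detection notify payloads mentioned in the announcement, sketched as an added example that is not strongSwan code and not part of the original message: it follows the hash defined in the IKEv2 specification (RFC 4306), SHA-1 over both SPIs, the IP address and the port. The function names, the SPI and the addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | port), as carried in NAT_DETECTION_*_IP."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, src_hashes, dst_hash, seen_src, seen_dst):
    """Receiver-side check against the addresses seen in the UDP/IP header."""
    peer_nat = nat_detection_hash(spi_i, spi_r, *seen_src) not in src_hashes
    local_nat = nat_detection_hash(spi_i, spi_r, *seen_dst) != dst_hash
    return {"peer_behind_nat": peer_nat, "local_behind_nat": local_nat,
            "use_port_4500": peer_nat or local_nat}


# Constructed sample values (documentation address ranges, made-up SPI).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)  # responder SPI is zero in the first IKE_SA_INIT request
INITIATOR = ("192.168.1.10", 500)   # private address the initiator hashes
NAT_PUBLIC = ("203.0.113.7", 1024)  # what the responder sees after a NAT
RESPONDER = ("198.51.100.20", 500)


def run_case(seen_src):
    """Initiator builds both hashes; responder checks them against seen_src."""
    src = [nat_detection_hash(SPI_I, SPI_R, *INITIATOR)]
    dst = nat_detection_hash(SPI_I, SPI_R, *RESPONDER)
    return detect_nat(SPI_I, SPI_R, src, dst, seen_src, RESPONDER)


if __name__ == "__main__":
    print("direct path :", run_case(INITIATOR))
    print("through NAT :", run_case(NAT_PUBLIC))
```

A mismatch on the source hash means the sender's address or port was rewritten in transit, which is the condition under which the peers move to port 4500 and UDP-encapsulated ESP.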
