[Announce] ANNOUNCE: strongswan-4.0.1 released

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 21 22:32:20 CEST 2006

We are happy to announce the latest release of the strongSwan 4.0
IKEv1 & IKEv2 development branch which offers the following
major improvements:

- Added algorithm selection to charon: New default algorithms for
  ike=aes128-sha-modp2048, as both daemons support it. The default
  for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
  the ike/esp parameter the same way as pluto. As this syntax does
  not allow specification of a pseudo random function, the same
  algorithm as for integrity is used (currently sha/md5). Supported
  algorithms for IKE:
    Encryption: aes128, aes192, aes256
    Integrity/PRF: md5, sha (using hmac)
    DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
  and for ESP:
    Encryption: aes128, aes192, aes256, 3des, blowfish128,
                blowfish192, blowfish256
    Integrity: md5, sha1
  More IKE encryption algorithms will come after porting libcrypto into

- initial support for rekeying CHILD_SAs using IKEv2. Currently no
  perfect forward secrecy is used. The rekeying parameters rekey,
  rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
  when using IKEv2. WARNING: charon currently is unable to handle
  simultaneous rekeying. To avoid such a situation, use a large
  rekeyfuzz, or even better, set rekey=no on one peer.

- support for host2host, net2net, host2net (roadwarrior) tunnels
  using predefined RSA certificates (see uml scenarios for
  configuration examples).

- new build environment featuring autotools. Features such
  as HTTP, LDAP and smartcard support may be enabled using
  the ./configure script. Changing install directories
  is possible, too. See ./configure --help for more details.

- better integration of charon with ipsec starter, which allows
  (almost) transparent operation with both daemons. charon
  handles ipsec commands up, down, status, statusall, listall,
  listcerts and allows proper load, reload and delete of connections
  via ipsec starter.

strongswan-4.0.1 can be downloaded from


where you also find a couple of IKEv2 configuration examples:


Look for scenarios starting with ikev2-

Best regards

Martin Willi [main IKEv2 developer]
Andreas Steffen [strongSwan project leader]

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
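
An ipsec.conf sketch of the rekeying advice in the announcement above, added here as an illustration; it is not part of the original message or of the strongSwan distribution. It assumes a net2net tunnel with RSA certificates; the connection name, addresses, subnets, IDs and certificate file names are constructed placeholders.

```conf
# Peer A: conn section only (constructed example values throughout)
conn net-net
    keyexchange=ikev2            # connection is handled by charon
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftcert=peerACert.pem
    leftid=@peer-a.example.org
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@peer-b.example.org
    ike=aes128-sha-modp2048      # no PRF field: the integrity algorithm (sha) is used as PRF
    esp=aes128-sha               # one explicit proposal instead of the default list
    keylife=1h                   # CHILD_SA lifetime
    rekeymargin=9m               # start rekeying this long before expiry
    rekeyfuzz=100%               # randomly increase rekeymargin by up to this percentage
    rekey=yes                    # peer A is the only side that initiates rekeying
    auto=add

# Peer B: mirror image of the same connection
conn net-net
    keyexchange=ikev2
    left=198.51.100.1
    leftsubnet=10.2.0.0/16
    leftcert=peerBCert.pem
    leftid=@peer-b.example.org
    right=192.0.2.1
    rightsubnet=10.1.0.0/16
    rightid=@peer-a.example.org
    ike=aes128-sha-modp2048
    esp=aes128-sha
    keylife=1h
    rekey=no                     # never initiates rekeying, so both ends cannot rekey at once
    auto=add
```

With rekey=no on peer B, peer B still answers rekeying started by peer A, so the CHILD_SA is renewed before keylife expires.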
