[Announce] ANNOUNCE: strongswan-4.1.1 released

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 10 11:34:06 CEST 2007


Already two weeks after the initial 4.1 release we are happy to
announce the addition of several new features plus an IKEv1 bug fix:


- Added the configuration options --enable-nat-transport which enables
   the potentially insecure NAT traversal for IPsec transport mode and
   --disable-vendor-id which disables the sending of the strongSwan
   vendor ID.

- Fixed a long-standing bug in the pluto IKEv1 daemon which caused
   a segmentation fault when a malformed payload was detected in the
   IKE MR2 message and pluto tried to send an encrypted notification

- Added the NATT_IETF_02_N Vendor ID in order to support IKEv1
   connections with Windows 2003 Server which uses a wrong VID hash.


- Server side cookie support. If too many IKE_SAs are in CONNECTING state,
   cookies are enabled and protect against DoS attacks with faked source
   addresses. Number of IKE_SAs in CONNECTING state is also limited per
   peer address to avoid resource exhaustion. IKE_SA_INIT messages are
   compared to properly detect retransmissions and incoming retransmits
   are detected even if the IKE_SA is blocked (e.g. doing OCSP fetches).

- The IKEv2 daemon charon now supports dynamic http- and ldap-based CRL
   fetching enabled by crlcheckinterval > 0 and caching fetched CRLs
   by storing them locally to a file enabled by cachecrls=yes.

The new release is available from


Best regards

Martin Willi & Andreas Steffen

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org 

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
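
The server-side cookie and per-peer limit described in the announcement, shown as an added example that is not strongSwan code and not part of the original message. The class and function names, the two threshold values and the use of HMAC-SHA256 are assumptions; RFC 4306 section 2.6 suggests Hash(Ni | IPi | SPIi | secret) for the cookie.

```python
import hashlib
import hmac
import ipaddress
import os

COOKIE_THRESHOLD = 3  # constructed value: half-open SAs before cookies are required
PER_PEER_LIMIT = 2    # constructed value: half-open SAs allowed per source address


class Responder:
    """Hypothetical IKE_SA_INIT front end tracking SAs in CONNECTING state."""

    def __init__(self):
        self.secret = os.urandom(32)  # local secret, never sent on the wire
        self.half_open = {}           # initiator SPI -> source address

    def cookie(self, nonce_i, src_ip, spi_i):
        # Binds the cookie to the claimed source address, the initiator SPI
        # and the initiator nonce. Fixed-length fields come first.
        ip = ipaddress.ip_address(src_ip).packed
        msg = spi_i + ip + nonce_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle_init(self, src_ip, spi_i, nonce_i, cookie=None):
        """Return (verdict, cookie_to_send) for one IKE_SA_INIT request."""
        from_peer = sum(1 for ip in self.half_open.values() if ip == src_ip)
        if from_peer >= PER_PEER_LIMIT:
            return ("DROP", None)  # per-peer cap on CONNECTING SAs
        if len(self.half_open) >= COOKIE_THRESHOLD:
            expected = self.cookie(nonce_i, src_ip, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                # Nothing is stored: a faked source address never sees this
                # cookie, so it cannot complete the exchange.
                return ("COOKIE_REQUIRED", expected)
        self.half_open[spi_i] = src_ip  # state is allocated only here
        return ("ACCEPT", None)


if __name__ == "__main__":
    r = Responder()
    # Constructed requests from documentation addresses (RFC 5737).
    for i in range(1, 5):
        spi, nonce = bytes([i]) * 8, os.urandom(16)
        verdict, c = r.handle_init(f"192.0.2.{i}", spi, nonce)
        print(i, verdict)
        if verdict == "COOKIE_REQUIRED":
            print(i, r.handle_init(f"192.0.2.{i}", spi, nonce, c)[0])
```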
