[Announce] ANNOUNCE: strongswan-4.1.4 released
Andreas Steffen
andreas.steffen at strongswan.org
Thu Jul 5 08:58:48 CEST 2007
IKEv2 - MOBIKE Support (RFC 4555)
---------------------------------
Partial support for MOBIKE in IKEv2. The initiator acts on
network interface or IP address configuration changes and
updates IKE and IPsec SAs dynamically by sending a MOBIKE
UPDATE_SA_ADDRESSES notification to the peer. This avoids
having to renegotiate the IPsec tunnel connections.
Two examples can be found under the links:
http://www.strongswan.org/uml/testresults4/ikev2/mobike/
http://www.strongswan.org/uml/testresults4/ikev2/mobike-nat/
IKEv1 - Better support of DynDNS hosts
--------------------------------------
- The new IKEv1 right|leftallowany parameters help to handle
the case where both peers possess dynamic IP addresses that are
usually resolved using DynDNS or a similar service. The configuration

    right=peer.foo.bar
    rightallowany=yes

can be used by the initiator to start up a connection to a peer
by resolving peer.foo.bar into the currently allocated IP address.
Thanks to the rightallowany flag the connection behaves later on
as

    right=%any

so that the peer can rekey the connection as an initiator when his
IP address changes. An alternative notation is

    right=%peer.foo.bar

which will implicitly set rightallowany=yes. Three examples can be
found under the links
http://www.strongswan.org/uml/testresults4/ikev1/dynamic-initiator/
http://www.strongswan.org/uml/testresults4/ikev1/dynamic-responder/
http://www.strongswan.org/uml/testresults4/ikev1/dynamic-two-peers/
- ipsec starter now fails more gracefully in the presence of parsing
errors. Flawed ca and conn sections are discarded and pluto is started
if only non-fatal errors were encountered. If right=%peer.foo.bar
cannot be resolved by DNS then right=%any will be used so that passive
connections as a responder are still possible.
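
The three right= notations and the DNS fallback described above, modelled as an added Python example (not strongSwan code and not part of the announcement). The function names, the conn names and the addresses are constructed for illustration, and the parser reads only conn sections.

```python
import socket

# Constructed sample in ipsec.conf style; conn names and addresses are invented.
SAMPLE = """\
conn explicit
    right=peer.foo.bar
    rightallowany=yes
conn shorthand
    right=%peer.foo.bar      # implies rightallowany=yes
conn pinned
    right=192.0.2.7
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections in text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line opens a section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            cur = conns.setdefault(parts[1], {}) if is_conn else None
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def effective_peer(conn, side="right", resolve=socket.gethostbyname):
    """Return (address_to_initiate_to_or_None, accepts_peer_from_any_ip)."""
    value = conn[side]
    allowany = conn.get(side + "allowany", "no") == "yes"
    if value == "%any":
        return None, True
    shorthand = value.startswith("%")
    if shorthand:                                  # right=%host sets allowany implicitly
        value, allowany = value[1:], True
    try:
        return resolve(value), allowany
    except OSError:
        if shorthand:                              # unresolvable %host behaves as right=%any
            return None, True                      # responder-only, no address to dial
        raise

if __name__ == "__main__":
    table = {"peer.foo.bar": "198.51.100.9", "192.0.2.7": "192.0.2.7"}  # constructed
    for name, conn in parse_conns(SAMPLE).items():
        print(name, effective_peer(conn, resolve=table.__getitem__))
```

A True second value means the conn no longer restricts the peer by source address, so the peer's credentials and ID are what identify it.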
IKEv2 - Support of the NSS softoken
-----------------------------------
- The new pkcs11initargs parameter that can be placed in the
setup config section of /etc/ipsec.conf allows the definition
of an argument string that is used with the PKCS#11 C_Initialize()
function. This non-standard feature is required by the NSS softoken
library. This patch was contributed by Robert Varga.
The new release can be downloaded from
http://www.strongswan.org/
Best regards
Martin Willi & Andreas Steffen
P.S. Please contribute to our rapidly expanding wiki found at
http://wiki.strongswan.org
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==