[Announce] ANNOUNCE: strongswan-4.1.0 released

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 28 09:29:26 CEST 2007


With this announcement the strongSwan project officially switches
its default distribution from the 2.8 IKEv1 only branch to the
new joint IKEv1/IKEv2 4.1 branch. The 2.8 branch will be maintained
until the end of 2007 (bug fixes and some back-ports from the 4.1

What's new in the 4.1 branch? First of all the well-known GNU
autotools are now used to build the executables:

   ./configure --prefix=/usr --sysconfdir=/etc

followed by

   make; make install

builds a minimal strongSwan version. Additional features can be
activated with the options

   --enable-http   # uses libcurl for http-based crl fetching and OCSP

   --enable-ldap   # uses openldap for ldap-based crl fetching

   --enable-smartcard  # allows you to load a PKCS#11 library

By default both the IKEv1 daemon pluto and the IKEv2 daemon charon
are started by the command "ipsec start". If you want to use IKEv1
only for the time being, you can disable IKEv2 by adding the line

   config setup

in ipsec.conf. In the same way if you are interested in IKEv2 only
you can set

   config setup

The 4.1.0 release also contains all our results from the third IKEv2
Interoperability Workshop that took place from March 5-9 in Orlando,
Florida where we were able to test against Certicom, CheckPoint,
Cisco, Furukawa, Ixia, Juniper, Lucent, Nokia, SafeNet, Secure
Computing, and SonicWall. Read also the press release by ICSAlabs


And here is a list of new features that were added since the
4.0.7 release:

IKEv1 features

- Support of SHA2_384 hash function for protecting IKEv1
   negotiations and support of SHA2 signatures in X.509 certificates.

- Fixed a serious bug in the computation of the SHA2-512 HMAC
   function that we inherited from SuperFreeS/WAN. As a consequence
   we introduced automatic self-tests of all IKEv1 hash and HMAC
   functions during pluto startup. Failure of a self-test
   currently issues a warning only but does not exit pluto [yet].

IKEv2 features

- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.

- Full support of CA information sections. ipsec listcainfos
   now shows all collected crlDistributionPoints and OCSP

- Support of the Online Certificate Status Protocol (OCSP) for IKEv2.
   This feature requires the HTTP fetching capabilities of the libcurl
   library which must be enabled by setting the --enable-http configure

- Refactored core of the IKEv2 message processing code, allowing better
   code reuse and separation.

- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
   payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
   by the requestor and installed in a resolv.conf file.

- The IKEv2 daemon charon installs a route for each IPsec policy to use
   the correct source address even if an application does not explicitly
   specify it.

- Integrated the EAP framework into charon which loads pluggable
   EAP library modules. The ipsec.conf parameter authby=eap initiates
   EAP authentication on the client side, while the "eap" parameter on
   the server side defines the EAP method to use for client
   authentication. A generic client side EAP-Identity module and an
   EAP-SIM authentication module using a third party card reader
   implementation are included.

- Added client side support for cookies.

- Integrated the fixes done at the IKEv2 interoperability bakeoff,
   including strict payload order, correct INVALID_KE_PAYLOAD rejection
   and other minor fixes to enhance interoperability with other

As always the latest strongSwan distribution can be downloaded from


Enjoy our new distribution!

Martin Willi          Andreas Steffen
IKEv2 Architect       strongSwan Project Leader

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org 

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
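
The startup self-tests of the hash and HMAC functions mentioned under "IKEv1 features", sketched as a known-answer test. This is an added example, not part of the original announcement and not pluto's code. The vectors are RFC 4231 test case 2; the function names, the `strict` switch and the injected wrong block size are assumptions made for illustration and are not claimed to be the bug the announcement refers to.

```python
import hashlib

# RFC 4231 test case 2: key "Jefe", data "what do ya want for nothing?"
KEY, DATA = b"Jefe", b"what do ya want for nothing?"
VECTORS = {
    "sha256": "5bdcc146bf60754e6a042426089575c7"
              "5a003f089d2739839dec58b964ec3843",
    "sha384": "af45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47"
              "e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649",
    "sha512": "164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea250554"
              "9758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737",
}

def hmac_raw(name, key, msg, block_size=None):
    """HMAC per RFC 2104 on top of hashlib. block_size can be overridden
    to simulate a faulty implementation (hypothetical fault injection)."""
    digest = lambda d: hashlib.new(name, d).digest()
    # Correct block size: 64 bytes for SHA-256, 128 for SHA-384/512.
    size = block_size or hashlib.new(name).block_size
    if len(key) > size:
        key = digest(key)
    key = key.ljust(size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return digest(opad + digest(ipad + msg))

def self_test(block_sizes=None):
    """Run the known-answer test for every hash; return {name: passed}."""
    block_sizes = block_sizes or {}
    return {name: hmac_raw(name, KEY, DATA, block_sizes.get(name)).hex() == want
            for name, want in VECTORS.items()}

def startup(block_sizes=None, strict=False):
    """Warn on self-test failure; with strict=True refuse to start instead."""
    failed = sorted(n for n, ok in self_test(block_sizes).items() if not ok)
    for name in failed:
        print(f"WARNING: HMAC self-test failed for {name}")
    if failed and strict:
        raise SystemExit("refusing to start: crypto self-test failed")
    return failed

if __name__ == "__main__":
    startup()                 # correct implementation: no warnings
    startup({"sha512": 64})   # injected fault: warns about sha512 only
```

With `strict=False` a failing HMAC only produces a warning, which matches the behaviour the announcement describes for 4.1.0; `strict=True` shows the fail-closed alternative.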
