[Announce] ANNOUNCE: strongswan-4.1.0 released
andreas.steffen at strongswan.org
Wed Mar 28 09:29:26 CEST 2007
With this announcement the strongSwan project officially switches
its default distribution from the 2.8 IKEv1 only branch to the
new joint IKEv1/IKEv2 4.1 branch. The 2.8 branch will be maintained
until the end of 2007 (bug fixes and some back-ports from the 4.1
What's new in the 4.1 branch? First of all the well-known GNU
autotools are now used to build the executables:
    ./configure --prefix=/usr --sysconfdir=/etc
    make; make install
builds a minimal strongSwan version. Additional features can be
activated with the options
    --enable-http       # uses libcurl for http-based crl fetching and OCSP
    --enable-ldap       # uses openldap for ldap-based crl fetching
    --enable-smartcard  # allows you to load a PKCS#11 library
By default both the IKEv1 daemon pluto and the IKEv2 daemon charon
are started by the command "ipsec start". If you want to use IKEv1
only for the time being, you can disable IKEv2 by adding the line
in ipsec.conf. In the same way if you are interested in IKEv2 only
you can set
The 4.1.0 release also contains all our results from the third IKEv2
Interoperability Workshop that took place from March 5-9 in Orlando,
Florida where we were able to test against Certicom, CheckPoint,
Cisco, Furukawa, Ixia, Juniper, Lucent, Nokia, SafeNet, Secure
Computing, and SonicWall. Read also the press release by ICSAlabs
And here is a list of new features that were added since the
- Support of SHA2_384 hash function for protecting IKEv1
negotiations and support of SHA2 signatures in X.509 certificates.
- Fixed a serious bug in the computation of the SHA2-512 HMAC
function that we inherited from SuperFreeS/WAN. As a consequence
we introduced automatic self-tests of all IKEv1 hash and hmac
functions during pluto startup. Failure of a self-test
currently issues a warning only but does not exit pluto [yet].
- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
- Full support of CA information sections. ipsec listcainfos
now shows all collected crlDistributionPoints and OCSP
- Support of the Online Certificate Status Protocol (OCSP) for IKEv2.
This feature requires the HTTP fetching capabilities of the libcurl
library which must be enabled by setting the --enable-http configure
- Refactored core of the IKEv2 message processing code, allowing better
code reuse and separation.
- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
by the requestor and installed in a resolv.conf file.
- The IKEv2 daemon charon installs a route for each IPsec policy to use
the correct source address even if an application does not explicitly
- Integrated the EAP framework into charon which loads pluggable
EAP library modules. The ipsec.conf parameter authby=eap initiates
EAP authentication on the client side, while the "eap" parameter on
the server side defines the EAP method to use for client
authentication. A generic client side EAP-Identity module and an
EAP-SIM authentication module using a third party card reader
implementation are included.
- Added client side support for cookies.
- Integrated the fixes done at the IKEv2 interoperability bakeoff,
including strict payload order, correct INVALID_KE_PAYLOAD rejection
and other minor fixes to enhance interoperability with other
As always the latest strongSwan distribution can be downloaded from
Enjoy our new distribution!
Martin Willi        Andreas Steffen
IKEv2 Architect     strongSwan Project Leader
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
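
Added example, not part of the original announcement and not strongSwan code: a known-answer self-test of the kind the announcement describes for hash and HMAC functions at startup, using RFC 4231 test case 1. The function names and the deliberately broken variant are constructed for illustration (the announcement does not say what the actual SHA2-512 HMAC bug was), and unlike pluto 4.1.0, which only warns, this sketch refuses to start on failure.

```python
import hashlib
import hmac

# RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
KEY, DATA = b"\x0b" * 20, b"Hi There"
KNOWN_ANSWERS = {
    "sha256": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    "sha384": "afd03944d84895626b0825f4ab46907f15f9dadbe4101ec6"
              "82aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6",
    "sha512": "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
              "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854",
}

def hmac_rfc2104(name, key, data, block_size=None):
    """HMAC built from the bare hash, standing in for an implementation under test."""
    def h(buf):
        return hashlib.new(name, buf).digest()
    # Correct block size: 64 bytes for SHA-256, 128 bytes for SHA-384/512.
    bs = block_size or hashlib.new(name).block_size
    if len(key) > bs:
        key = h(key)
    key = key.ljust(bs, b"\x00")
    inner = h(bytes(k ^ 0x36 for k in key) + data)
    return h(bytes(k ^ 0x5C for k in key) + inner)

def broken_hmac(name, key, data):
    """Constructed defect: every hash is treated as having a 64-byte block."""
    return hmac_rfc2104(name, key, data, block_size=64)

def self_test(mac_fn):
    """Return the algorithms whose output does not match the known answer."""
    failed = []
    for name, expected in KNOWN_ANSWERS.items():
        got = mac_fn(name, KEY, DATA)
        if not hmac.compare_digest(got, bytes.fromhex(expected)):
            failed.append(name)
    return failed

def startup(mac_fn):
    """Fail closed: refuse to start when any self-test fails."""
    failed = self_test(mac_fn)
    if failed:
        raise SystemExit("HMAC self-test failed: " + ", ".join(failed))
    return True

if __name__ == "__main__":
    print("correct implementation, failures:", self_test(hmac_rfc2104))
    print("broken implementation, failures: ", self_test(broken_hmac))
```

The broken variant still passes for SHA-256, whose block really is 64 bytes, which is why a self-test has to cover every algorithm and not just one.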