[Announce] ANNOUNCE: strongswan-4.2.1 released
andreas.steffen at strongswan.org
Mon Apr 21 16:26:33 CEST 2008
Shortly after the major 4.2.0 release we are happy to announce the
follow-up version 4.2.1 which offers more than just a bunch of
- Support for "Hash and URL" encoded certificate payloads
has been implemented in the IKEv2 daemon charon. Using the
"certuribase" option of a CA section allows assigning a base URL
to all certificates issued by the specified CA. The final URL is
then built by concatenating that base and the hex encoded SHA1 hash
of the DER encoded certificate. Note that this feature is disabled
by default and must be enabled using the option "charon.hash_and_url".
For details see our sample scenario:
- The IKEv2 daemon charon now supports the "uniqueids" option to close
multiple IKE_SAs with the same peer. The option value "keep" prefers
an existing connection over a new one, whereas the value "replace",
which is equivalent to "yes", replaces an existing connection.
- The crypto factory in libstrongswan additionally supports random
number generators. Plugins may provide other sources of randomness.
The default plugin reads raw random data from /dev/(u)random.
- Extended the credential framework by a caching option that allows plugins
to cache fetched credentials persistently. The "cachecrl" option has
- The new trust chain verification introduced in 4.2.0 has been
parallelized. Threads fetching CRL or OCSP information no longer
block other threads.
- A new IKEv2 configuration attribute framework has been introduced
allowing plugins to provide virtual IP addresses, and in the future,
other configuration attribute services (e.g. DNS/WINS servers).
- The stroke plugin has been extended to provide virtual IP addresses
from a simple pool defined in ipsec.conf. The "rightsourceip"
parameter now accepts address pools in CIDR notation (e.g.
10.1.1.0/24). The parameter also accepts the value "%poolname", where
"poolname" identifies a pool provided by a separate plugin.
- Fixed compilation on uClibc and a couple of other minor bugs.
- Set DPD defaults in ipsec starter to dpd_delay=30s and
- The IKEv1 pluto daemon now supports the ESP encryption algorithm
CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the
authentication algorithm AES_XCBC_MAC.
For configuration examples see:
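The Hash and URL item above describes how charon derives a certificate's URL from the CA's "certuribase" and the SHA-1 of the DER certificate. The following is an added illustration, not code from strongSwan or from this announcement: it builds that URL, packs it into the "Hash and URL" Certificate Data form (20-octet SHA-1 hash followed by the URL, RFC 4306 section 3.6), and shows the receiving side's check that a fetched certificate actually matches the hash. The certuribase value and the DER bytes are constructed placeholders, and lowercase hex digits are assumed.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate; not a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("308201a230820107a003020102020101300d06092a864886f70d01010b0500")
# Hypothetical value of a CA section's "certuribase" option. The base and the
# hash are concatenated verbatim, so the base is written with its trailing slash.
CERTURIBASE = "http://crl.example.test/certs/"


def cert_url(certuribase: str, der: bytes) -> str:
    """URL of a certificate: certuribase followed by the hex SHA-1 of its DER
    encoding (lowercase hex is an assumption of this example)."""
    return certuribase + hashlib.sha1(der).hexdigest()


def encode_hash_and_url(certuribase: str, der: bytes) -> bytes:
    """Certificate Data of a CERT payload using the 'Hash and URL of X.509
    certificate' encoding: the 20-octet SHA-1 hash of the DER certificate
    followed by the URL from which the full certificate can be fetched."""
    return hashlib.sha1(der).digest() + cert_url(certuribase, der).encode("ascii")


def decode_hash_and_url(data: bytes):
    """Split received Certificate Data into (hash, url); reject truncated data."""
    if len(data) <= 20:
        raise ValueError("Hash and URL data too short: need 20-octet hash plus URL")
    return data[:20], data[20:].decode("ascii")


def accept_fetched_certificate(expected_hash: bytes, fetched_der: bytes) -> bool:
    """Receiver-side check: the DER fetched from the URL is only accepted if it
    matches the hash that arrived inside the authenticated IKE exchange, so a
    substituted or corrupted file at the URL is rejected."""
    return hmac.compare_digest(hashlib.sha1(fetched_der).digest(), expected_hash)


if __name__ == "__main__":
    data = encode_hash_and_url(CERTURIBASE, SAMPLE_DER)
    digest, url = decode_hash_and_url(data)
    print("certificate URL:", url)
    print("matching copy accepted:", accept_fetched_certificate(digest, SAMPLE_DER))
    print("tampered copy accepted:", accept_fetched_certificate(digest, SAMPLE_DER + b"\x00"))
```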
Martin Willi, IKEv2 Software Architect
Andreas Steffen, strongSwan Project Leader
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)