[Announce] ANNOUNCE: strongswan-4.2.1 released

Andreas Steffen andreas.steffen at strongswan.org
Mon Apr 21 16:26:33 CEST 2008

Shortly after the major 4.2.0 release we are happy to announce the
follow-up version 4.2.1, which offers more than just a bunch of
bug fixes:

- Support for "Hash and URL" encoded certificate payloads
   has been implemented in the IKEv2 daemon charon. The
   "certuribase" option of a CA section assigns a base URL
   to all certificates issued by the specified CA. The final URL is
   then built by concatenating that base and the hex encoded SHA1 hash
   of the DER encoded certificate. Note that this feature is disabled
   by default and must be enabled using the option "charon.hash_and_url".
   For details see our sample scenario:


- The IKEv2 daemon charon now supports the "uniqueids" option to close
   multiple IKE_SAs with the same peer. The option value "keep" prefers
   an existing connection over a new one, whereas the value "replace",
   which is equivalent to "yes", replaces an existing connection with
   the new one.

- The crypto factory in libstrongswan additionally supports random
   number generators. Plugins may provide other sources of randomness.
   The default plugin reads raw random data from /dev/(u)random.

- The credential framework has been extended with a caching option that
   allows plugins to cache fetched credentials persistently. The "cachecrl"
   option has been re-implemented.

- The new trust chain verification introduced in 4.2.0 has been
   parallelized. Threads fetching CRL or OCSP information no longer
   block other threads.

- A new IKEv2 configuration attribute framework has been introduced
   allowing plugins to provide virtual IP addresses, and in the future,
   other configuration attribute services (e.g. DNS/WINS servers).

- The stroke plugin has been extended to provide virtual IP addresses
   from a simple pool defined in ipsec.conf. The "rightsourceip"
   parameter now accepts address pools in CIDR notation (e.g. The parameter also accepts the value "%poolname", where
   "poolname" identifies a pool provided by a separate plugin.

- Fixed compilation on uClibc and a couple of other minor bugs.

- Set DPD defaults in ipsec starter to dpd_delay=30s and

- The IKEv1 pluto daemon now supports the ESP encryption algorithm
   CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the
   authentication algorithm AES_XCBC_MAC.
   For configuration examples see:


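The "Hash and URL" construction from the first item above, as an added Python example that is not part of this announcement or of the strongSwan code base: it derives the URL exactly as described (certuribase + hex SHA1 of the DER certificate) and shows the check a receiving peer must do on the downloaded bytes. The sample PEM is constructed (it wraps the bytes "abc", not a real certificate) and the host name is made up.

```python
import base64
import hashlib
import hmac

# Constructed sample: a PEM wrapper around the bytes b"abc", NOT a real
# certificate. Any real PEM certificate can be substituted.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to DER bytes."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def cert_hash(der: bytes) -> str:
    """Hex-encoded SHA1 of the DER-encoded certificate, as charon uses it."""
    return hashlib.sha1(der).hexdigest()


def hash_and_url(certuribase: str, der: bytes) -> str:
    """Final URL = certuribase + hex(SHA1(DER certificate))."""
    return certuribase + cert_hash(der)


def verify_fetched(fetched_der: bytes, expected_hex: str) -> bool:
    """A peer that downloads the certificate from the URL must confirm that
    the fetched bytes hash to the value it was given before using them;
    otherwise whatever the URL serves would be trusted blindly."""
    return hmac.compare_digest(cert_hash(fetched_der), expected_hex.lower())


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    url = hash_and_url("https://pki.example.org/certs/", der)  # made-up host
    print(url)
    # Simulate the receiving side: hash of the downloaded bytes must match.
    print(verify_fetched(der, url.rsplit("/", 1)[1]))
```
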
Best regards

Martin Willi                Andreas Steffen
IKEv2 Software Architect    strongSwan Project Leader

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
