[Announce] ANNOUNCE: strongswan-4.2.9 released

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 20 02:43:41 CET 2008


We are happy to announce the release of strongswan-4.2.9, which
offers the following new features:

- Flexible configuration of logging subsystem

  Allows logging to multiple syslog facilities or to files, using
  fine-grained log levels for each target.


- Load testing plugin

  Allows stress testing of the IKEv2 daemon against itself
  or another host.


- Improved performance on multi-core platforms

  Added profiling code to synchronization primitives to find bottlenecks
  when running on multiple cores (--enable-lock-profiler).

  Found and fixed issues during tests in the multi-threaded use of the
  OpenSSL plugin.

  Found and fixed an issue where parts of the Diffie-Hellman calculation
  acquired an exclusive lock. This greatly improves parallelization to
  multiple cores.

- Separate updown plugin

  The updown script invocation has been separated into a plugin of
  its own to further slim down the daemon core (--disable-updown).

- Encapsulated key derivation

  Separated IKE_SA/CHILD_SA key derivation process into a closed system,
  allowing future implementations to use a secured environment in e.g.
  kernel memory or hardware.

- Modularized IPsec kernel interface

  The kernel interface of charon has been modularized. XFRM NETLINK
  (the default) and PFKEY (--enable-kernel-pfkey) interface plugins for
  the native IPsec stack of the Linux 2.6 kernel as well as a PFKEY
  interface for the KLIPS IPsec stack (--enable-kernel-klips) are

- Mobile IPv6 support

  Basic Mobile IPv6 support has been introduced, securing Binding Update
  messages as well as tunneled traffic between Mobile Node and Home
  Agent. The installpolicy=no option allows peaceful cooperation with
  a dominant mip6d daemon and the new type=transport_proxy implements
  the special MIPv6 IPsec transport proxy mode where the IKEv2 daemon
  uses the Care-of-Address but the IPsec SA is set up for the Home


  Fully supports migration of Mobile IPv6 connections making use of the
  KMADDRESS field contained in XFRM_MSG_MIGRATE messages sent by the
  mip6d daemon via the Linux 2.6.28 (or appropriately patched) kernel.

As always any feedback on the new features is welcome!

Martin Willi               Andreas Steffen
IKEv2 Software Architect   strongSwan Project Leader

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
