[Announce] ANNOUNCE: strongswan-4.3.5 released
Andreas Steffen
andreas.steffen at strongswan.org
Mon Nov 2 13:32:08 CET 2009
Hi,
we are happy to announce strongswan-4.3.5, the first stable version
released according to our new 3 month development cycle, consisting
of several developer releases (dr) announced on the developer
mailing list only and followed by a release candidate (rc) announced
on the developer and users lists two weeks before the final release.
I was surprised how many new features went into the latest release
as you can readily see from the huge list added below. We also fixed
a couple of minor but rather nasty bugs so that I personally think
that 4.3.5 will be a very good and stable version.
- IKEv1 pluto daemon supports SQL-based virtual IP address pools
--------------------------------------------------------------
The IKEv1 pluto daemon can now use SQL-based address pools to deal out
virtual IP addresses as a Mode Config server. The pool capability has
been migrated from charon's sql plugin to a new attr-sql plugin which
is loaded by libstrongswan and which can be used by both daemons
either with a SQLite or MySQL database and the corresponding plugin.
Examples for the Mode Config Pull and Push modes can be found here:
http://www.strongswan.org/uml/testresults43/ikev1/ip-pool-db/
http://www.strongswan.org/uml/testresults43/ikev1/ip-pool-db-push/
- Simple key and certificate generation using the ipsec pki command
-----------------------------------------------------------------
The new 'ipsec pki' tool provides a set of commands to maintain a
public key infrastructure. It currently supports operations to create
RSA and ECDSA private/public keys, calculate fingerprints and issue or
verify certificates. A HOWTO can be found on our wiki:
http://wiki.strongswan.org/wiki/strongswan/IpsecPKI
- Volume-based IPsec SA rekeying (IKEv2 only)
-------------------------------------------
In addition to time-based rekeying, charon supports IPsec SA lifetimes
based on processed volume or number of packets. The new ipsec.conf
parameters 'lifetime' (an alias to 'keylife'), 'lifebytes' and
'lifepackets' handle SA timeouts, while the parameters 'margintime'
(an alias to rekeymargin), 'marginbytes' and 'marginpackets' trigger
the rekeying before an SA expires. The existing parameter 'rekeyfuzz'
affects all margins.
- Modularisation of IKEv2 EAP-AKA plugin
--------------------------------------
The EAP-AKA plugin can use different backends for USIM/quintuplet
calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
software implementation has been migrated to a separate plugin.
- PGP support in IKEv2 charon daemon
----------------------------------
The IKEv2 daemon charon gained basic PGP support. It can use locally
installed peer certificates and can issue signatures based on
PGP RSA private keys.
- Default CA certificates for strongSwan NetworkManager plugin
------------------------------------------------------------
If no CA/Gateway certificate is specified in the NetworkManager
plugin, charon uses a set of trusted root certificates preinstalled
by distributions. The directory containing CA certificates can be
specified using the --with-nm-ca-dir=path configure option.
- Modularisation of private/public key parsing and encoding
---------------------------------------------------------
The private/public key parsing and encoding has been split up into
separate pkcs1, pgp, pem and dnskey libstrongswan plugins. The
public key implementation plugins gmp, gcrypt and openssl can all
make use of them. The existing pubkey plugin is needed for raw
public keys only.
- IKEv1 fixes
-----------
Fixed smartcard-based authentication in the pluto daemon which was
broken by the ECDSA support introduced with the 4.3.2 release.
Fixed the broken parsing of PKCS#7 wrapped certificates by the
pluto daemon.
A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and IPv4
in IPv6 tunnels established with the IKEv1 pluto daemon.
The pluto daemon now uses the libstrongswan x509 plugin for
the parsing of X.509 certificates and CRLs.
- IKEv2 fixes
-----------
Fixed the encoding of the Email relative distinguished name in
left|rightid statements.
Charon uses a monotonic time source for statistics and job queueing,
behaving correctly if the system time changes (e.g. when using NTP).
Plugin names have been streamlined: EAP plugins now have a dash after
eap (e.g. eap-sim), as it is used with the --enable-eap-sim
./configure option. Plugin configuration sections in strongswan.conf
now use the same name as the plugin itself (i.e. with a dash). Make
sure to update "load" directives and the affected plugin sections in
existing strongswan.conf files.
Best regards
Martin Willi                    Andreas Steffen
IKEv2 Software Architect        strongSwan Project Leader
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
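Added example, not part of the original announcement and not strongSwan's own code: a sketch of the rekey windows that the 'lifetime', 'lifebytes' and 'lifepackets' parameters described under "Volume-based IPsec SA rekeying" produce. It assumes each margin is randomly increased by up to rekeyfuzz percent, as the ipsec.conf manual describes for rekeymargin; the conn section and the function names are constructed for illustration.

```python
# Added example. Assumption: each margin grows by random(0, margin * rekeyfuzz),
# as the ipsec.conf manual describes for rekeymargin.
SAMPLE_CONN = """
conn volume-rekey    # constructed sample, not from the announcement
    lifetime=1h
    margintime=9m
    lifebytes=500000000
    marginbytes=50000000
    lifepackets=1000000
    marginpackets=100000
    rekeyfuzz=100%
"""
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
PAIRS = (("lifetime", "margintime"), ("lifebytes", "marginbytes"),
         ("lifepackets", "marginpackets"))

def parse_conn(text):
    """Return the key=value options of a conn section as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def to_number(value):
    """Convert '1h', '9m', '100%' or a plain integer to an int."""
    if value[-1] in TIME_UNITS:
        return int(value[:-1]) * TIME_UNITS[value[-1]]
    return int(value.rstrip("%"))

def rekey_windows(opts):
    """Map each limit to (earliest rekey, latest rekey, hard expiry)."""
    fuzz = to_number(opts.get("rekeyfuzz", "100%"))
    windows = {}
    for life, margin in PAIRS:
        if life in opts and margin in opts:
            limit, m = to_number(opts[life]), to_number(opts[margin])
            earliest = limit - (m + m * fuzz // 100)
            if earliest <= 0:
                raise ValueError(f"{margin} plus rekeyfuzz exceeds {life}")
            windows[life] = (earliest, limit - m, limit)
    return windows

if __name__ == "__main__":
    for name, w in rekey_windows(parse_conn(SAMPLE_CONN)).items():
        print(f"{name}: rekey between {w[0]} and {w[1]}, expiry at {w[2]}")
```

A margin that, once fuzzed, can exceed its limit is reported as an error, since the SA could then be due for rekeying from the moment it is installed.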