[Announce] ANNOUNCE: strongswan-4.4.1 released

Andreas Steffen andreas.steffen at strongswan.org
Mon Aug 2 16:14:51 CEST 2010


We are happy to announce the strongSwan 4.4.1 release, which
offers a couple of new features and fixes a major potential
vulnerability that was introduced with strongSwan 4.3.3:

- Support of XFRM marks

   The Linux 2.6.34 kernel introduced XFRM marks in IPsec SAs and
   IPsec policies. We discovered two bugs, though, which are fixed
   by the following kernel patch


   This patch will be integrated into the forthcoming 2.6.35 kernel.

   XFRM marks can be used e.g. to differentiate between traffic coming
   from identical subnets hidden behind multiple roadwarriors using the
   Linux Netfilter mangle and nat chains. Details can be found in
   the following example scenarios:



   Another exotic case involves identical subnets behind the two peers
   of an IPsec connection where the MARK and NETMAP Netfilter targets
   are used to map the identical subnets to unique networks as shown
   in the following example:


   This example does all the Netfilter operations in a special updown


   As you can see, the new environment variables PLUTO_MARK_IN,
   PLUTO_MARK_OUT and PLUTO_ESP_ENC are available in the updown scripts.
   Inbound and outbound marks are set by the new mark_in=, mark_out=, and
   mark= (same mark for inbound and outbound direction) ipsec.conf

- openssl plugin supports X.509 certificate and CRL functions

   Thus for X.509 trust chain verification and CRL lookup the x509
   plugin is not required any more if the openssl plugin is loaded
   instead. The use of the Online Certificate Status Protocol (OCSP)
   still requires the x509 plugin, though. X.509 attribute certificate
   handling relies on the x509 plugin as well.

- CRL and/or OCSP checking in IKEv2 moved to revocation plugin

   The revocation plugin is built and loaded by default. Please
   update any explicit load directives in strongswan.conf.

- RFC3779 ipAddrBlock constraint checking moved to addrblock plugin

   This rather exotic feature is disabled by default and is enabled
   by the --enable-addrblock configure option. Please update any
   explicit load directives in strongswan.conf.

- Issue warning if explicit load lists are used

   Since the number of pluto and charon plugins is increasing
   steadily with each release and explicit load lists might become
   obsolete, ipsec starter now issues a warning if explicit load
   lists are found in strongswan.conf, since we don't recommend
   their use for inexperienced users. Experts please read the
   following wiki entry:


- Extension of the ipsec pki utility

   ipsec pki --signcrl allows the generation and update of CRLs.
   For details see the following wiki entry:


   The ipsec pki --self, --issue and --req commands now support output
   in PEM format using the --outform pem option.

- Support of arbitrary IKEv1 Mode Config attributes

   A major refactoring of the IKEv1 Mode Config source code now
   allows the transport and handling of any Mode Config attribute.

   The ipsec pool tool manages arbitrary configuration attributes
   stored in an SQL database. ipsec pool --help gives the details.

- Multiple RADIUS servers supported by eap-radius plugin

   The RADIUS proxy plugin eap-radius now supports multiple servers.
   Configured servers are chosen randomly, with the option to prefer
   a specific server. Non-responding servers are automatically assigned
   lower priorities by the selection process. Configuration details
   can be found under


- eap-simaka-sql plugin

   The new eap-simaka-sql acts as a backend for EAP-SIM and EAP-AKA,
   reading triplets/quintuplets from an SQL database.

- High Availability (HA) extensions

   The High Availability plugin now supports an HA-enabled in-memory
   address pool and node re-integration without IKE_SA rekeying.
   The latter feature allows clients without IKE_SA rekeying support
   to stay connected during re-integration. Additionally, many other
   issues have been fixed in the ha plugin.

- snprintf vulnerability

   A potential remote code execution vulnerability resulting from
   the misuse of snprintf() was fixed. The vulnerability was
   introduced with the strongswan-4.3.3 release and is exploitable
   by unauthenticated users. Patches for all releases starting with
   4.3.3 are available under the following link:


   Also a new 4.3.7 release has been made available for 4.3.x users
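   The announcement does not say which snprintf() misuse was involved,
   so the following is an added illustration, not strongSwan code, of
   the most common pattern: treating the return value of snprintf() as
   the number of bytes written while accumulating an offset into a
   fixed-size buffer. snprintf() returns the length the complete output
   would have had, so as soon as one piece is truncated the offset runs
   past the buffer, and the next call (or any direct write through that
   offset) lands out of bounds. The checked variant beside it detects
   truncation and keeps the offset inside the buffer. Buffer sizes and
   inputs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Classic misuse: each snprintf() return value is added to the write offset.
 * snprintf() returns the length the full output WOULD have had, not the number
 * of bytes it stored, so once a piece is truncated the offset overshoots the
 * buffer. With exactly two pieces the second call is still bounded correctly
 * (size - off is computed before off overshoots), which keeps this demo free
 * of out-of-bounds writes; a third piece, or a caller doing buf[off] = '\0',
 * would write past the end: size - off underflows to a huge size_t and
 * buf + off points outside the buffer. */
size_t build_naive(char *buf, size_t size, const char *a, const char *b)
{
    size_t off = 0;
    off += (size_t)snprintf(buf + off, size - off, "%s", a);
    off += (size_t)snprintf(buf + off, size - off, "%s", b);
    return off;              /* can exceed size: that is the bug */
}

/* Hardened append: detects truncation and never lets *off leave [0, size-1].
 * Returns false if the piece did not fit (output is truncated but still
 * NUL-terminated and *off remains a valid index), so callers can fail closed
 * instead of carrying on with a bogus offset. */
bool append_checked(char *buf, size_t size, size_t *off, const char *s)
{
    if (size == 0 || *off >= size)
        return false;
    int n = snprintf(buf + *off, size - *off, "%s", s);
    if (n < 0)
        return false;        /* encoding error: treat as failure */
    if ((size_t)n >= size - *off) {
        *off = size - 1;     /* truncated; buf[size-1] holds the NUL */
        return false;
    }
    *off += (size_t)n;
    return true;
}

/* Same two-piece build as build_naive(), using append_checked(). *truncated
 * is set if either piece did not fit; the returned offset is always < size. */
size_t build_safe(char *buf, size_t size, const char *a, const char *b,
                  bool *truncated)
{
    size_t off = 0;
    bool ok = append_checked(buf, size, &off, a);
    ok = append_checked(buf, size, &off, b) && ok;
    *truncated = !ok;
    return off;
}

int main(void)
{
    char naive[16], safe[16];
    bool trunc;
    /* constructed input: 20 bytes of payload into a 16-byte buffer */
    size_t n = build_naive(naive, sizeof naive, "0123456789", "abcdefghij");
    size_t s = build_safe(safe, sizeof safe, "0123456789", "abcdefghij", &trunc);
    printf("naive offset %zu for a %zu-byte buffer (content \"%s\")\n",
           n, sizeof naive, naive);
    printf("checked offset %zu, truncated=%d (content \"%s\")\n",
           s, (int)trunc, safe);
    return 0;
}
```

   The naive build reports an offset of 20 for a 16-byte buffer; anything
   that trusts that offset afterwards is a write past the end. The
   checked build stops at 15, reports the truncation, and leaves a
   terminated string, which is the behaviour a fix for this class of bug
   needs to guarantee.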


Best regards from the strongSwan team

Andreas Steffen, Tobias Brunner & Martin Willi

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
