[Announce] ANNOUNCE: strongswan-4.3.6 released
Andreas Steffen
andreas.steffen at strongswan.org
Thu Feb 11 20:16:54 CET 2010
Hi,
after three months of heavy development we are happy to announce
the strongSwan 4.3.6 release available from
http://www.strongswan.org/download.htm
The following new features are supported:
* RFC 3779 IP address block constraints
-------------------------------------
The IKEv2 daemon supports RFC 3779 IP address block constraints
carried as a critical X.509v3 extension in the peer certificate.
See the following example scenarios:
http://www.strongswan.org/uml/testresults/ikev2/net2net-rfc3779/
http://www.strongswan.org/uml/testresults/ipv6/net2net-rfc3779-ikev2/
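As an added illustration of the feature (this is not configuration from the announcement or from the test scenarios linked above): a net-to-net setup in which the peer's certificate carries an RFC 3779 address block, so that charon only accepts traffic selectors for that peer that lie inside the block. The OpenSSL extension section, the host names, addresses and file names are assumptions made for the example.

```conf
# Added example, not part of the announcement. Hostnames, addresses and
# file names are assumptions.

# --- openssl.cnf: extension section the CA uses when issuing sun's
# certificate. The extension is marked critical, which is how the IKEv2
# daemon expects it. OpenSSL names the RFC 3779 extension
# "sbgp-ipAddrBlock". Per RFC 3779 the issuing CA certificate must itself
# carry the extension with a block that covers 10.2.0.0/16.
[ sun_ext ]
subjectAltName   = DNS:sun.strongswan.org
sbgp-ipAddrBlock = critical, IPv4:10.2.0.0/16

# --- /etc/ipsec.conf on moon. sun's certificate is validated as usual;
# in addition, the traffic selectors negotiated for sun's side must lie
# inside the 10.2.0.0/16 block from sun's certificate. A CHILD_SA whose
# selector for sun falls outside that block (say 10.3.0.0/16) is refused,
# even though the certificate signature and chain are fine.
conn net-net
    keyexchange=ikev2
    left=192.168.0.1
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftsubnet=10.1.0.0/16
    right=192.168.0.2
    rightid=@sun.strongswan.org
    rightsubnet=10.2.0.0/16
    auto=add
```

The point of the constraint is that a compromised or misissued peer certificate can no longer be used to pull traffic for arbitrary subnets into the tunnel: the CA, not the peer's ipsec.conf, bounds which addresses the peer may claim.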
* DNS and NBNS servers stored in SQL Database
-------------------------------------------
The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
server entries that are sent via the IKEv1 Mode Config or IKEv2
Configuration Payload to remote clients.
See the following example scenarios:
http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
* Camellia as IKEv1, IKEv2, and ESP encryption algorithm
------------------------------------------------------
IKEv1 now also supports Camellia encryption.
See the following example scenarios:
http://www.strongswan.org/uml/testresults/openssl-ikev1/alg-camellia/
http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-camellia/
* Support of Certificate path length constraints
----------------------------------------------
The IKEv1 and IKEv2 daemons now check certificate path length
constraints.
See the following example scenarios:
http://www.strongswan.org/uml/testresults/ikev1/multi-level-ca-pathlen/
http://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-pathlen/
* IKEv2 inactivity timeout
------------------------
The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
no traffic was sent or received within the given interval. To close
the complete IKE_SA if its only CHILD_SA was inactive, set the
global strongswan.conf option "charon.inactivity_close_ike" to yes.
See the following example scenario:
http://www.strongswan.org/uml/testresults/ikev2/inactivity-timeout/
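The two options together, as an added example that is not part of the announcement (the interval, names and addresses are assumptions):

```conf
# Added example, not part of the announcement; names, addresses and the
# chosen interval are assumptions.

# /etc/ipsec.conf: close the CHILD_SA after 10 minutes without traffic
# in either direction. Time values take the usual s/m/h/d suffixes.
conn rw
    keyexchange=ikev2
    left=192.168.0.1
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftsubnet=10.1.0.0/16
    right=%any
    inactivity=10m
    auto=add

# /etc/strongswan.conf: without this option only the inactive CHILD_SA is
# closed and the IKE_SA stays up. With it, the IKE_SA is deleted as well
# once its only CHILD_SA was closed for inactivity, so idle roadwarriors
# release their state on the gateway instead of holding it until the
# next rekey or DPD failure.
charon {
    inactivity_close_ike = yes
}
```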
* Support of SHA2 HMAC ESP data integrity algorithms
--------------------------------------------------
Added required userland changes for proper SHA256 and SHA384/512
in ESP that will be introduced with Linux 2.6.33. The "sha256"
/"sha2_256" keyword now configures the kernel with 128 bit truncation,
not the non-standard 96 bit truncation used by previous releases.
To use the old 96 bit truncation scheme, the new "sha256_96" proposal
keyword has been introduced.
See the following example scenarios:
http://www.strongswan.org/uml/testresults/ikev1/alg-sha256-96/
http://www.strongswan.org/uml/testresults/ikev1/alg-sha256/
http://www.strongswan.org/uml/testresults/ikev1/alg-sha384/
http://www.strongswan.org/uml/testresults/ikev1/alg-sha512/
http://www.strongswan.org/uml/testresults/ikev2/alg-sha256-96/
http://www.strongswan.org/uml/testresults/ikev2/alg-sha256/
http://www.strongswan.org/uml/testresults/ikev2/alg-sha384/
http://www.strongswan.org/uml/testresults/ikev2/alg-sha512/
If you want to use the SHA2 HMAC with older Linux 2.6 kernels
please apply the following kernel patch:
http://download.strongswan.org/uml/sha2.patch.bz2
* Fixed IPComp in ESP tunnel mode (IKEv2 daemon only)
---------------------------------------------------
Fixed IPComp in tunnel mode, stripping out the duplicated
outer header. This change makes IPComp tunnel mode connections
incompatible with previous releases; disable compression on tunnels
to peers still running an older release.
* Fixed BEET mode
---------------
Fixed BEET mode connections on recent kernels by installing SAs with
appropriate traffic selectors, based on a patch by Michael Rossberg.
* Use of strongSwan IKEv2 Vendor ID
---------------------------------
Using extensions (such as BEET mode) and crypto algorithms (such as
twofish, serpent, sha256_96) allocated in the private use space now
requires that the peer knows their meaning, i.e. that we are talking
to strongSwan. Use the new "charon.send_vendor_id" option in
strongswan.conf to let the remote peer know this is the case.
The same strongSwan Vendor ID hash is now also used by the IKEv1
pluto daemon.
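The Camellia, SHA2 truncation and vendor ID items above fit together in one configuration, shown here as an added example that is not part of the announcement or of the linked test scenarios. Addresses, names and file names are assumptions; the proposal keywords are the ones named in the release notes, and Camellia requires a plugin providing it (the linked scenarios use the openssl plugin).

```conf
# Added example, not part of the announcement. Addresses, names and file
# names are assumptions; the proposal keywords are those from the notes.

# /etc/ipsec.conf
conn net-net
    keyexchange=ikev2
    left=192.168.0.1
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftsubnet=10.1.0.0/16
    right=192.168.0.2
    rightid=@sun.strongswan.org
    rightsubnet=10.2.0.0/16
    # IKE_SA: Camellia-128, HMAC-SHA-256 integrity and PRF, 2048-bit DH.
    # The trailing "!" makes the proposal strict (no fallback).
    ike=camellia128-sha256-modp2048!
    # ESP: as of 4.3.6 "sha256" (or "sha2_256") means the standard
    # 128-bit truncated ICV. The same keyword in 4.3.5 and earlier
    # configured the non-standard 96-bit truncation, so a 4.3.6 peer
    # and an older peer both saying "sha256" will fail ICV checks.
    esp=camellia128-sha256!
    # For a peer still on the pre-4.3.6 96-bit truncation, use the
    # private-use keyword instead; it needs the vendor ID below, since
    # charon only negotiates private-use identifiers with a peer that
    # has identified itself as strongSwan.
    #esp=camellia128-sha256_96!
    auto=add

# /etc/strongswan.conf: announce the strongSwan vendor ID so the peer
# knows private-use proposals (sha256_96, twofish, serpent, BEET mode)
# carry strongSwan's meaning. Both peers need this for such proposals
# to be used.
charon {
    send_vendor_id = yes
}
```

When migrating a pre-4.3.6 deployment, upgrade both ends before relying on the plain "sha256" keyword, or switch the not-yet-upgraded side's peer to "sha256_96" with the vendor ID enabled on both sides for the interim.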
* Support of EAP_ONLY authentication
----------------------------------
Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
responder omits public key authentication in favor of a mutual
authentication method. To enable EAP-only authentication, set
rightauth=eap on the responder to rely only on the MSK constructed
AUTH payload. This not-yet standardized extension requires the
strongSwan vendor ID introduced above.
See the following example scenario:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-only-radius/
* IKEv1 interoperability with Juniper SRX
---------------------------------------
The IKEv1 daemon ignores the Juniper SRX notification type 40001,
thus allowing interoperability.
* IKEv2 charon daemon ported to Android platform
----------------------------------------------
strongSwan team member Tobias Brunner ported the IKEv2 charon daemon
to the Android 1.6 platform. Details on the cross-compilation will
follow.
Enjoy the new release!
Andreas Steffen, Martin Willi, Tobias Brunner
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==