[Announce] ANNOUNCE: strongswan-4.3.6 released

Andreas Steffen andreas.steffen at strongswan.org
Thu Feb 11 20:16:54 CET 2010


After three months of heavy development we are happy to announce
the strongSwan 4.3.6 release available from


The following new features are supported:

* RFC 3779 IP address block constraints

  The IKEv2 daemon supports RFC 3779 IP address block constraints
  carried as a critical X.509v3 extension in the peer certificate.

  See the following example scenarios:



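  As an added illustration (not strongSwan code), the Python below decodes an
  IPAddrBlocks extension value as RFC 3779 section 2.2.3 defines it and checks
  whether a peer address falls inside the constraint, including the "inherit"
  choice that defers to the issuer's blocks; the DER sample is constructed here.

```python
import ipaddress
# Constructed sample, not from a real certificate: IPv4 prefix 172.16.0.0/12,
# IPv4 range 192.168.1.0-192.168.2.255 (trailing bits stripped), IPv6 "inherit".
SAMPLE = bytes.fromhex("3023" "3019" "04020001" "3013" "030304ac10" "300c"
                       "030400c0a801" "030400c0a802" "3006" "04020002" "0500")

def der_tlv(buf, pos=0):
    """One DER TLV (definite length only) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_items(buf):
    """Content octets of a SEQUENCE -> list of (tag, value) members."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        items.append((tag, val))
    return items
def decode_ip(bitstr, width):
    """IPAddress BIT STRING -> (int with the stripped low bits zero, bits present)."""
    unused, data = bitstr[0], bitstr[1:]
    return int.from_bytes(data, "big") << (width - len(data) * 8), len(data) * 8 - unused
def ip_range(tag, val, width):
    """IPAddressOrRange -> (lo, hi); bits stripped from a prefix end or a range max are ones."""
    def fill(v, nbits): return v | ((1 << (width - nbits)) - 1)
    if tag == 0x03:                                          # addressPrefix BIT STRING
        lo, nbits = decode_ip(val, width)
        return lo, fill(lo, nbits)
    (_, mn), (_, mx) = der_items(val)                        # addressRange {min, max}
    return decode_ip(mn, width)[0], fill(*decode_ip(mx, width))

def parse_ip_addr_blocks(ext_value):
    """DER IPAddrBlocks -> {afi: [(lo, hi), ...] or 'inherit'}, afi 1 = IPv4, 2 = IPv6."""
    blocks = {}
    for _, family in der_items(der_tlv(ext_value)[1]):       # IPAddressFamily
        (_, afi_octets), (tag, choice) = der_items(family)
        afi = int.from_bytes(afi_octets[:2], "big")          # optional SAFI octet ignored
        width = 32 if afi == 1 else 128
        if tag == 0x05:                                      # NULL -> inherit from issuer
            blocks[afi] = "inherit"
        else:
            blocks[afi] = [ip_range(t, v, width) for t, v in der_items(choice)]
    return blocks

def covers(blocks, addr, issuer_blocks=None):
    """Is addr inside the constraint? 'inherit' defers to the issuer's blocks; a
    family absent from the (critical) extension covers nothing."""
    ip = ipaddress.ip_address(addr)
    entry = blocks.get(1 if ip.version == 4 else 2, [])
    if entry == "inherit":
        return issuer_blocks is not None and covers(issuer_blocks, addr)
    return any(lo <= int(ip) <= hi for lo, hi in entry)
```

  A real path check would additionally require every range of a subject
  certificate to sit inside a range of its issuer, which is what makes the
  critical extension enforceable along the chain.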
* DNS and NBNS servers stored in SQL Database

  The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
  server entries that are sent via the IKEv1 Mode Config or IKEv2
  Configuration Payload to remote clients.

  See the following example scenarios:



* Camellia as IKEv1, IKEv2, and ESP encryption algorithm

  IKEv1 now also supports Camellia encryption.

  See the following example scenarios:



* Support of Certificate path length constraints

  The IKEv1 and IKEv2 daemons now check certificate path length

  See the following example scenarios:



* IKEv2 inactivity timeout

  The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
  no traffic was sent or received within the given interval. To close
  the complete IKE_SA if its only CHILD_SA was inactive, set the
  global strongswan.conf option "charon.inactivity_close_ike" to yes.

  See the following example scenario:


* Support of SHA2 HMAC ESP data integrity algorithms

  Added required userland changes for proper SHA256 and SHA384/512
  in ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256"
  keyword now configures the kernel with 128 bit truncation,
  not the non-standard 96 bit truncation used by previous releases.
  To use the old 96 bit truncation scheme, the new "sha256_96" proposal
  keyword has been introduced.

  See the following example scenarios:

  If you want to use the SHA2 HMAC with older Linux 2.6 kernels
  please apply the following kernel patch:


* Fixed IPComp in ESP tunnel mode (IKEv2 daemon only)

  Fixed IPComp in tunnel mode, stripping out the duplicated
  outer header. This change makes IPComp tunnel mode connections
  incompatible with previous releases; disable compression on such

* Fixed BEET mode

  Fixed BEET mode connections on recent kernels by installing SAs with
  appropriate traffic selectors, based on a patch by Michael Rossberg.

* Use of strongSwan IKEv2 Vendor ID

  Using extensions (such as BEET mode) and crypto algorithms (such as
  twofish, serpent, sha256_96) allocated in the private use space now
  requires that we know their meaning, i.e. that we are talking to strongSwan.
  Use the new "charon.send_vendor_id" option in strongswan.conf to
  let the remote peer know this is the case.

  The same strongSwan Vendor ID hash is now also used by the IKEv1
  pluto daemon.

* Support of EAP_ONLY authentication

  Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
  responder omits public key authentication in favor of a mutual
  authentication method. To enable EAP-only authentication, set
  rightauth=eap on the responder to rely only on the MSK-constructed
  AUTH payload. This not-yet standardized extension requires the
  strongSwan vendor ID introduced above.

  See the following example scenario:


* IKEv1 interoperability with Juniper SRX

  The IKEv1 daemon ignores the Juniper SRX notification type 40001,
  thus allowing interoperability.

* IKEv2 charon daemon ported to Android platform

  strongSwan team member Tobias Brunner ported the IKEv2 charon daemon
  to the Android 1.6 platform. Details on the cross-compilation will

Enjoy the new release!

Andreas Steffen, Martin Willi, Tobias Brunner

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
