[Announce] ANNOUNCE: strongswan-4.3.6 released

Andreas Steffen andreas.steffen at strongswan.org
Thu Feb 11 20:16:54 CET 2010


Hi,

after three months of heavy development we are happy to announce
the strongSwan 4.3.6 release available from

  http://www.strongswan.org/download.htm

The following new features are supported:


* RFC 3779 IP address block constraints
  -------------------------------------

  The IKEv2 daemon supports RFC 3779 IP address block constraints
  carried as a critical X.509v3 extension in the peer certificate.

  See the following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev2/net2net-rfc3779/

  http://www.strongswan.org/uml/testresults/ipv6/net2net-rfc3779-ikev2/
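The two checks an RFC 3779 constraint implies, as an added illustration (not strongSwan's own code): the peer's proposed traffic selectors must fall inside the address blocks of its certificate, and along the path each certificate's blocks must be contained in its issuer's. Blocks are given as CIDR prefixes or first-last ranges, the two forms IPAddressOrRange can carry, and are assumed to be in the canonical (merged) form RFC 3779 mandates; the "inherit" marker is not modelled.

```python
import ipaddress


def parse_block(text):
    """Parse one address block given as a CIDR prefix or as a 'first-last'
    range. Returns the (first, last) address pair of the block."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError("malformed range: %s" % text)
        return first, last
    net = ipaddress.ip_network(text, strict=True)
    return net[0], net[-1]


def covered_by(first, last, blocks):
    """True if [first, last] lies entirely inside one block of the same address
    family. With canonical (merged) blocks, straddling two blocks is a violation."""
    return any(b0.version == first.version and b0 <= first and last <= b1
               for b0, b1 in blocks)


def check_traffic_selectors(selectors, cert_blocks):
    """Return the selectors NOT permitted by the peer certificate's blocks.
    An empty list means every proposed selector is acceptable. A family with
    no block in the certificate permits nothing (the constraint is a whitelist)."""
    blocks = [parse_block(b) for b in cert_blocks]
    return [s for s in selectors if not covered_by(*parse_block(s), blocks)]


def issuer_covers_subject(subject_blocks, issuer_blocks):
    """RFC 3779 path validation: every block of a subject certificate must be
    contained in its issuer's blocks, otherwise the certificate chain is invalid."""
    issuer = [parse_block(b) for b in issuer_blocks]
    return all(covered_by(*parse_block(b), issuer) for b in subject_blocks)


if __name__ == "__main__":
    # Constructed example: a peer certificate restricted to two blocks.
    cert_blocks = ["10.1.0.0/16", "10.2.0.0-10.2.0.255"]
    print(check_traffic_selectors(["10.1.0.0/16", "10.3.0.0/16"], cert_blocks))
```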


* DNS and NBNS servers stored in SQL Database
  -------------------------------------------

  The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
  server entries that are sent via the IKEv1 Mode Config or IKEv2
  Configuration Payload to remote clients.

  See the following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/

  http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/


* Camellia as IKEv1, IKEv2, and ESP encryption algorithm
  ------------------------------------------------------

  IKEv1 now also supports Camellia encryption.

  See the following example scenarios:

  http://www.strongswan.org/uml/testresults/openssl-ikev1/alg-camellia/

  http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-camellia/


* Support of Certificate path length constraints
  ----------------------------------------------

  The IKEv1 and IKEv2 daemons now check certificate path length
  constraints.

  See the following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev1/multi-level-ca-pathlen/

  http://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-pathlen/
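What a path length check has to enforce, as an added example that is not strongSwan's code: the pathLenConstraint of each CA bounds the number of non-self-issued CA certificates that may follow it in the chain, processed as in RFC 5280 section 6.1.4 steps (l) and (m). The Cert class is a constructed stand-in for the few X.509 fields involved; honouring a constraint on the trust anchor itself is a local policy choice made here.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for the X.509 fields a path length check needs."""
    subject: str
    issuer: str
    is_ca: bool                  # basicConstraints cA flag
    pathlen: Optional[int] = None  # basicConstraints pathLenConstraint, None if absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def validate_path_length(chain: List[Cert]) -> Optional[str]:
    """Check pathLenConstraint over chain[0] = trust anchor .. chain[-1] = end
    entity. Returns None when the chain is acceptable, otherwise the reason."""
    if len(chain) < 2:
        return "chain must contain a trust anchor and an end-entity certificate"
    anchor, intermediates = chain[0], chain[1:-1]
    # RFC 5280 leaves anchor constraints to local policy; honour them here.
    max_path_length = anchor.pathlen if anchor.pathlen is not None else len(chain)
    prev = anchor
    for cert in intermediates:
        if cert.issuer != prev.subject:
            return "%s was not issued by %s" % (cert.subject, prev.subject)
        if not cert.is_ca:
            return "%s is not a CA but issued a certificate" % cert.subject
        if not cert.self_issued:           # step (l): self-issued certs do not count
            if max_path_length <= 0:
                return "path length constraint violated at %s" % cert.subject
            max_path_length -= 1
        if cert.pathlen is not None and cert.pathlen < max_path_length:
            max_path_length = cert.pathlen  # step (m): tighten to this CA's limit
        prev = cert
    if chain[-1].issuer != prev.subject:
        return "%s was not issued by %s" % (chain[-1].subject, prev.subject)
    return None
```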


* IKEv2 inactivity timeout
  ------------------------

  The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
  no traffic was sent or received within the given interval. To close
  the complete IKE_SA if its only CHILD_SA was inactive, set the
  global strongswan.conf option "charon.inactivity_close_ike" to yes.

  See the following example scenario:

  http://www.strongswan.org/uml/testresults/ikev2/inactivity-timeout/


* Support of SHA2 HMAC ESP data integrity algorithms
  --------------------------------------------------

  Added required userland changes for proper SHA256 and SHA384/512
  in ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256"
  keyword now configures the kernel with 128 bit truncation,
  not the non-standard 96 bit truncation used by previous releases.
  To use the old 96 bit truncation scheme, the new "sha256_96" proposal
  keyword has been introduced.

  See the following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev1/alg-sha256-96/

  http://www.strongswan.org/uml/testresults/ikev1/alg-sha256/

  http://www.strongswan.org/uml/testresults/ikev1/alg-sha384/

  http://www.strongswan.org/uml/testresults/ikev1/alg-sha512/

  http://www.strongswan.org/uml/testresults/ikev2/alg-sha256-96/

  http://www.strongswan.org/uml/testresults/ikev2/alg-sha256/

  http://www.strongswan.org/uml/testresults/ikev2/alg-sha384/

  http://www.strongswan.org/uml/testresults/ikev2/alg-sha512/

  If you want to use the SHA2 HMAC with older Linux 2.6 kernels
  please apply the following kernel patch:

  http://download.strongswan.org/uml/sha2.patch.bz2
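Why the truncation change breaks interoperability between releases, shown with an added example (not strongSwan code): the ESP ICV is the HMAC over the authenticated part of the packet truncated to a fixed length, so a receiver that expects a 96-bit ICV cannot verify a packet carrying the 128-bit ICV that "sha256" now produces. The truncation lengths follow RFC 4868 (SHA-256-128, SHA-384-192, SHA-512-256); the key and packet bytes are constructed.

```python
import hashlib
import hmac

# Proposal keyword -> (hash function, ICV length in bits). Per RFC 4868 the
# HMAC key length equals the hash output length (32/48/64 bytes).
ALGS = {
    "sha256": ("sha256", 128),
    "sha256_96": ("sha256", 96),   # pre-4.3.6 behaviour of "sha256"
    "sha384": ("sha384", 192),
    "sha512": ("sha512", 256),
}


def esp_icv(keyword: str, key: bytes, authenticated: bytes) -> bytes:
    """ICV over the authenticated part of an ESP packet (ESP header, IV,
    payload and trailer), truncated as the proposal keyword demands."""
    hashname, bits = ALGS[keyword]
    return hmac.new(key, authenticated, hashname).digest()[: bits // 8]


def verify_icv(keyword: str, key: bytes, packet: bytes) -> bool:
    """Split the trailing ICV off a received packet using the receiver's own
    truncation length and compare in constant time. A peer using a different
    truncation splits the packet at the wrong place and verification fails."""
    icv_len = ALGS[keyword][1] // 8
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(esp_icv(keyword, key, body), icv)


def build_packet(keyword: str, key: bytes, body: bytes) -> bytes:
    """Append the ICV to the authenticated part of a packet."""
    return body + esp_icv(keyword, key, body)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()       # 32-byte key
    body = bytes.fromhex("00001000" "00000001") + b"constructed payload"
    pkt = build_packet("sha256", key, body)                      # 128-bit ICV
    print("same truncation:", verify_icv("sha256", key, pkt))    # True
    print("old 96-bit peer:", verify_icv("sha256_96", key, pkt)) # False
```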


* Fixed IPComp in ESP tunnel mode (IKEv2 daemon only)
  ---------------------------------------------------

  Fixed IPComp in tunnel mode, stripping out the duplicated
  outer header. This change makes IPComp tunnel mode connections
  incompatible with previous releases; disable compression on such
  tunnels.


* Fixed BEET mode
  ---------------

  Fixed BEET mode connections on recent kernels by installing SAs with
  appropriate traffic selectors, based on a patch by Michael Rossberg.


* Use of strongSwan IKEv2 Vendor ID
  ---------------------------------

  Using extensions (such as BEET mode) and crypto algorithms (such as
  twofish, serpent, sha256_96) allocated in the private use space now
  requires that we know their meaning, i.e. we are talking to strongSwan.
  Use the new "charon.send_vendor_id" option in strongswan.conf to
  let the remote peer know this is the case.

  The same strongSwan Vendor ID hash is now also used by the IKEv1
  pluto daemon.


* Support of EAP_ONLY authentication
  ----------------------------------

  Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
  responder omits public key authentication in favor of a mutual
  authentication method. To enable EAP-only authentication, set
  rightauth=eap on the responder to rely only on the MSK constructed
  AUTH payload. This not-yet standardized extension requires the
  strongSwan vendor ID introduced above.

  See the following example scenario:

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-only-radius/


* IKEv1 interoperability with Juniper SRX
  ---------------------------------------

  The IKEv1 daemon ignores the Juniper SRX notification type 40001,
  thus allowing interoperability.


* IKEv2 charon daemon ported to Android platform
  ----------------------------------------------

  strongSwan team member Tobias Brunner ported the IKEv2 charon daemon
  to the Android 1.6 platform. Details on the cross-compilation will
  follow.


Enjoy the new release!

Andreas Steffen, Martin Willi, Tobias Brunner

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==