[Announce] ANNOUNCE: strongswan-4.4.0 released

Andreas Steffen andreas.steffen at strongswan.org
Mon May 3 09:53:01 CEST 2010


Hi,

we are happy to announce the major 4.4 strongSwan release which
offers the following new features:

* IKEv2 High Availability
    -----------------------

    The IKEv2 High Availability plugin has been integrated. It provides
    load sharing and fail-over capabilities in a cluster of currently
    two nodes, based on an extended ClusterIP kernel module. More
    information is available at

    http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability

    The development of the High Availability functionality was sponsored
    by secunet Security Networks AG.


* Diffie-Hellman Groups 22, 23, 24 with prime order subgroups
   -----------------------------------------------------------

    Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp,
    gcrypt and openssl plugins, usable by both pluto and charon. The
    new proposal keywords are

      modp1024s160, modp2048s224, and modp2048s256

    as the following IKEv1 and IKEv2 example scenarios show:

    http://www.strongswan.org/uml/testresults44rc/ikev1/alg-modp-subgroup/

    http://www.strongswan.org/uml/testresults44rc/ikev2/alg-modp-subgroup/


    Thanks to Joy Latten from IBM for her contribution.


* AES-GMAC ESP authentication-only mode
    -------------------------------------

    Added IKEv1 and IKEv2 configuration support for the AES-GMAC
    authentication-only ESP cipher. Our aes_gmac kernel patch

    http://download.strongswan.org/uml/aes_gmac.patch.bz2

    or the forthcoming Linux 2.6.34 kernel is required to make
    AES-GMAC available via the XFRM kernel interface. Configuration
    examples for IKEv1 and IKEv2 can be found here:

    http://www.strongswan.org/uml/testresults/ikev1/esp-alg-aes-gmac/

    http://www.strongswan.org/uml/testresults/ikev2/esp-alg-aes-gmac/


* RAM-based virtual IP address pools for pluto
    --------------------------------------------

    The pluto daemon inherited the popular RAM-based virtual IP
    address pool functionality from the charon daemon. The directive

      rightsourceip=<subnet>

    defines a subnet from which addresses are dynamically allocated,
    as the following example scenario shows:

    http://www.strongswan.org/uml/testresults44rc/ikev1/ip-pool/


* DHCP and ARP Proxy support
    --------------------------

    The new dhcp plugin queries virtual IP addresses for clients from
    a DHCP server using broadcasts or a defined server using the

      charon.plugins.dhcp.server =

    strongswan.conf option. Additionally DNS/WINS server information
    is served to clients if the DHCP server provides such information.
    The plugin is used in ipsec.conf configurations with the setting

      rightsourceip=%dhcp.

    A new plugin called farp handles ARP responses for virtual IP
    addresses handed out to clients by the IKEv2 daemon charon.
    The plugin lets a road-warrior act as a client on the local LAN
    if it uses a virtual IP from the responder's subnet, e.g. acquired
    via the dhcp plugin. The following example scenarios show the use
    of the dhcp and farp plugins:

    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-dynamic/

    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-client-id/

    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-mac/

    http://www.strongswan.org/uml/testresults44rc/ikev2/farp/


* Arbitrary IKEv2 source and destination ports
    --------------------------------------------

    The existing IKEv2 socket implementations have been migrated to the
    socket-default and the socket-raw plugins. The new socket-dynamic
    plugin binds sockets dynamically to ports configured via the

      left|rightikeport

    ipsec.conf connection parameters.


* Android Support
    ---------------

    The android plugin stores received DNS server information as
    "net.dns" system properties, as used by the Android platform.
    Thanks to the new libcharon library the IKEv2 charon daemon
    can now be built monolithically. For more information on the
    Android build see

    http://wiki.strongswan.org/projects/strongswan/wiki/Android


* Storage of public and private keys in PEM format
    ------------------------------------------------

    The ipsec pki --gen and --pub commands now allow the output of
    private and public keys in PEM format using the --outform pem
    command line option.

Enjoy our new release!

Best regards

Andreas Steffen, Tobias Brunner & Martin Willi

                  the strongSwan team

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
