[Announce] ANNOUNCE: strongswan-4.5.0 released

Andreas Steffen andreas.steffen at strongswan.org
Sun Oct 31 14:22:03 CET 2010


we are proud to release the major strongSwan 4.5 release.
As you will see, a lot of new features made it into the new version:

- IMPORTANT: IKEv2 becomes the default key exchange mode !!!

  In 2010 we commemorate the five year anniversary of the original
  IKEv2 RFC 4306. Actually the RFC was replaced in September by
  its mature successor RFC 5996 which specifies the protocol in much
  more detail. We started the development of the strongSwan IKEv2
  daemon in October 2005 and gave the VPN community five years to
  migrate to the new version. With strongSwan 4.5 the default
  keyexchange=ike option will now be equivalent to keyexchange=ikev2.
  If you still like to use the old IKEv1 protocol then you must
  explicitly define keyexchange=ikev1. We think that the time has
  definitively come for IKEv1 to go into retirement and to cede its
  place to the much more robust, powerful and versatile IKEv2 protocol!
  IKEv2 solutions are also available from CheckPoint, Cisco, Juniper,
  Microsoft, SonicWall and others, with the possibility to
  interoperate with strongSwan.

- IKEv2 AEAD ciphersuites supported by new ctr, ccm and gcm plugins

  The new plugins provide Counter Mode (CTR), Counter Mode with CBC-MAC
  (CCM) and Galois/Counter Mode (GCM) based on existing CBC encryption
  implementations. CTR and CCM can be used with either AES or Camellia
  and GCM with AES. An overview of all supported algorithms can be
  found on our wiki:
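  As an added illustration for the two points above (it is not part of the
  original announcement), an ipsec.conf connection that states the key
  exchange version explicitly and uses one of the new AEAD suites; the
  addresses, identities and the exact proposal keywords are assumptions to
  be checked against your installed version:

```conf
# ipsec.conf (added example, not from the announcement)
# Assumed: host addresses, identities and proposal keyword syntax.
# Run 'ipsec listalgs' after starting charon to confirm that the
# gcm/ccm/ctr plugins actually registered the algorithms used here.
config setup

conn aead-gw
    keyexchange=ikev2          # explicit: 'ike' now means IKEv2, say so anyway
    # An AEAD cipher carries no separate integrity algorithm, so the
    # IKE proposal must name a PRF explicitly; '!' makes the proposal strict.
    ike=aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16-ecp256!    # ESP with AES-GCM plus a DH group for PFS
    left=192.0.2.1             # placeholder gateway address
    leftcert=gwCert.pem
    leftid=@gw.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightid=%any
    auto=add

# Existing IKEv1 peers: add 'keyexchange=ikev1' to their conn sections,
# otherwise they will be offered IKEv2 after the upgrade and fail to connect.
```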


- IKEv2 smartcard support

  The new pkcs11 plugin brings full smartcard support to the IKEv2
  daemon and the "ipsec pki" utility using one or more PKCS#11
  libraries. It currently supports RSA private and public key
  operations and loads X.509 certificates from tokens.

- EAP-TLS support

  Implemented a general purpose TLS stack based on crypto and credential
  primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1
  and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and
  RSA/ECDSA based client authentication.

  Based on libtls, the eap-tls plugin brings certificate-based EAP
  authentication for client and server. It is compatible to Windows 7
  IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
  EAP-TLS backend.

  Example with FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:

- EAP-TTLS support

  EAP-TTLS uses strong EAP-TLS authentication for the server and
  potentially weak password-based client authentication (EAP-MD5, etc.)
  over a secure TLS tunnel:

  Example with FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:

- Trusted Network Connect support

  Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
  libtnc library on the strongSwan client and server side via the
  tnccs_11 plugin and optionally connecting to a TNC at FHH-enhanced
  FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
  strongSwan clients are granted access to a network behind a
  strongSwan gateway (allow), are put into a remediation zone (isolate)
  or are blocked (none), respectively.

  Example with TNC at FHH-enhanced FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:

  Group membership attributes are used to assign clients either to the
  'rw-allow' or 'rw-isolate' subnets, respectively. As an alternative
  non-complying clients can be blocked from access:

  Example with TNC at FHH-enhanced FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:

  Any number of Integrity Measurement Collector/Verifier pairs can be
  attached via the tnc-imc and tnc-imv charon plugins.

- Multiple RADIUS servers

  The RADIUS plugin eap-radius now supports multiple RADIUS servers for
  redundant setups. Servers are selected by a defined priority, server
  load and availability.
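  An added strongswan.conf fragment (not from the announcement) showing how
  two RADIUS servers could be declared for the redundant setup described
  above; the option names under the servers section, the addresses and the
  secrets are assumptions and should be checked against the man page:

```conf
# strongswan.conf (added example, not from the announcement)
# Assumed option names: address, secret, auth_port, preference.
# Verify them with 'man strongswan.conf' for the version you run.
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10                    # placeholder
                    secret = PRIMARY-SHARED-SECRET-PLACEHOLDER
                    auth_port = 1812
                    preference = 99     # higher value: preferred while reachable
                }
                backup {
                    address = 192.0.2.11                    # placeholder
                    secret = BACKUP-SHARED-SECRET-PLACEHOLDER
                    auth_port = 1812
                    preference = 10     # used when primary is down or overloaded
                }
            }
        }
    }
}
```

  Use a distinct shared secret per server so that a leaked secret for one
  backend does not let an attacker impersonate the other.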


- strongSwan VPN applets for Maemo 5

  Applets for Maemo 5 (Nokia) allow to easily configure and control
  IKEv2 based VPN connections with EAP authentication on supported

- LED plugin

  If you plan to throw a party, you can now dance to the beat of your
  IKEv2 packets. The simple led plugin controls hardware LEDs through
  the Linux LED subsystem. It currently shows activity of the IKE
  daemon and is a good example of how to implement a simple event listener.

- Pluto uses kernel-netlink plugin

  The pluto daemon now uses the kernel-netlink plugin to configure and
  monitor IPsec policies and security associations in the Linux 2.6
  kernel. This allows, e.g., the use of XFRM marks and pre-defined reqids
  with IKEv1 connections.

- Created man page for strongswan.conf

  The increasing number of strongswan.conf options which up to now were
  only listed on our wiki:


  are now also documented by man strongswan.conf

Enjoy the new release!

Andreas Steffen, Tobias Brunner, Martin Willi

The strongSwan Team

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
