[Announce] ANNOUNCE: strongswan-4.5.3 released
Andreas Steffen
andreas.steffen at strongswan.org
Thu Aug 4 12:34:20 CEST 2011
Hello,
strongSwan 4.5.3 is now available for download.
The following new features have been included:
PASS and DROP shunt policies configurable by charon
---------------------------------------------------
The IKEv2 charon daemon supports type=pass and type=drop shunt
policies preventing specific traffic to go through IPsec connections.
Installation of the shunt policies are possible either via the XFRM
netfilter or PFKEYv2 IPsec kernel interfaces as the following two
scenarios show:
http://www.strongswan.org/uml/testresults/ikev2/shunt-policies/
http://www.strongswan.org/uml/testresults/pfkey/shunt-policies/
Job priority management
-----------------------
Job priorities were introduced in order to prevent thread starvation
caused by too many threads handling blocking operations (such as CRL
fetching). For details see our new HOWTO
http://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
Tracking of IPsec policy histories
----------------------------------
The history of policies installed in the kernel is now tracked so
that e.g. trap policies are correctly updated when re-authenticated
SAs are terminated.
New IKEv2 closaction keyword
----------------------------
The IKEv2 close action does not use the same value as the ipsec.conf
dpdaction setting, but the value defined by its own closeaction
keyword. The action is triggered if the remote peer closes a CHILD_SA
unexpectedly.
strongSwan libraries moved
--------------------------
Heeding the request from several Linux Distributions, our private
libraries (e.g. libstrongswan) are not installed directly in
prefix/lib anymore. Instead a subdirectory is used
(prefix/lib/ipsec/ by default). The plugins directory has also moved
from prefix/libexec/ipsec/ to that directory.
The dynamic IMC/IMV libraries were moved from the plugins directory
to a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
IMC/IMV pairs implementing the RFC 5792 PA-TNC (IF-M) protocol
--------------------------------------------------------------
- IMC/IMV Scanner pair: (--enable-imc-scanner/--enable-imv-scanner)
Using "netstat -l" the Integrity Measurement Collector (IMC) scans
open listening ports on the TNC client and sends a port list to
the Integrity Measurement Verifier (IMV) which, based on a port
policy decides if the client is admitted to the network.
http://www.strongswan.org/uml/testresults/tnc/tnccs-20/
- IMC/IMV Test pair: (--enable-imc-test/--enable-imv-test)
Can be used to test the RFC 5793 PB-TNC (IF-TNCCS 2.0) protocol.
http://www.strongswan.org/uml/testresults/tnc/tnccs-20-client-retry/
Since the new IMC/IMV pairs are now used in most of our example
scenarios, the TNC HOWTO has been updated accordingly:
http://www.strongswan.org/tnc/
ipsec statusall shows ESN
-------------------------
ipsec statusall now show whether Extended Sequence Numbers (ESN)
have been negotiated. ESN is supported by the Linux kernel
starting with 2.6.39.
http://www.strongswan.org/uml/testresults/ikev2/net2net-esn/
Best regards
Andreas Steffen, Tobias Brunner, Martin Willi
The strongSwan Team
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Announce
mailing list