[Announce] ANNOUNCE: strongswan-4.5.3 released

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 4 12:34:20 CEST 2011


strongSwan 4.5.3 is now available for download.
The following new features have been included:

PASS and DROP shunt policies configurable by charon

  The IKEv2 charon daemon supports type=pass and type=drop shunt
  policies, which prevent specific traffic from going through IPsec
  connections. Installation of the shunt policies is possible either
  via the XFRM netlink or the PFKEYv2 IPsec kernel interface, as the
  following two scenarios show:



Job priority management

Job priorities were introduced in order to prevent thread starvation
caused by too many threads handling blocking operations (such as CRL
fetching). For details see our new HOWTO


Tracking of IPsec policy histories

  The history of policies installed in the kernel is now tracked so
  that e.g. trap policies are correctly updated when re-authenticated
  SAs are terminated.

New IKEv2 closeaction keyword

  The IKEv2 close action does not use the same value as the ipsec.conf
  dpdaction setting, but the value defined by its own closeaction
  keyword. The action is triggered if the remote peer closes a CHILD_SA.
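The following ipsec.conf excerpt is an added illustration of the two
features above (the shunt policies and the separate closeaction
keyword); it is not one of the scenarios referred to in the
announcement and not taken from the strongSwan source tree. The
connection names, addresses and certificate file name are constructed.

```conf
# Added illustrative ipsec.conf excerpt (not from the announcement or the
# strongSwan source tree). Connection names, addresses and the certificate
# file name are constructed placeholders.

# Road-warrior tunnel that sends all traffic (0.0.0.0/0) to the gateway.
conn home
     left=%defaultroute
     leftsourceip=%config
     leftcert=clientCert.pem
     right=192.0.2.1
     rightsubnet=0.0.0.0/0
     keyexchange=ikev2
     # dpdaction decides what happens when the peer stops answering...
     dpdaction=clear
     dpddelay=30s
     # ...while closeaction is evaluated separately, when the peer
     # actively deletes the CHILD_SA: re-establish it instead of leaving
     # the host without protection until the next manual "ipsec up".
     closeaction=restart
     auto=start

# PASS shunt: traffic to the local LAN bypasses IPsec instead of being
# forced into the 0.0.0.0/0 tunnel above (more specific policy wins).
conn local-net
     leftsubnet=192.168.1.0/24
     rightsubnet=192.168.1.0/24
     type=pass
     auto=route

# DROP shunt: traffic to a blocked prefix is discarded in the kernel, so
# it neither leaves the host in the clear nor triggers IKE negotiation.
conn blocked-net
     leftsubnet=192.168.1.0/24
     rightsubnet=203.0.113.0/24
     type=drop
     auto=route
```

Shunt connections are installed with auto=route, since they are pure
kernel policies without an SA; after "ipsec start" the pass and drop
entries can be checked with "ip xfrm policy" on the XFRM interface, and
"ipsec statusall" lists them under its shunted connections.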

strongSwan libraries moved

  Heeding the request from several Linux distributions, our private
  libraries (e.g. libstrongswan) are not installed directly in
  prefix/lib anymore. Instead a subdirectory is used
  (prefix/lib/ipsec/ by default). The plugins directory has also moved
  from prefix/libexec/ipsec/ to that directory.

  The dynamic IMC/IMV libraries were moved from the plugins directory
  to a new imcvs directory in the prefix/lib/ipsec/ subdirectory.

IMC/IMV pairs implementing the RFC 5792 PA-TNC (IF-M) protocol

- IMC/IMV Scanner pair: (--enable-imc-scanner/--enable-imv-scanner)

  Using "netstat -l", the Integrity Measurement Collector (IMC) scans
  the open listening ports on the TNC client and sends a port list to
  the Integrity Measurement Verifier (IMV) which, based on a port
  policy, decides whether the client is admitted to the network.


- IMC/IMV Test pair: (--enable-imc-test/--enable-imv-test)

  Can be used to test the RFC 5793 PB-TNC (IF-TNCCS 2.0) protocol.


  Since the new IMC/IMV pairs are now used in most of our example
  scenarios, the TNC HOWTO has been updated accordingly:


ipsec statusall shows ESN

  ipsec statusall now shows whether Extended Sequence Numbers (ESN)
  have been negotiated. ESN is supported by the Linux kernel
  starting with 2.6.39.


Best regards

Andreas Steffen, Tobias Brunner, Martin Willi

The strongSwan Team

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
