[strongSwan-dev] ANNOUNCE: strongswan-4.4.0rc1

Jan Willem Beusink jan.willem.beusink at ti-wmc.nl
Tue Apr 27 17:18:24 CEST 2010


Andreas Steffen wrote:
> Hi,
> 
> we are happy to announce the first release candidate of the
> forthcoming strongSwan 4.4 release. This major version offers the
> following new features:
> 
> * IKEv2 High Availability
>    -----------------------
> 
>    The IKEv2 High Availability plugin has been integrated. It provides
>    load sharing and fail-over capabilities in a cluster of currently
>    two nodes, based on an extended ClusterIP kernel module. More
>    information is available at
> 
>    http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
> 
>    The development of the High Availability functionality was sponsored
>    by secunet Security Networks AG.
> 
> 
> * Diffie-Hellman Groups 22, 23, 24 with prime order subgroups
>    -----------------------------------------------------------
> 
>    Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp,
>    gcrypt and openssl plugins, usable by both pluto and charon. The
>    new proposal keywords are
> 
>      modp1024s160, modp2048s224, and modp2048s256
> 
>    as the following IKEv1 and IKEv2 example scenarios show:
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev1/alg-modp-subgroup/
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev2/alg-modp-subgroup/
> 
>    Thanks to Joy Latten from IBM for her contribution.
> 
> 
> * RAM-based virtual IP address pools for pluto
>    --------------------------------------------
> 
>    The pluto daemon inherited the popular RAM-based virtual IP
>    address pool functionality from the charon daemon. The directive
> 
>      rightsourceip=<subnet>
> 
>    defines a subnet from which addresses are dynamically allocated,
>    as the following example scenario shows:
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev1/ip-pool/
> 
> 
> * DHCP and ARP Proxy support
>    --------------------------
> 
>    The new dhcp plugin queries virtual IP addresses for clients from
>    a DHCP server using broadcasts or a defined server using the
> 
>      charon.plugins.dhcp.server =
> 
>    strongswan.conf option. Additionally, DNS/WINS server information
>    is served to clients if the DHCP server provides such information.
>    The plugin is used in ipsec.conf configurations with the setting
> 
>      rightsourceip=%dhcp.
> 
>    A new plugin called farp handles ARP responses for virtual IP
>    addresses handed out to clients by the IKEv2 daemon charon.
>    The plugin lets a road-warrior act as a client on the local LAN
>    if it uses a virtual IP from the responder's subnet, e.g. acquired
>    via the dhcp plugin. The following example scenarios show the use
>    of the dhcp and farp plugins:
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-dynamic/
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-client-id/
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-mac/
> 
>    http://www.strongswan.org/uml/testresults44rc/ikev2/farp/
> 
> 
> * Arbitrary IKEv2 source and destination ports
>    --------------------------------------------
> 
>    The existing IKEv2 socket implementations have been migrated to the
>    socket-default and the socket-raw plugins. The new socket-dynamic
>    plugin binds sockets dynamically to ports configured via the
> 
>      left|rightikeport
> 
>    ipsec.conf connection parameters.
> 
> 
> * Android Support
>    ---------------
> 
>    The android plugin stores received DNS server information as
>    "net.dns" system properties, as used by the Android platform.
>    Thanks to the new libcharon library the IKEv2 charon daemon
>    can now be built monolithically. For more information on the
>    Android build see
> 
>    http://wiki.strongswan.org/projects/strongswan/wiki/Android
> 
> 
> * Storage of public and private keys in PEM format
>    ------------------------------------------------
> 
>    The ipsec pki --gen and --pub commands now allow the output of
>    private and public keys in PEM format using the --outform pem
>    command line option.
> 
> Please give the new features a try and report any problems quickly.
> ETA for the stable strongSwan 4.4.0 release is the beginning of May.
> 
> Best regards from the strongSwan team
> 
> Andreas Steffen, Tobias Brunner & Martin Willi
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 

Hi all,

With respect to testing 4.4.0rc1, I found the following:

1. The ipsec pki --self command could use the --outform pem too imho.

2. Furthermore, I found that after compiling strongswan for openwrt (see
below for ./configure) using 4.3.6 I get an error the first time
strongswan starts:
root at OpenWrt:/# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
/usr/sbin/ipsec: unknown IPsec command `scepclient' (`ipsec --help' for list)
root at OpenWrt:/# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping charon start
starter is already running (/var/run/starter.pid exists) -- no fork done

4.4.0rc1 does not give the unknown command message, however it gives a
segfault instead...
Note that in this case I compiled 4.3.6 with --disable-tools, whereas I
did not disable tools with 4.4.0rc1.

I recompiled 4.3.6 without --disable-tools and it did not give any errors
(although it seemed to take a little longer to start up the first time).

3. After installation of 4.3.6, listalgs works:
root at OpenWrt:/# ipsec listalgs

List of registered IKEv2 Algorithms:

  encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC BLOWFISH_CBC DES_CBC DES_ECB NULL
  integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_512_256
  hasher:     HASH_SHA1 HASH_MD2 HASH_MD4 HASH_MD5 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512
  prf:        PRF_AES128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group:   MODP_2048 MODP_1536 ECP_256 ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768

However, this stays blank in 4.4.0rc1. (As --disable-tools should not
interfere with this and /etc/strongswan.conf seems the same, I do not
understand why the openssl plugin is not loaded.)

Kind regards,

Jan Willem Beusink


----
4.3.6: $ ./configure --target=mipsel-openwrt-linux
--host=mipsel-openwrt-linux --build=i486-linux-gnu --program-prefix=
--program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc
--datadir=/usr/share --localstatedir=/var --mandir=/usr/man
--infodir=/usr/info --disable-nls --disable-ipv6
--with-random-device=/dev/random --with-urandom-device=/dev/urandom
--enable-curl --disable-aes --disable-des --disable-md5 --disable-sha1
--disable-sha2 --disable-fips-prf --disable-gmp --disable-pubkey
--disable-pluto --disable-tools --enable-openssl --disable-pkcs1
--with-routing-prio=220 --with-routing-table=220 --disable-static
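As an added illustration (not from the announcement, the reply above, or the strongSwan project) of how the 4.4 directives quoted in the announcement fit together: a strongswan.conf fragment that points the dhcp plugin at a fixed server instead of broadcasting, and an ipsec.conf road-warrior connection that leases virtual IPs via rightsourceip=%dhcp, lets farp answer ARP for them on the gateway's LAN, uses one of the new prime-order-subgroup DH groups and binds IKE to a non-standard port. All addresses, certificate and identity names are constructed placeholders; the build is assumed to have the dhcp, farp and socket-dynamic plugins enabled.

```conf
# /etc/strongswan.conf  (constructed example)
charon {
    plugins {
        dhcp {
            # Ask this DHCP server directly rather than broadcasting on the
            # LAN; 10.1.0.2 is a placeholder for the real server address.
            server = 10.1.0.2
        }
    }
}

# /etc/ipsec.conf  (constructed example)
config setup
    plutostart=no               # IKEv2 only, charon handles everything

conn rw-dhcp
    keyexchange=ikev2
    left=192.0.2.1              # placeholder public address of the gateway
    leftsubnet=10.1.0.0/24      # LAN the road-warriors should appear on
    leftcert=gatewayCert.pem    # placeholder certificate name
    leftid=@gw.example.org      # placeholder identity
    leftikeport=4510            # served by the socket-dynamic plugin
    right=%any
    rightsourceip=%dhcp         # virtual IP comes from the DHCP lease;
                                # farp then answers ARP for it on leftsubnet
    # group 24 (modp2048s256): 2048-bit modulus with a 256-bit prime-order
    # subgroup; the trailing '!' makes the proposal strict
    ike=aes128-sha256-modp2048s256!
    esp=aes128-sha256!
    auto=add
```

Because the leased address lies inside leftsubnet, the gateway's farp plugin answering ARP is what makes LAN hosts route return traffic to the tunnel; without farp the lease alone would leave the client unreachable from the LAN.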