[strongSwan-dev] ANNOUNCE: strongswan-4.4.0rc1

Jan Willem Beusink jan.willem.beusink at ti-wmc.nl
Tue Apr 27 17:18:24 CEST 2010

Andreas Steffen wrote:
> Hi,
> we are happy to announce the first release candidate of the
> forthcoming strongSwan 4.4 release. This major version offers the
> following new features:
> * IKEv2 High Availability
>    -----------------------
>    The IKEv2 High Availability plugin has been integrated. It provides
>    load sharing and fail-over capabilities in a cluster of currently
>    two nodes, based on an extended ClusterIP kernel module. More
>    information is available at
>    http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>    The development of the High Availability functionality was sponsored
>    by secunet Security Networks AG.
> * Diffie-Hellman Groups 22, 23, 24 with prime order subgroups
>    -----------------------------------------------------------
>    Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp,
>    gcrypt and openssl plugins, usable by both pluto and charon. The
>    new proposal keywords are
>      modp1024s160, modp2048s224, and modp2048s256
>    as the following IKEv1 and IKEv2 example scenarios show:
>    http://www.strongswan.org/uml/testresults44rc/ikev1/alg-modp-subgroup/
>    http://www.strongswan.org/uml/testresults44rc/ikev2/alg-modp-subgroup/
>    Thanks to Joy Latten from IBM for her contribution.
> * RAM-based virtual IP address pools for pluto
>    --------------------------------------------
>    The pluto daemon inherited the popular RAM-based virtual IP
>    address pool functionality from the charon daemon. The directive
>      rightsourceip=<subnet>
>    defines a subnet from which addresses are dynamically allocated,
>    as the following example scenario shows:
>    http://www.strongswan.org/uml/testresults44rc/ikev1/ip-pool/
> * DHCP and ARP Proxy support
>    --------------------------
>    The new dhcp plugin queries virtual IP addresses for clients from
>    a DHCP server using broadcasts or a defined server using the
>      charon.plugins.dhcp.server =
>    strongswan.conf option. Additionally DNS/WINS server information
>    is served to clients if the DHCP server provides such information.
>    The plugin is used in ipsec.conf configurations with the setting
>      rightsourceip=%dhcp.
>    A new plugin called farp handles ARP responses for virtual IP
>    addresses handed out to clients by the IKEv2 daemon charon.
>    The plugin lets a road-warrior act as a client on the local LAN
>    if it uses a virtual IP from the responder's subnet, e.g. acquired
>    via the dhcp plugin. The following example scenarios show the use
>    of the dhcp and farp plugins:
>    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-dynamic/
>    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-client-id/
>    http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-mac/
>    http://www.strongswan.org/uml/testresults44rc/ikev2/farp/
> * Arbitrary IKEv2 source and destination ports
>    --------------------------------------------
>    The existing IKEv2 socket implementations have been migrated to the
>    socket-default and the socket-raw plugins. The new socket-dynamic
>    plugin binds sockets dynamically to ports configured via the
>      left|rightikeport
>    ipsec.conf connection parameters.
> * Android Support
>    ---------------
>    The android plugin stores received DNS server information as
>    "net.dns" system properties, as used by the Android platform.
>    Thanks to the new libcharon library the IKEv2 charon daemon
>    can now be built monolithically. For more information on the
>    Android build see
>    http://wiki.strongswan.org/projects/strongswan/wiki/Android
> * Storage of public and private keys in PEM format
>    ------------------------------------------------
>    The ipsec pki --gen and --pub commands now allow the output of
>    private and public keys in PEM format using the --outform pem
>    command line option.
> Please give the new features a try and report any problems quickly.
> ETA for the stable strongSwan 4.4.0 release is the beginning of May.
> Best regards from the strongSwan team
> Andreas Steffen, Tobias Brunner & Martin Willi
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

Hi all,

With respect to testing 4.4.0rc1, I found the following:

1. The ipsec pki --self command could use the --outform pem option too, IMHO.

2. Furthermore, I found that after compiling strongSwan 4.3.6 for OpenWrt
(see below for the ./configure line) I get an error the first time
strongSwan starts:
root at OpenWrt:/# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
/usr/sbin/ipsec: unknown IPsec command `scepclient' (`ipsec --help' for
root at OpenWrt:/# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping
charon start
starter is already running (/var/run/starter.pid exists) -- no fork done

4.4.0rc1 does not give the unknown command message; however, it gives a
segfault instead...
Note that in this case I compiled 4.3.6 with --disable-tools, whereas I
did not disable the tools with 4.4.0rc1.

I recompiled 4.3.6 without --disable-tools and it did not give any errors
(although it seemed to take a little longer to start up the first time).

3. After installation of 4.3.6, listalgs works:
root at OpenWrt:/# ipsec listalgs

List of registered IKEv2 Algorithms:

  integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192
  prf:        PRF_AES128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1
  dh-group:   MODP_2048 MODP_1536 ECP_256 ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768

However, this stays blank in 4.4.0rc1. (As --disable-tools should not
interfere with this and /etc/strongswan.conf seems the same, I do not
understand why the openssl plugin is not loaded.)

Kind regards,

Jan Willem Beusink

4.3.6 configure line:
$ ./configure --target=mipsel-openwrt-linux
--host=mipsel-openwrt-linux --build=i486-linux-gnu --program-prefix=
--program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc
--datadir=/usr/share --localstatedir=/var --mandir=/usr/man
--infodir=/usr/info --disable-nls --disable-ipv6
--with-random-device=/dev/random --with-urandom-device=/dev/urandom
--enable-curl --disable-aes --disable-des --disable-md5 --disable-sha1
--disable-sha2 --disable-fips-prf --disable-gmp --disable-pubkey
--disable-pluto --disable-tools --enable-openssl --disable-pkcs1
--with-routing-prio=220 --with-routing-table=220 --disable-static

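As an added illustration, not part of the announcement or of the reply above, the fragments below put the new 4.4 directives named in the announcement (the modp2048s256 proposal keyword, rightsourceip=%dhcp with the dhcp and farp plugins, charon.plugins.dhcp.server, and left|rightikeport with the socket-dynamic plugin) into a minimal ipsec.conf and strongswan.conf pair. Hostnames, addresses, certificate file names and the plugin load list are assumptions made for the example; they are not from the thread.

```conf
# /etc/ipsec.conf -- added example; all names and addresses are made up
config setup
        plutostart=no             # IKEv2 only, everything below is handled by charon

conn %default
        keyexchange=ikev2
        # DH group 24 (2048-bit MODP with a 256-bit prime order subgroup) via the
        # new modp2048s256 keyword; the trailing "!" makes the proposal strict
        ike=aes128-sha256-modp2048s256!
        esp=aes128-sha256!

conn roadwarrior
        left=%defaultroute
        leftcert=gwCert.pem                # assumed certificate file
        leftid=@gw.example.org             # assumed gateway identity
        leftsubnet=10.1.0.0/16             # assumed LAN behind the gateway
        leftfirewall=yes
        # virtual IPs are leased from the LAN's DHCP server through the dhcp
        # plugin; with farp loaded the gateway answers ARP for them, so the
        # road-warrior appears as a host on 10.1.0.0/16
        rightsourceip=%dhcp
        right=%any
        auto=add

conn port-override
        # non-standard IKE ports; honored only when socket-dynamic is loaded
        leftikeport=5000
        rightikeport=5000
        left=192.0.2.1                     # assumed addresses
        right=192.0.2.2
        auto=add

# /etc/strongswan.conf -- added example
charon {
        # assumed plugin list: socket-dynamic replaces socket-default, and the
        # dhcp and farp plugins are added to the usual set
        load = aes sha1 sha2 hmac gmp openssl random x509 pem pubkey pkcs1 stroke kernel-netlink socket-dynamic dhcp farp updown

        plugins {
                dhcp {
                        # ask this server instead of broadcasting (assumed address)
                        server = 10.1.0.2
                }
        }
}
```

Two caveats a practitioner will want: the virtual-IP lease only works if the DHCP server is reachable from the gateway's LAN interface, and farp is only useful when the leased addresses actually lie in leftsubnet, otherwise the gateway proxies ARP for addresses nobody routes to it. The gateway key and certificate referenced above can be produced with the PEM output mentioned in the announcement, e.g. `ipsec pki --gen --outform pem > gwKey.pem` followed by `ipsec pki --pub --in gwKey.pem --outform pem > gwPub.pem`; the file names are again assumptions.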