[strongSwan-dev] ANNOUNCE: strongswan-4.5.0dr2 released

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 10 14:23:25 CEST 2010

Hi developers,

here is our latest developer release for the upcoming strongSwan 4.5.0
major version, which is going to offer tons of new features:

- PKCS #11 smartcard support for IKEv2
  The new "pkcs11" plugin brings full smartcard support to the IKEv2
  daemon and the "ipsec pki" utility using one or more PKCS #11
  libraries. It currently supports RSA private and public key
  operations and loads X.509 certificates from tokens.

- General Purpose TLS stack
  We implemented a general purpose TLS stack based on crypto and
  credential primitives of libstrongswan. "libtls" supports TLS
  versions 1.0, 1.1, and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
  exchange algorithms and RSA/ECDSA based client authentication.

- IKEv2 EAP-TLS support
  Based on "libtls", the "eap-tls" plugin brings certificate based EAP
  authentication for client and server. It is compatible with Windows 7
  IKEv2 smartcard authentication and the OpenSSL based FreeRADIUS
  EAP-TLS backend. Example scenarios:



- IKEv2 EAP-TTLS support
  Based on "libtls" and the "eap-tls" plugin, the "eap-ttls" plugin
  brings certificate based EAP-TLS server authentication combined
  with tunneled EAP-MD5 client authentication. Alternative EAP client
  authentication methods can be configured via the strongswan.conf
  option charon.plugins.eap-ttls.phase2_method. A strongSwan EAP-TTLS
  client can interoperate with a FreeRADIUS AAA server.



- Future support of Trusted Network Connect (TNC)
  As a preparation for the full support of Trusted Network Connect (TNC)
  using the EAP-TTLS protected EAP-TNC transport protocol (IF-T), a
  proof-of-concept version of the IF-TNCCS 1.1 broker protocol was
  created that interoperates with a Trust@FHH 0.7.0 enhanced FreeRADIUS
  server. (For info on the TNC@FHH project see


  Example EAP-TNC scenario:


  Full TNC support will become available with the strongSwan 4.6.0
  release sometime next year.

- Pluto supports fixed reqids and xfrm marks
  The pluto IKEv1 daemon now uses the kernel-netlink plugin to
  configure and monitor IPsec policies and security associations in
  the Linux 2.6 kernel. Therefore the fixed reqid and xfrm mark features
  introduced some time ago in the kernel-netlink plugin are now
  available to pluto. Example scenarios:




- IKEv2 CTR, CCM and GCM mode support
  Added new "ctr", "ccm" and "gcm" plugins providing Counter, Counter
  with CBC-MAC and Galois/Counter Modes based on existing CBC
  implementations. These new plugins bring support for AES and Camellia
  Counter and CCM algorithms and the AES GCM algorithms for use in


Please test the new features and give us feedback!

The strongSwan Team:
Tobias Brunner, Martin Willi and Andreas Steffen

