[strongSwan-dev] ANNOUNCE: strongswan-4.5.0dr2 released
Andreas Steffen
andreas.steffen@strongswan.org
Fri Sep 10 14:23:25 CEST 2010
Hi developers,
here is our latest developer release for the major strongSwan 4.5.0
version, which is going to offer tons of new features:
- PKCS #11 smartcard support for IKEv2
------------------------------------
The new "pkcs11" plugin brings full smartcard support to the IKEv2
daemon and the "ipsec pki" utility using one or more PKCS #11
libraries. It currently supports RSA private and public key
operations and loads X.509 certificates from tokens.
- General Purpose TLS stack
-------------------------
We implemented a general purpose TLS stack based on crypto and
credential primitives of libstrongswan. "libtls" supports TLS
versions 1.0, 1.1, and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
exchange algorithms and RSA/ECDSA based client authentication.
- IKEv2 EAP-TLS support
---------------------
Based on "libtls", the "eap-tls" plugin brings certificate based EAP
authentication for client and server. It is compatible with Windows 7
IKEv2 smartcard authentication and the OpenSSL based FreeRADIUS
EAP-TLS backend. Example scenarios:
http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tls-only/
http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tls-radius/
- IKEv2 EAP-TTLS support
----------------------
Based on "libtls" and the "eap-tls" plugin, the "eap-ttls" plugin
brings certificate based EAP-TLS server authentication combined
with tunneled EAP-MD5 client authentication. Alternative EAP client
authentication methods can be configured via the strongswan.conf
option charon.plugins.eap-ttls.phase2_method. A strongSwan EAP-TTLS
client can interoperate with a FreeRADIUS AAA server.
http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-ttls-only/
http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-ttls-radius/
- Future support of Trusted Network Connect (TNC)
-----------------------------------------------
As a preparation for the full support of Trusted Network Connect (TNC)
using the EAP-TTLS protected EAP-TNC transport protocol (IF-T), a
proof-of-concept version of the IF-TNCCS 1.1 broker protocol was
created that interoperates with a Trust@FHH 0.7.0 enhanced FreeRADIUS
server. (For info on the TNC@FHH project see
http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh)
Example EAP-TNC scenario:
http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tnc-radius/
Full TNC support will become available with the strongSwan 4.6.0
release sometime next year.
- Pluto supports fixed reqids and xfrm marks
------------------------------------------
The pluto IKEv1 daemon now uses the kernel-netlink plugin to
configure and monitor IPsec policies and security associations in
the Linux 2.6 kernel. Therefore the fixed reqid and xfrm features
introduced some time ago in the kernel-netlink plugin are now
available to pluto. Example scenarios:
http://www.strongswan.org/uml/testresults45dr/ikev1/nat-two-rw-mark/
http://www.strongswan.org/uml/testresults45dr/ikev1/net2net-same-nets/
http://www.strongswan.org/uml/testresults45dr/ikev1/rw-mark-in-out/
- IKEv2 CTR, CCM and GCM mode support
-----------------------------------
Added new "ctr", "ccm" and "gcm" plugins providing Counter, Counter
with CBC-MAC and Galois/Counter Modes based on existing CBC
implementations. These new plugins bring support for AES and Camellia
Counter and CCM algorithms and the AES GCM algorithms for use in
IKEv2.
http://wiki.strongswan.org/projects/strongswan/wiki/CipherSuiteExamples
Please test the new features and give us feedback!
The strongSwan Team:
Tobias Brunner, Martin Willi and Andreas Steffen
======================================================================
Andreas Steffen andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==