[strongSwan-dev] ANNOUNCE: strongswan-4.5.3rc1 released
Andreas Steffen
andreas.steffen at strongswan.org
Tue Jul 19 10:00:19 CEST 2011
Hello,
the first release candidate of the forthcoming strongSwan 4.5.3
version is now available. The following new features have been
included:
PASS and DROP shunt policies configurable by charon
---------------------------------------------------
The IKEv2 charon daemon supports type=pass and type=drop shunt
policies preventing specific traffic from going through IPsec connections.
Installation of the shunt policies is possible either via the XFRM
netfilter or PFKEYv2 IPsec kernel interfaces as the following two
scenarios show:
http://www.strongswan.org/uml/testresults45rc/ikev2/shunt-policies/
http://www.strongswan.org/uml/testresults45rc/pfkey/shunt-policies/
Tracking of IPsec policy histories
----------------------------------
The history of policies installed in the kernel is now tracked so
that e.g. trap policies are correctly updated when reauthenticated
SAs are terminated.
New IKEv2 closeaction keyword
-----------------------------
The IKEv2 close action does not use the same value as the ipsec.conf
dpdaction setting, but the value defined by its own closeaction
keyword. The action is triggered if the remote peer closes a CHILD_SA
unexpectedly.
strongSwan libraries moved
--------------------------
Heeding the request from several Linux Distributions, our private
libraries (e.g. libstrongswan) are not installed directly in
prefix/lib anymore. Instead a subdirectory is used
(prefix/lib/ipsec/ by default). The plugins directory has also moved
from prefix/libexec/ipsec/ to that directory.
The dynamic IMC/IMV libraries were moved from the plugins directory
to a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
IMC/IMV pairs implementing the RFC 5792 PA-TNC (IF-M) protocol
--------------------------------------------------------------
- IMC/IMV Scanner pair: (--enable-imc-scanner/--enable-imv-scanner)
Using "netstat -l" the Integrity Measurement Collector (IMC) scans
open listening ports on the TNC client and sends a port list to
the Integrity Measurement Verifier (IMV) which, based on a port
policy, decides if the client is admitted to the network.
http://www.strongswan.org/uml/testresults45rc/tnc/tnccs-20/
- IMC/IMV Test pair: (--enable-imc-test/--enable-imv-test)
Can be used to test the RFC 5793 PB-TNC (IF-TNCCS 2.0) protocol.
http://www.strongswan.org/uml/testresults45rc/tnc/tnccs-20-client-retry/
ipsec statusall shows ESN
-------------------------
ipsec statusall now shows whether Extended Sequence Numbers (ESN)
have been negotiated. ESN is supported by the Linux kernel
starting with 2.6.39.
http://www.strongswan.org/uml/testresults45rc/ikev2/net2net-esn/
Please test the release candidate and give us feedback.
ETA for the stable 4.5.3 release is end of July.
Kind regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
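
The IMC/IMV Scanner flow described in the announcement (collector lists listening ports, verifier checks them against a port policy), as an added example that is not part of the original message and not strongSwan's own code. It assumes numeric netstat output as produced with -n; the sample output, the function names and the policy dictionary format are hypothetical.

```python
import re

# Constructed sample of numeric `netstat -l -n` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp        0      0 0.0.0.0:4500            0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /var/run/example.sock
"""


def listening_ports(netstat_text):
    """Collector (IMC) side: sorted (proto, port) pairs with a listening socket."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep inet rows only; this skips headers and UNIX domain sockets.
        if len(fields) < 5 or not re.fullmatch(r"(tcp|udp)6?", fields[0]):
            continue
        # TCP rows must be in LISTEN state; UDP rows have no state column.
        if fields[0].startswith("tcp") and fields[-1] != "LISTEN":
            continue
        # The port follows the last ':' (covers 0.0.0.0:22 and :::80 alike).
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add((fields[0][:3], int(port)))
    return sorted(ports)


def evaluate(port_list, policy):
    """Verifier (IMV) side: return (admit, violations) for a reported port list.

    Hypothetical policy format: policy["default"] is "closed" (only the listed
    ports may be open) or "open" (the listed ports must not be open).
    """
    violations = []
    for proto, port in port_list:
        listed = port in policy.get(proto, set())
        if (policy["default"] == "closed") != listed:
            violations.append((proto, port))
    return (not violations, violations)


if __name__ == "__main__":
    closed_policy = {"default": "closed", "tcp": {22}, "udp": {500, 4500}}
    print(evaluate(listening_ports(SAMPLE_NETSTAT), closed_policy))
```

With the closed-by-default policy the client is refused because TCP ports 80 and 631 are listening but not listed; IPv4 and IPv6 sockets are folded into the same protocol name.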