[strongSwan-dev] ANNOUNCE: strongswan-4.5.3rc1 released

Andreas Steffen andreas.steffen at strongswan.org
Tue Jul 19 10:00:19 CEST 2011


Hello,
the first release candidate of the forthcoming strongSwan 4.5.3
version is now available. The following new features have been
included:

PASS and DROP shunt policies configurable by charon
---------------------------------------------------

  The IKEv2 charon daemon supports type=pass and type=drop shunt
  policies preventing specific traffic to go through IPsec connections.
  Installation of the shunt policies are possible either via the XFRM
  netfilter or PFKEYv2 IPsec kernel interfaces as the following two
  scenarios show:

  http://www.strongswan.org/uml/testresults45rc/ikev2/shunt-policies/

  http://www.strongswan.org/uml/testresults45rc/pfkey/shunt-policies/


Tracking of IPsec policy histories
----------------------------------
  The history of policies installed in the kernel is now tracked so
  that e.g. trap policies are correctly updated when reauthenticated
  SAs are terminated.


New IKEv2 closaction keyword
----------------------------

  The IKEv2 close action does not use the same value as the ipsec.conf
  dpdaction setting, but the value defined by its own closeaction
  keyword. The action is triggered if the remote peer closes a CHILD_SA
  unexpectedly.


strongSwan libraries moved
--------------------------

  Heeding the request from several Linux Distributions, our private
  libraries (e.g. libstrongswan) are not installed directly in
  prefix/lib anymore.  Instead a subdirectory is used
  (prefix/lib/ipsec/ by default). The plugins directory has also moved
  from prefix/libexec/ipsec/ to that directory.

  The dynamic IMC/IMV libraries were moved from the plugins directory
  to a new imcvs directory in the prefix/lib/ipsec/ subdirectory.


IMC/IMV pairs implementing the RFC 5792 PA-TNC (IF-M) protocol
--------------------------------------------------------------

- IMC/IMV Scanner pair: (--enable-imc-scanner/--enable-imv-scanner)

  Using "netstat -l" the Integrity Measurement Collector (IMC) scans
  open listening ports on the  TNC client and sends a port list to
  the Integrity Measurement Verifier (IMV) which, based on a port
  policy decides if the client is admitted to the network.

  http://www.strongswan.org/uml/testresults45rc/tnc/tnccs-20/

- IMC/IMV Test pair: (--enable-imc-test/--enable-imv-test)

  Can be used to test the RFC 5793 PB-TNC (IF-TNCCS 2.0) protocol.

  http://www.strongswan.org/uml/testresults45rc/tnc/tnccs-20-client-retry/


ipsec statusall shows ESN
-------------------------

  ipsec statusall now show whether Extended Sequence Numbers (ESN)
  have been negotiated. ESN is supported by the Linux kernel
  starting with 2.6.39.

  http://www.strongswan.org/uml/testresults45rc/ikev2/net2net-esn/


Please test the release candidate and give us a feedback.
ETA for the stable 4.5.3 release is end of July.

Kind regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Dev mailing list