[strongSwan-dev] ANNOUNCE: strongswan-5.0.2rc1 released

Andreas Steffen andreas.steffen at strongswan.org
Mon Jan 21 07:38:19 CET 2013

Many of you have been waiting for the 5.0.2 release. With our first
release candidate you get a preview of the many new features of our
next stable release expected at the end of this month:

New IKEv1 Features

- Support for the proprietary IKEv1 fragmentation extension has
   been added. Fragments are always handled on receipt but only
   sent if supported by the peer and if enabled with the new
   "fragmentation = yes" ipsec.conf option.

- IKEv1 in charon can now parse certificates received in PKCS#7
   containers and supports NAT traversal as used by Windows XP
   clients. Patches courtesy of Volker Ruemelin.

New IKEv2 Features

- IKEv2 proposals can now use a PRF algorithm different to that
   defined for integrity protection. If an algorithm with a "prf"
   prefix is defined explicitly (such as prfsha1 or prfsha256),
   no implicit PRF algorithm based on the integrity algorithm is
   added to the proposal.

New Trusted Network Connect Features

- Implemented all IETF RFC Standard 5792 PA-TNC attributes
   (Attribute Request, Product Information, Numeric/String Version,
   Operational Status, Port Filter, Installed Packages, Assessment
   Result, Remediation Instructions, Forwarding Enabled and Factory
   Default Password Enabled). A strongSwan OS IMC/IMV pair uses these
   attributes to transfer operating system information from a Linux
   or Android 4 client to a TNC server.

New Statistics Features

- The new "ipsec listcounters" command prints a list of global
   counter values about received and sent IKE messages and rekeyings.

- The new "lookip" plugin performs fast lookup of tunnel information
   using a client's virtual IP and can send notifications about
   established or deleted tunnels. The "ipsec lookip" command can be
   used to query such information or receive notifications.

- The new "error-notify" plugin catches some common error conditions
   and allows an external application to receive notifications for
   them over a UNIX socket.

Performance Testing

- The load-tester plugin gained additional options for certificate
   generation and can load keys and multiple CA certificates from
   external files.

- It can install a dedicated outer IP address for each tunnel and
   tunnel initiation batches can be triggered and monitored externally
   using the "ipsec load-tester" tool.

Software Regression Testing and Simulation

- The integration and regression test environment was updated and
   now uses KVM and reproducible guest images based on the latest
   Debian packages.

Extended Smartcard Features

- The pkcs11 plugin can now load leftcert certificates from a
   smartcard for a specific ipsec.conf conn section and
   CA certificates for a specific ca section.


- PKCS#7 container parsing has been modularized, and the openssl
   plugin gained an alternative implementation to decrypt and verify
   such files. In contrast to our own DER parser, OpenSSL can handle
   BER files, which is required for interoperability of our scepclient
   with EJBCA PKI software.

- The new "rdrand" plugin provides a high quality / high performance
   random source using the Intel rdrand instruction found on Ivy
   Bridge processors.

Enjoy the release candidate and please report back any issues
encountered so that we can fix them before the final release.

Best regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
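
Added example, not part of the original announcement and not strongSwan code: a simplified Python model of the IKEv2 PRF rule described above, useful for checking which PRF an ike= proposal ends up with. The keyword table, the function names and the sample ike= value are assumptions made for illustration.

```python
# Simplified model of the PRF rule from the announcement; not strongSwan source.
# Assumption: this table lists only the common ipsec.conf integrity keywords
# and the PRF keyword each one implies when no "prf*" keyword is given.
IMPLICIT_PRF = {
    "md5": "prfmd5",
    "sha": "prfsha1",
    "sha1": "prfsha1",
    "sha256": "prfsha256",
    "sha384": "prfsha384",
    "sha512": "prfsha512",
    "aesxcbc": "prfaesxcbc",
}


def effective_prfs(proposal):
    """Return the PRF keywords a single ike= proposal ends up with."""
    # A trailing "!" (strict flag) is not an algorithm, so drop it.
    tokens = [t.strip().lower() for t in proposal.strip().rstrip("!").split("-")]
    explicit = [t for t in tokens if t.startswith("prf")]
    if explicit:
        # Explicit PRF present: nothing is derived from the integrity algorithm.
        return explicit
    implied = []
    for token in tokens:
        prf = IMPLICIT_PRF.get(token)
        if prf and prf not in implied:
            implied.append(prf)
    # Empty list in this model: no PRF keyword and no known integrity keyword.
    return implied


def audit_ike_line(value):
    """Map each comma-separated proposal of an ike= value to its PRFs."""
    result = {}
    for raw in value.split(","):
        name = raw.strip().rstrip("!").strip()
        if name:
            result[name] = effective_prfs(name)
    return result


# Constructed sample value for an ipsec.conf "ike=" option.
SAMPLE_IKE = ("aes128-sha1-modp2048, aes128-sha1-prfsha256-modp2048, "
              "aes256-sha256-sha1-modp2048!")

if __name__ == "__main__":
    for proposal, prfs in audit_ike_line(SAMPLE_IKE).items():
        print(f"{proposal:34} -> {', '.join(prfs) or 'no PRF'}")
```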
