[strongSwan-dev] ANNOUNCE: strongswan-5.1.0rc1 released

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 22 09:45:47 CEST 2013


We are proud to present a lot of new features in our latest 5.1.0
release candidate:

* Easy-to-Use "charon-cmd" Command-Line IKE Client

   - The new charon-cmd command line IKE client can establish road
     warrior connections using IKEv1 or IKEv2 with different
     authentication profiles. It does not depend on any configuration
     files (no ipsec.conf nor ipsec.secrets but may use strongswan.conf
     options) and can be configured using a few simple command line
     options. More information is available via the man page

     man charon-cmd

* Support of PKCS#12 Private Key/Certificate Container Format

   - Extraction of certificates and private keys from PKCS#12 files is
     now provided by the new pkcs12 plugin or the openssl plugin.

   - charon-cmd (--p12) as well as charon (via P12 token in
     ipsec.secrets) can make use of this new functionality.

* Support of ssh-agent and other Public Key Formats

   - The sshkey plugin parses SSH public keys, which, together with the
     --agent option for charon-cmd, allows the use of ssh-agent for

   - To configure SSH keys in ipsec.conf the left|rightrsasigkey options
     are replaced with left|rightsigkey, which now take public keys in
     one of three formats:

     * SSH (RFC 4253, ssh: prefix)

     * DNSKEY (RFC 3110, dns: prefix)

     * PKCS#1 (the default, no prefix).


* Trusted Network Connect (TNC) Policy Manager Interface

   - Using a SQL database interface, a TNC Policy Manager can generate
     specific measurement workitems for an arbitrary number of
     Integrity Measurement Verifiers (IMVs), based on the history of the
     individual VPN users and/or client devices.

   - We are currently working on the documentation and some demo examples
     for the new Python/Django-based strongTNC Policy Manager Tool
     implemented by the HSR students Stefan Rohner and Marco Tanner as
     part of their Bachelor Thesis:


* IPsec ESP Userland Encryption with libipsec

   - The new kernel-libipsec plugin uses TUN devices and libipsec to
     provide IPsec processing in userland on Linux, FreeBSD and Mac OS X:

   - At last people get back their cherished ipsec0 interface carrying
     plain text traffic whereas eth0 shows the IKE negotiation and
     encrypted ESP traffic:

   - libipsec now supports AES-GCM, which will be automatically
     accelerated if the openssl plugin detects the Intel AES-NI
     instruction set.

   - Thus libipsec is ideally suited for Suite B compliance on Mac OS X,
     where the kernel does not offer ESP AES-GCM support.

* Improvements for Mac OS X and FreeBSD

   - The kernel-pfroute networking backend has been greatly improved.
     It now can install virtual IPs on TUN devices on OS X and FreeBSD,
     allowing these systems to act as a client in common road warrior

   - The new osx-attr plugin installs configuration attributes
     (currently DNS servers) via SystemConfiguration on Mac OS X.
     The keychain plugin provides certificates from the OS X keychain

* Miscellaneous Improvements

   - IKEv2 can now negotiate transport mode and IPComp in NAT situations.

   - IKEv2 exchange initiators now properly close an established IKE or
     CHILD_SA on error conditions using an additional exchange, keeping
     state in sync between peers.

   - The leak-detective developer tool has been greatly improved. It
     works much faster and more stable with multiple threads, does not
     use deprecated malloc hooks anymore and has been ported to OS X.

   - chunk_hash() is now based on SipHash-2-4 with a random key. This
     provides better distribution and prevents hash flooding attacks
     when used with hashtables.

   - All default plugins implement the get_features() method to define
     features and their dependencies. The plugin loader has been
     improved, so that plugins in a custom load statement can be ordered
     freely or to express preferences without being affected by
     dependencies between plugin features.

   - A centralized thread can take care of watching multiple file
     descriptors concurrently. This removes the need for dedicated
     listener threads in various plugins. The number of "reserved"
     threads for such tasks has been reduced to about five, depending on
     the plugin configuration.

   - Plugins that can be controlled by a UNIX socket IPC mechanism
     gained network transparency. Third party applications querying these
     plugins now can use TCP connections from a different host.

* Unit Tests

   - Several core classes in libstrongswan are now tested with unit
     tests.  These can be enabled with --enable-unit-tests and run with

     make check

   - Coverage reports can be generated with --enable-coverage and

     make coverage

     make coverage disables any optimization, so it should not be
     enabled when building production releases.

Please test our manifold new features and report any issues.
ETA for the stable 5.1.0 release is approximately the end of July.

Best regards

Tobias Brunner, Martin Willi, Andreas Steffen

The strongSwan Team

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
