[strongSwan-dev] ANNOUNCE: strongswan-5.1.1rc1 released

Andreas Steffen andreas.steffen at strongswan.org
Mon Oct 28 12:55:45 CET 2013


Hi,

the release candidate for strongSwan 5.1.1 is available for download.
The following new features have been added:

* Trusted Network Connect (TNC)
   -----------------------------

   - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
     session with a strongSwan policy enforcement point which uses the
     tnc-pdp charon plugin.

   - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
     for either full SWID Tag or concise SWID Tag ID inventories.

* New EAP-RADIUS Features
   -----------------------

   - The XAuth backend in the eap-radius plugin now supports multiple
     XAuth exchanges for different credential types and display messages.
     All user input gets concatenated and verified with a single
     User-Password RADIUS attribute on the AAA. With an AAA supporting
     it, one can, for example, implement Password+Token authentication
     with proper dialogs on iOS and OS X clients.

   - The eap-radius plugin supports forwarding of several Cisco Unity
     specific RADIUS attributes in corresponding configuration payloads.

* IKEv1 Mode Config Push Mode
   ---------------------------

   - charon supports the IKEv1 Mode Config exchange in push mode. The
     ipsec.conf modeconfig=push option enables it for both client
     and server, in the same way pluto did.

* IPsec Authentication Header (AH) Support
   ----------------------------------------

   - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
     connections, charon can negotiate and install Security Associations
     integrity-protected by the Authentication Header protocol.

     http://www.strongswan.org/uml/testresults5rc/ikev1/host2host-ah/

     http://www.strongswan.org/uml/testresults5rc/ikev1/net2net-ah/

     http://www.strongswan.org/uml/testresults5rc/ikev2/host2host-ah

     http://www.strongswan.org/uml/testresults5rc/ikev2/net2net-ah/

     Only plain AH (+IPComp) SAs are supported; the deprecated
     RFC 2401 style ESP+AH bundles are not.

* Multiple Address Ranges in left and right Options
   -------------------------------------------------

   - The left and right options in ipsec.conf can take multiple address
     ranges and subnets. This allows connection matching against a
     larger set of addresses, for example to use a different connection
     for clients connecting from an internal network.
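
     As an added illustration (not strongSwan code, and not its actual
     connection-selection algorithm), the following Python models the
     matching idea described above: a left/right value is parsed as a
     comma-separated list of CIDR subnets, "a-b" address ranges, single
     hosts or %any, and a peer address is matched against it. The
     comma-separated syntax, the first-match ordering and the sample
     connection names are assumptions made for the example.

```python
import ipaddress

# Wildcard marker used for "%any" in the parsed representation (constructed).
ANY = (None, None)


def parse_address_spec(spec):
    """Parse a comma-separated left/right value into (low, high) address pairs.

    Accepted items (assumed syntax for this example): "%any", CIDR subnets
    such as 10.0.0.0/8, ranges such as 192.168.1.100-192.168.1.199, and
    single addresses.
    """
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "%any":
            entries.append(ANY)
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError("invalid address range: %s" % item)
            entries.append((lo, hi))
        elif "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            entries.append((net[0], net[-1]))
        else:
            addr = ipaddress.ip_address(item)
            entries.append((addr, addr))
    return entries


def address_matches(spec, addr):
    """Return True if addr falls into any subnet/range/host listed in spec."""
    addr = ipaddress.ip_address(addr)
    for lo, hi in parse_address_spec(spec):
        if (lo, hi) == ANY:
            return True
        # Never compare IPv4 and IPv6 addresses with each other.
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def select_connection(conns, peer_addr):
    """Pick the first connection whose 'right' value covers the peer address.

    conns is a list of (connection name, right value) pairs; first match wins
    in this simplified model, so list the more specific connections first.
    """
    for name, right in conns:
        if address_matches(right, peer_addr):
            return name
    return None


# Constructed sample: an internal-only connection listed before the catch-all.
SAMPLE_CONNS = [
    ("internal", "10.0.0.0/8,192.168.1.100-192.168.1.199"),
    ("roadwarrior", "%any"),
]

if __name__ == "__main__":
    for peer in ("10.5.6.7", "192.168.1.150", "192.168.1.50", "203.0.113.9"):
        print(peer, "->", select_connection(SAMPLE_CONNS, peer))
```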

* Support for Brainpool Elliptic Curve DH Groups
   ----------------------------------------------

   - For all those who have a queasy feeling about the NIST elliptic
     curve set, the Brainpool curves introduced for use with IKE by
     RFC 6932 might be a more trustworthy alternative.

     http://www.strongswan.org/uml/testresults5rc/openssl-ikev2/alg-ecp-brainpool-high/

     http://www.strongswan.org/uml/testresults5rc/openssl-ikev2/alg-ecp-brainpool-low/

* Correct Generation of IVs for AES-GCM Mode
   ------------------------------------------

   - The generation of initialization vectors for IKE and ESP (when
     using libipsec) is now modularized and IVs for e.g. AES-GCM are
     now correctly allocated sequentially, while other algorithms like
     AES-CBC still use random IVs.
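
     To show why the sequential allocation above matters, here is an
     added Python example (not strongSwan code). It allocates 64-bit
     counter IVs of the kind ESP uses for AES-GCM (8-byte IV plus a
     4-byte salt form the 12-byte nonce, per RFC 4106), computes the
     birthday bound for random IVs of that size, and demonstrates the
     failure mode: a counter-mode keystream reused under the same
     key and nonce leaks the XOR of the two plaintexts. Because the
     standard library has no AES, an HMAC-SHA256 counter keystream
     stands in for the AES-CTR core of GCM; the keys, nonces and
     messages are constructed sample values.

```python
import hashlib
import hmac
import itertools
import math
import struct


class SequentialIvGen:
    """Allocate 64-bit IVs sequentially; each value is used exactly once per key."""

    def __init__(self, start=0):
        self._next = start

    def next_iv(self):
        if self._next >= 2 ** 64:
            # The IV space is exhausted: the SA must be rekeyed, never wrapped.
            raise OverflowError("IV counter exhausted; rekey the SA")
        iv = struct.pack(">Q", self._next)
        self._next += 1
        return iv


def random_iv_collision_probability(n_messages, iv_bits):
    """Birthday approximation 1 - exp(-n^2 / 2^(bits+1)) for random IVs."""
    return 1.0 - math.exp(-(n_messages ** 2) / (2.0 * 2 ** iv_bits))


def keystream(key, nonce, length):
    """Toy CTR keystream: PRF(key, nonce || counter), a stand-in for AES-CTR."""
    out = bytearray()
    for ctr in itertools.count():
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key, nonce, plaintext):
    """Counter-mode encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def leak_from_nonce_reuse(c1, c2):
    """With one key and nonce used twice, c1 XOR c2 equals p1 XOR p2 (no key needed)."""
    return xor_bytes(c1, c2)


def recover_second_plaintext(c1, c2, known_p1):
    """Knowing one plaintext of a nonce-reusing pair reveals the other."""
    return xor_bytes(leak_from_nonce_reuse(c1, c2), known_p1)


# Constructed sample values for the demonstration.
KEY = b"\x11" * 32
SALT = b"\xde\xad\xbe\xef"          # 4-byte salt, fixed per SA as in RFC 4106
P1 = b"rekey at 01:00!!"            # 16 bytes
P2 = b"status: all ok!!"            # 16 bytes


def demo_reuse():
    """Reuse one nonce for two messages and return what leaks (p1 XOR p2)."""
    nonce = SALT + b"\x00" * 8       # same 12-byte nonce for both packets
    return leak_from_nonce_reuse(ctr_encrypt(KEY, nonce, P1), ctr_encrypt(KEY, nonce, P2))


def demo_sequential():
    """Encrypt the same two messages with sequential IVs; nothing about P1, P2 leaks."""
    gen = SequentialIvGen()
    c1 = ctr_encrypt(KEY, SALT + gen.next_iv(), P1)
    c2 = ctr_encrypt(KEY, SALT + gen.next_iv(), P2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print("leak under nonce reuse == p1^p2:", demo_reuse() == xor_bytes(P1, P2))
    print("leak with sequential IVs == p1^p2:", demo_sequential() == xor_bytes(P1, P2))
    print("P(collision), 2^32 packets, random 64-bit IV: %.3f"
          % random_iv_collision_probability(2 ** 32, 64))
```

     The sequential generator makes nonce uniqueness a property of the
     allocator rather than of luck, which is why a counter-based scheme
     is used for GCM while CBC, which only needs unpredictable IVs, can
     keep drawing them at random.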

* New Features supported by libipsec
   ----------------------------------

   - The kernel-libipsec userland IPsec backend now supports usage
     statistics, volume based rekeying and accepts ESPv3 style TFC
     padded packets.

   - With two new strongswan.conf options fwmarks can be used to
     implement host-to-host tunnels with kernel-libipsec.

     http://www.strongswan.org/uml/testresults5rc/libipsec/host2host-cert/

* CERT Resource Records protected by DNSSEC
   -----------------------------------------

   - The new dnscert plugin provides support for authentication via
     CERT RRs that are protected via DNSSEC.  The plugin was created by
     Ruslan N. Marchenko.

     http://www.strongswan.org/uml/testresults5rc/ikev2/net2net-dnscert/

* Miscellaneous
   -------------

   - Database transactions are now abstracted and implemented by the two
     backends. If you use MySQL make sure all tables use the InnoDB
     engine.

   - load-tester supports transport mode connections and more complex
     traffic selectors, including selectors that use a unique port for
     each tunnel.

   - libstrongswan now can provide an experimental custom implementation
     of the printf family functions based on klibc if neither Vstr nor
     glibc style printf hooks are available. This can avoid the Vstr
     dependency on some systems at the cost of slower and less complete
     printf functions.

Please test the release candidate and give feedback if you are
running into any problems. ETA for the stable 5.1.1 release is
November 1, 2013.

Cheers

Andreas Steffen, Tobias Brunner & Martin Willi

The strongSwan Team

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
