[strongSwan] ANNOUNCE: strongswan-4.4.0rc1

Andreas Steffen andreas.steffen at strongswan.org
Sat Apr 24 15:35:04 CEST 2010


We are happy to announce the first release candidate of the
forthcoming strongSwan 4.4 release. This major version offers the
following new features:

* IKEv2 High Availability

   The IKEv2 High Availability plugin has been integrated. It provides
   load sharing and fail-over capabilities in a cluster of currently
   two nodes, based on an extended ClusterIP kernel module. More
   information is available at


   The development of the High Availability functionality was sponsored
   by secunet Security Networks AG.

* Diffie-Hellman Groups 22, 23, 24 with prime order subgroups

   Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp,
   gcrypt and openssl plugins, usable by both pluto and charon. The
   new proposal keywords are

     modp1024s160, modp2048s224, and modp2048s256

   as the following IKEv1 and IKEv2 example scenarios show:



   Thanks to Joy Latten from IBM for her contribution.

* RAM-based virtual IP address pools for pluto

   The pluto daemon inherited the popular RAM-based virtual IP
   address pool functionality from the charon daemon. The directive


   defines a subnet from which addresses are allocated dynamically,
   as the following example scenario shows


* DHCP and ARP Proxy support

   The new dhcp plugin queries virtual IP addresses for clients from
   a DHCP server using broadcasts or a defined server using the

     charon.plugins.dhcp.server =

   strongswan.conf option. Additionally DNS/WINS server information
   is served to clients if the DHCP server provides such information.
   The plugin is used in ipsec.conf configurations with the setting


   A new plugin called farp handles ARP responses for virtual IP
   addresses handed out to clients by the IKEv2 daemon charon.
   The plugin lets a road-warrior act as a client on the local LAN
   if it uses a virtual IP from the responder's subnet, e.g. acquired
   via the dhcp plugin. The following example scenarios show the use
   of the dhcp and farp plugins:





* Arbitrary IKEv2 source and destination ports

   The existing IKEv2 socket implementations have been migrated to the
   socket-default and the socket-raw plugins. The new socket-dynamic
   plugin binds sockets dynamically to ports configured via the


   ipsec.conf connection parameters.

* Android Support

   The android plugin stores received DNS server information as
   "net.dns" system properties, as used by the Android platform.
   Thanks to the new libcharon library the IKEv2 charon daemon
   can now be built monolithically. For more information on the
   Android build see


* Storage of public and private keys in PEM format

   The ipsec pki --gen and --pub commands now allow the output of
   private and public keys in PEM format using the --outform pem
   command line option.

Please give the new features a try and report any problems quickly.
ETA for the stable strongSwan 4.4.0 release is the beginning of May.

Best regards from the strongSwan team

Andreas Steffen, Tobias Brunner & Martin Willi

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
