[strongSwan] ANNOUNCE: strongswan-4.5.0rc2 released

Andreas Steffen andreas.steffen at strongswan.org
Sun Oct 17 16:29:21 CEST 2010


As usual we are publishing a release candidate two weeks before the
final version of the major strongSwan 4.5 release. A lot of new features
made it into the new release:

- IKEv2 becomes the default key exchange mode

  In 2010 we commemorate the five year anniversary of the original
  IKEv2 RFC 4306. It has actually been replaced in September by its
  mature successor RFC 5996, which specifies the protocol in much
  more detail. Therefore, starting with strongSwan 4.5, the default
  keyexchange=ike option will be equivalent to keyexchange=ikev2.
  If you still want to use the old IKEv1 protocol then you must
  explicitly define keyexchange=ikev1. But we think that the time has
  definitely come for IKEv1 to go into retirement and to cede its
  place to the much more robust, powerful and versatile IKEv2 protocol!

- IKEv2 AEAD ciphersuites supported by new ctr, ccm and gcm plugins

  The new plugins provide Counter Mode (CTR), Counter Mode with CBC-MAC
  (CCM) and Galois/Counter Mode (GCM) based on existing CBC
  encryption implementations. CTR and CCM can be used with either
  AES or Camellia, and GCM with AES. An overview of all supported
  algorithms can be found on our wiki:


- IKEv2 smartcard support

  The new pkcs11 plugin brings full Smartcard support to the IKEv2
  daemon and the "ipsec pki" utility using one or more PKCS#11
  libraries. It currently supports RSA private and public key
  operations and loads X.509 certificates from tokens.

- EAP-TLS support

  Implemented a general-purpose TLS stack based on the crypto and
  credential primitives of libstrongswan. libtls supports TLS versions
  1.0, 1.1 and 1.2, the ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange
  algorithms, and RSA/ECDSA based client authentication.

  Based on libtls, the eap-tls plugin brings certificate-based EAP
  authentication for client and server. It is compatible with Windows 7
  IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
  EAP-TLS backend.

  Example with FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:
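  As an added example (constructed for this page, not a configuration
  from the announcement or the strongSwan project), an ipsec.conf
  fragment that makes the 4.5 behaviour described above explicit: IKEv2
  with AEAD proposals from the new gcm plugin, an EAP-TLS-only
  road-warrior conn on the gateway, and a legacy conn that now has to
  opt in to IKEv1. Certificate file names, identities and subnets are
  placeholders, and the proposal keyword spelling is assumed from the
  ike=/esp= syntax of the 4.x ipsec.conf format.

```conf
# ipsec.conf (constructed example; file names, IDs and subnets are placeholders)

conn %default
        # 4.5 makes ikev2 the default for keyexchange=ike; stating it
        # explicitly keeps the intent visible when the file is audited
        keyexchange=ikev2
        # AEAD suites from the new gcm plugin; with an AEAD cipher the
        # hash keyword selects the PRF (assumed 4.5 proposal syntax).
        # The trailing "!" makes the proposal strict, so a peer cannot
        # negotiate a weaker suite
        ike=aes128gcm16-sha256-modp2048!
        esp=aes128gcm16!

# Gateway side: clients are authenticated by EAP-TLS only (libtls/eap-tls),
# the gateway itself by its X.509 certificate
conn rw-eap-tls
        left=%any
        leftcert=gatewayCert.pem
        leftid=@gateway.example.org
        leftauth=pubkey
        leftsubnet=10.1.0.0/16
        right=%any
        rightauth=eap-tls
        # client certificate travels inside the EAP-TLS tunnel, not as an
        # IKE CERT payload
        rightsendcert=never
        rightsourceip=10.3.0.0/24
        auto=add

# Legacy clients: IKEv1 is no longer implied by keyexchange=ike and
# must be requested explicitly per conn
conn rw-ikev1-legacy
        keyexchange=ikev1
        left=%any
        leftcert=gatewayCert.pem
        leftid=@gateway.example.org
        right=%any
        rightsourceip=10.4.0.0/24
        auto=add
```

  Running "ipsec statusall" after "ipsec update" shows which key
  exchange version and proposal each conn actually loaded, which is the
  quickest check that no conn silently switched from IKEv1 to IKEv2
  during the upgrade.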

- EAP-TTLS support

  EAP-TTLS uses strong EAP-TLS authentication for the server and
  potentially weak password-based client authentication (EAP-MD5, etc.)
  over a secure TLS tunnel:

  Example with FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:

- Trusted Network Connect support

  Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
  libtnc library on the strongSwan client and server side via the
  tnccs_11 plugin, optionally connecting to a TNC@FHH-enhanced
  FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
  strongSwan clients are granted access to a network behind a
  strongSwan gateway (allow), are put into a remediation zone (isolate)
  or are blocked (none), respectively.

  Example with TNC@FHH-enhanced FreeRADIUS AAA server:

  Example with a strongSwan gateway doing EAP-TLS only authentication:

  Group membership attributes are used to assign clients either to the
  'rw-allow' or 'rw-isolate' subnets, respectively. As an alternative,
  non-complying clients can be blocked from access:

  Example with TNC@FHH-enhanced FreeRADIUS AAA server:


  Example with a strongSwan gateway doing EAP-TLS only authentication:

  Any number of Integrity Measurement Collector/Verifier pairs can be
  attached via the tnc-imc and tnc-imv charon plugins.

- Multiple RADIUS servers

  The RADIUS plugin eap-radius now supports multiple RADIUS servers for
  redundant setups. Servers are selected by a defined priority, server
  load and availability.


- LED plugin

  If you plan to throw a party, you can now dance to the beat of your
  IKEv2 packets. The simple led plugin controls hardware LEDs through
  the Linux LED subsystem. It currently shows activity of the IKE
  daemon and is a good example of how to implement a simple event listener.

- XAUTH with ModeConfig bug fix

  Fixed a bug that did not release a virtual IP address back to its pool
  if the XAUTH identity was different from the IKE identity.

- Pluto uses kernel-netlink plugin

  Pluto now uses the kernel-netlink plugin to configure and monitor
  IPsec policies and security associations in the Linux 2.6 kernel.

- Created man page for strongswan.conf

  The increasing number of strongswan.conf options, which up to now were
  only listed on our wiki:

  are now also documented in the strongswan.conf man page.

Enjoy the new release and please report back any problems or questions
that you might encounter.

Best regards

Andreas Steffen, Tobias Brunner, Martin Willi

The strongSwan Team

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
