[strongSwan] ANNOUNCE: strongswan-4.5.0rc2 released
Andreas Steffen
andreas.steffen at strongswan.org
Sun Oct 17 16:29:21 CEST 2010
Hi,
as usual we are publishing a release candidate two weeks before the
final version of the major strongSwan 4.5 release. A lot of new features
made it into the new release:
- IKEv2 becomes the default key exchange mode
-------------------------------------------
In 2010 we commemorate the five year anniversary of the orignal
IKEv2 RFC 4306. Actually it has been replaced in September by its
mature successor RFC 5996 which specifies the protocol in much
more detail. Therefore starting with strongSwan 4.5 the default
keyexchange=ike option will be equivalent to keyexchange=ikev2.
If you still want to use the old IKEv1 protocol then you must
explicitly define keyexchange=ikev1. But we think that the time has
definitively come for IKEv1 to go into retirement and to cede its
place to the much more robust, powerful and versatile IKEv2 protocol!
- IKEv2 AEAD ciphersuites supported by new ctr, ccm and gcm plugins
-----------------------------------------------------------------
The new plugins provide Counter Mode (CTR), Counter Mode with CBC-MAC
(CCM) and Galois/Counter Mode (GCM) based on existing CBC
encryption implementations. CTR and CCM can be used with either
AES or Camellia and GCM with AES. On overview of all supported
algorithms can be found on our wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/CipherSuiteExamples
- IKEv2 smartcard support
-----------------------
The new pkcs11 plugin brings full Smartcard support to the IKEv2
daemon and the "ipsec pki" utility using one or more PKCS#11
libraries. It currently supports RSA private and public key
operations and loads X.509 certificates from tokens.
- EAP-TLS support
---------------
Implemented a general purpose TLS stack based on crypto and credential
primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1
and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and
RSA/ECDSA based client authentication.
Based on libtls, the eap-tls plugin brings certificate-based EAP
authentication for client and server. It is compatible to Windows 7
IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
EAP-TLS backend.
Example with FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tls-radius/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tls-only/
- EAP-TTLS support
----------------
EAP-TTLS uses strong EAP-TLS authentication for the server and
potentially weak password-based client authentication (EAP-MD5, etc.)
over a secure TLS tunnel:
Example with FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-ttls-radius/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-ttls-only/
- Trusted Network Connect support
-------------------------------
Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
libtnc library on the strongSwan client and server side via the
tnccs_11 plugin and optionally connecting to a TNC at FHH-enhanced
FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
strongSwan clients are granted access to a network behind a
strongSwan gateway (allow), are put into a remediation zone (isolate)
or are blocked (none), respectively.
Example with TNC at FHH-enhanced FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc-radius/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc/
Group membership attributes are used to assign clients either to the
'rw-allow' or 'rw-isolate' subnets, respectively. As an alternative
non-complying clients can be blocked from access:
Example with TNC at FHH-enhanced FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc-radius-block/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc-block/
Any number of Integrity Measurement Collector/Verifier pairs can be
attached via the tnc-imc and tnc-imv charon plugins.
- Multiple RADIUS servers
-----------------------
The RADIUS plugin eap-radius now supports multiple RADIUS servers for
redundant setups. Servers are selected by a defined priority, server
load and availability.
http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
- LED plugin
----------
If you plan to throw a party, you can now dance to the beat of your
IKEv2 packets. The simple led plugin controls hardware LEDs through
the Linux LED subsystem. It currently shows activity of the IKE
daemon and is a good example how to implement a simple event listener.
- XAUTH with ModeConfig bug fix
-----------------------------
Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
identity was different from the IKE identity.
- Pluto uses kernel-netlink plugin
--------------------------------
The pluto now uses the kernel-netlink plugin to configure and monitor
IPsec policies and security associations in the Linux 2.6 kernel
- Created man page for strongswan.conf
-----------------------------------
The increasing number of strongswan.conf options which up to now were
only listed on our wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
are now also documented by man strongswan.conf
Enjoy the new release and please report back any problems or questions
that you might encounter.
Best regards
Andreas Steffen, Tobias Brunner, Martin Willi
The strongSwan Team
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list