[strongSwan] ANNOUNCE: strongswan-4.5.0 released
Andreas Steffen
andreas.steffen at strongswan.org
Sun Oct 31 14:22:03 CET 2010
Hi,
we are proud to announce the major strongSwan 4.5 release.
As you will see, a lot of new features made it into the new version:
- IMPORTANT: IKEv2 becomes the default key exchange mode !!!
----------------------------------------------------------
In 2010 we commemorate the five year anniversary of the original
IKEv2 RFC 4306. Actually the RFC was replaced in September by
its mature successor RFC 5996 which specifies the protocol in much
more detail. We started the development of the strongSwan IKEv2
daemon in October 2005 and gave the VPN community five years to
migrate to the new version. With strongSwan 4.5 the default
keyexchange=ike option will now be equivalent to keyexchange=ikev2.
If you still want to use the old IKEv1 protocol then you must
explicitly define keyexchange=ikev1. We think that the time has
definitively come for IKEv1 to go into retirement and to cede its
place to the much more robust, powerful and versatile IKEv2 protocol!
IKEv2 solutions are also available from CheckPoint, Cisco, Juniper,
Microsoft, SonicWall and others, with the possibility to
interoperate with strongSwan.
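As an added illustration of the migration check this change calls for (not part of the announcement or of the strongSwan code base): a small Python script that parses a constructed ipsec.conf and lists the conns whose effective IKE version silently flips from IKEv1 to IKEv2 because they relied on the old keyexchange=ike default. It assumes the plain conn/%default layout shown and does not handle also= includes.

```python
# Constructed sample ipsec.conf (not a real site config) with conns in the three
# states that matter after the 4.5 default change.
SAMPLE_IPSEC_CONF = """\
conn %default
    ikelifetime=60m

conn legacy-branch
    # peer is an IKEv1-only appliance, but relies on the pre-4.5 default
    left=%defaultroute
    right=192.0.2.10

conn roadwarrior
    keyexchange=ikev2
    right=%any

conn old-explicit
    keyexchange=ikev1
    right=192.0.2.11
"""

def parse_conns(text):
    """Parse ipsec.conf conn sections into {name: {key: value}}. Settings from
    'conn %default' are inherited by every conn that does not override them."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header, e.g. "conn name"
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def effective_keyexchange(opts):
    """IKE version strongSwan 4.5 will actually use: unset or 'ike' now means IKEv2."""
    value = opts.get("keyexchange", "ike")
    return "ikev2" if value == "ike" else value

def conns_changing_behaviour(text):
    """Conns that relied on the old default and would silently switch to IKEv2."""
    return sorted(name for name, opts in parse_conns(text).items()
                  if opts.get("keyexchange", "ike") == "ike")
```

Run it against a real ipsec.conf before upgrading; every conn it lists that talks to an IKEv1-only peer needs an explicit keyexchange=ikev1.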
- IKEv2 AEAD ciphersuites supported by new ctr, ccm and gcm plugins
-----------------------------------------------------------------
The new plugins provide Counter Mode (CTR), Counter Mode with CBC-MAC
(CCM) and Galois/Counter Mode (GCM) based on existing CBC encryption
implementations. CTR and CCM can be used with either AES or Camellia
and GCM with AES. An overview of all supported algorithms can be
found on our wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/CipherSuiteExamples
- IKEv2 smartcard support
-----------------------
The new pkcs11 plugin brings full smartcard support to the IKEv2
daemon and the "ipsec pki" utility using one or more PKCS#11
libraries. It currently supports RSA private and public key
operations and loads X.509 certificates from tokens.
- EAP-TLS support
---------------
Implemented a general purpose TLS stack based on crypto and credential
primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1
and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and
RSA/ECDSA based client authentication.
Based on libtls, the eap-tls plugin brings certificate-based EAP
authentication for client and server. It is compatible with Windows 7
IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
EAP-TLS backend.
Example with FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-radius/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-only/
- EAP-TTLS support
----------------
EAP-TTLS uses strong EAP-TLS authentication for the server and
potentially weak password-based client authentication (EAP-MD5, etc.)
over a secure TLS tunnel:
Example with FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-ttls-radius/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-ttls-only/
- Trusted Network Connect support
-------------------------------
Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
libtnc library on the strongSwan client and server side via the
tnccs_11 plugin and optionally connecting to a TNC at FHH-enhanced
FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
strongSwan clients are granted access to a network behind a
strongSwan gateway (allow), are put into a remediation zone (isolate)
or are blocked (none), respectively.
Example with TNC at FHH-enhanced FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc/
Group membership attributes are used to assign clients either to the
'rw-allow' or 'rw-isolate' subnets, respectively. As an alternative
non-complying clients can be blocked from access:
Example with TNC at FHH-enhanced FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius-block/
Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-block/
Any number of Integrity Measurement Collector/Verifier pairs can be
attached via the tnc-imc and tnc-imv charon plugins.
- Multiple RADIUS servers
-----------------------
The RADIUS plugin eap-radius now supports multiple RADIUS servers for
redundant setups. Servers are selected by a defined priority, server
load and availability.
http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
- strongSwan VPN applets for Maemo 5
----------------------------------
Applets for Maemo 5 (Nokia) make it easy to configure and control
IKEv2 based VPN connections with EAP authentication on supported
devices.
- LED plugin
----------
If you plan to throw a party, you can now dance to the beat of your
IKEv2 packets. The simple led plugin controls hardware LEDs through
the Linux LED subsystem. It currently shows activity of the IKE
daemon and is a good example of how to implement a simple event listener.
- Pluto uses kernel-netlink plugin
--------------------------------
pluto now uses the kernel-netlink plugin to configure and monitor
IPsec policies and security associations in the Linux 2.6 kernel.
This allows, for example, the use of XFRM marks and pre-defined reqids
with IKEv1 connections.
- Created man page for strongswan.conf
-----------------------------------
The increasing number of strongswan.conf options, which up to now were
only listed on our wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
are now also documented in the strongswan.conf man page.
Enjoy the new release!
Andreas Steffen, Tobias Brunner, Martin Willi
The strongSwan Team
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==