[strongSwan] ANNOUNCE: strongswan-5.0.3rc1 released

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 26 21:39:00 CET 2013


We are proud to announce the release candidate of strongSwan 5.0.3.
Again, a lot of new features have made it into our forthcoming release:

- Public Keys protected by DNSSEC stored in the Domain Name System

  The new ipseckey plugin enables authentication based on trustworthy
  public keys stored as IPSECKEY resource records in the DNS and
  protected by DNSSEC. To do so, it uses a DNSSEC-enabled resolver,
  like the one provided by the unbound plugin, which is based on
  libldns and libunbound. Both plugins were created by Reto Guadagnini.
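  As an added illustration of what the ipseckey plugin has to consume (this is example code written for this page, not strongSwan's own implementation), the following parses the wire format of an IPSECKEY record as defined in RFC 4025 (precedence, gateway type, algorithm, gateway, public key) and decodes an RFC 3110 RSA key. The sample records, the dummy 16-byte modulus and the `dnssec_validated` flag are constructed for the example; the point of the last function is that a key is only usable for authentication when the resolver reports the answer as DNSSEC-validated.

```python
import ipaddress
import struct

# Gateway type and algorithm values from RFC 4025 (IPSECKEY RDATA).
GATEWAY_NONE, GATEWAY_IPV4, GATEWAY_IPV6, GATEWAY_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2


def read_name(data, offset):
    """Decode an uncompressed wire-format domain name (RDATA names must not use compression)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("label longer than 63 bytes or compression pointer in RDATA name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_rsa_public_key(blob):
    """RFC 3110 encoding: exponent length (1 byte, or 0 followed by a 2-byte length),
    the exponent, then the modulus in all remaining bytes."""
    if not blob:
        raise ValueError("empty public key field")
    exp_len, pos = blob[0], 1
    if exp_len == 0:
        (exp_len,) = struct.unpack("!H", blob[1:3])
        pos = 3
    exponent = int.from_bytes(blob[pos:pos + exp_len], "big")
    modulus = int.from_bytes(blob[pos + exp_len:], "big")
    if exponent == 0 or modulus == 0:
        raise ValueError("truncated RSA key")
    return exponent, modulus


def parse_ipseckey(rdata):
    """Parse one IPSECKEY RDATA blob into its fields."""
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA shorter than the fixed header")
    precedence, gw_type, algorithm = rdata[0], rdata[1], rdata[2]
    pos = 3
    if gw_type == GATEWAY_NONE:
        gateway = None                      # assumption: no gateway bytes present for type 0
    elif gw_type == GATEWAY_IPV4:
        gateway, pos = str(ipaddress.IPv4Address(rdata[pos:pos + 4])), pos + 4
    elif gw_type == GATEWAY_IPV6:
        gateway, pos = str(ipaddress.IPv6Address(rdata[pos:pos + 16])), pos + 16
    elif gw_type == GATEWAY_NAME:
        gateway, pos = read_name(rdata, pos)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    key_bytes = rdata[pos:]
    if algorithm == ALG_RSA:
        public_key = parse_rsa_public_key(key_bytes)
    elif algorithm == ALG_NONE:
        public_key = None
    else:
        public_key = key_bytes              # DSA (RFC 2536) left as raw bytes here
    return {"precedence": precedence, "gateway_type": gw_type, "algorithm": algorithm,
            "gateway": gateway, "public_key": public_key}


def trusted_keys(rdatas, dnssec_validated):
    """Return usable RSA keys ordered by precedence (lower is preferred, RFC 4025 2.2).
    Without DNSSEC validation (the AD bit from a validating resolver such as unbound)
    the answer could have been spoofed, so nothing is returned."""
    if not dnssec_validated:
        return []
    parsed = [parse_ipseckey(r) for r in rdatas]
    return sorted((p for p in parsed if p["algorithm"] == ALG_RSA),
                  key=lambda p: p["precedence"])


# Constructed sample records (the modulus is a placeholder, not a real key).
_RSA_E = b"\x03\x01\x00\x01"                               # exponent length 3, e = 65537
_RSA_N = bytes.fromhex("c1f3a9b27e5d4c8a0b1e2f3d4c5b6a79")  # 16-byte dummy modulus
SAMPLE_IPV4 = (bytes([10, GATEWAY_IPV4, ALG_RSA])
               + ipaddress.IPv4Address("10.0.0.1").packed + _RSA_E + _RSA_N)
SAMPLE_NAME = (bytes([20, GATEWAY_NAME, ALG_RSA])
               + b"\x03vpn\x07example\x03com\x00" + _RSA_E + _RSA_N)

if __name__ == "__main__":
    for key in trusted_keys([SAMPLE_NAME, SAMPLE_IPV4], dnssec_validated=True):
        print(key["precedence"], key["gateway"], hex(key["public_key"][0]))
    print("without DNSSEC:", trusted_keys([SAMPLE_IPV4], dnssec_validated=False))
```

  A real deployment would obtain the RDATA and the validation status from the resolver library (libunbound reports whether an answer is secure); the parser above only shows the record layout and the ordering rule.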


- Assignment of Virtual IPs by RADIUS Server

  The eap-radius plugin can now assign virtual IPs to IKE clients using
  the Framed-IP-Address attribute by using the "%radius" named pool
  in the rightsourceip ipsec.conf option.


- Improved RADIUS Account Records

  charon now sends Interim Accounting updates if requested by the
  RADIUS server, reports sent/received packets in Accounting messages,
  and adds a Terminate-Cause to Accounting-Stops.


  Fri Mar 22 22:48:55 2013
	Acct-Status-Type = Stop
	Acct-Session-Id = "1363992527-1"
	NAS-Port-Type = Virtual
	Service-Type = Framed-User
	NAS-Port = 1
	NAS-Port-Id = "rw-eap"
	NAS-IP-Address =
	Called-Station-Id = "[4500]"
	Calling-Station-Id = "[4500]"
	User-Name = "carol"
	Framed-IP-Address =
	Framed-IPv6-Prefix = fec3::1/128
	Acct-Output-Octets = 7100
	Acct-Output-Packets = 5
	Acct-Input-Octets = 7100
	Acct-Input-Packets = 5
	Acct-Session-Time = 6
	Acct-Terminate-Cause = User-Request
	NAS-Identifier = "strongSwan"
	Acct-Unique-Session-Id = "b4a2d1ea2b30f92c"
	Timestamp = 1363992535

- Improved IKE Statistics

  The "ipsec listcounters" command can report connection specific
  counters by passing a connection name, and global or connection
  counters can be reset by the "ipsec resetcounters" command.

  ipsec listcounters hsr-v4

  List of IKE counters for 'hsr-v4':

  ikeInitRekey                  0
  ikeRspRekey                   0
  ikeChildSaRekey               0
  ikeInInvalid                  0
  ikeInInvalidSpi               0
  ikeInInitReq                  0
  ikeInInitRsp                  2
  ikeOutInitReq                 2
  ikeOutInitRsp                 0
  ikeInAuthReq                  0
  ikeInAuthRsp                  2
  ikeOutAuthReq                 2
  ikeOutAuthRsp                 0
  ikeInCrChildReq               0
  ikeInCrChildRsp               0
  ikeOutCrChildReq              0
  ikeOutCrChildRsp              0
  ikeInInfoReq                  1
  ikeInInfoRsp                  1
  ikeOutInfoReq                 1
  ikeOutInfoRsp                 1
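  The counters above are most useful as a time series. The following added example (written for this page, not part of strongSwan) parses the "ipsec listcounters" output into a dictionary, computes the increase between two snapshots and flags two things a defender would watch: growth in ikeInInvalid/ikeInInvalidSpi (malformed or unknown-SPI traffic hitting this peer) and IKE_SA_INIT requests that never got a response. The first snapshot is the sample output above; the second snapshot and the alert thresholds are constructed.

```python
import re

# Sample output copied from the announcement above.
SAMPLE_OUTPUT = """\
List of IKE counters for 'hsr-v4':

ikeInitRekey                  0
ikeRspRekey                   0
ikeChildSaRekey               0
ikeInInvalid                  0
ikeInInvalidSpi               0
ikeInInitReq                  0
ikeInInitRsp                  2
ikeOutInitReq                 2
ikeOutInitRsp                 0
ikeInAuthReq                  0
ikeInAuthRsp                  2
ikeOutAuthReq                 2
ikeOutAuthRsp                 0
ikeInCrChildReq               0
ikeInCrChildRsp               0
ikeOutCrChildReq              0
ikeOutCrChildRsp              0
ikeInInfoReq                  1
ikeInInfoRsp                  1
ikeOutInfoReq                 1
ikeOutInfoRsp                 1
"""

HEADER_RE = re.compile(r"List of IKE counters for '([^']+)':")
COUNTER_RE = re.compile(r"^\s*(ike[A-Za-z]+)\s+(\d+)\s*$")


def parse_counters(text):
    """Return (connection name or None for global counters, {counter: value})."""
    name, counters = None, {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            name = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return name, counters


def delta(previous, current):
    """Per-counter increase between two snapshots (counters only grow until resetcounters)."""
    return {k: current[k] - previous.get(k, 0) for k in current}


def findings(deltas, invalid_max=0, unanswered_max=5):
    """Human-readable alerts derived from one interval's deltas (thresholds are assumptions)."""
    out = []
    for key in ("ikeInInvalid", "ikeInInvalidSpi"):
        if deltas.get(key, 0) > invalid_max:
            out.append(f"{key} grew by {deltas[key]}: malformed or unknown-SPI IKE traffic reaching this peer")
    unanswered = deltas.get("ikeOutInitReq", 0) - deltas.get("ikeInInitRsp", 0)
    if unanswered > unanswered_max:
        out.append(f"{unanswered} outgoing IKE_SA_INIT requests got no response: peer unreachable or filtered")
    return out


def demo():
    name, first = parse_counters(SAMPLE_OUTPUT)
    # Constructed second snapshot: same connection a few minutes later.
    second = dict(first)
    second["ikeInInvalidSpi"] = 25
    second["ikeOutInitReq"] = 12
    return name, findings(delta(first, second))


if __name__ == "__main__":
    conn, alerts = demo()
    for alert in alerts:
        print(f"[{conn}] {alert}")
```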

- Trusted Key Manager (TKM)

  The new charon-tkm IKEv2 daemon delegates security-critical
  operations to a separate process. This has the benefit that the
  network-facing daemon has no knowledge of the keying material used to
  protect child SAs. Thus, subverting charon-tkm does not result in
  the compromise of cryptographic keys. The extracted functionality
  has been implemented from scratch in a minimal TCB (trusted computing
  base) in the Ada programming language. Further information can be
  found at http://www.codelabs.ch/tkm/ and in the following research


- New xauth-noauth Plugin

  The new xauth-noauth plugin allows the use of basic RSA or PSK
  authentication with clients that cannot be configured without
  IKEv1 XAuth authentication. The plugin simply concludes the XAuth
  exchange successfully without actually performing any
  authentication. To use this backend it has to be selected explicitly
  with rightauth2=xauth-noauth.

- New systime-fix Plugin

  The charon systime-fix plugin can disable certificate lifetime checks
  on embedded systems if the system time is obviously out of sync after
  boot-up. Certificate lifetimes get checked once the system time gets
  sane, closing or reauthenticating connections using expired

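  To make the behaviour described above concrete, here is an added model of the decision logic (example code for this page, not the plugin's source): a threshold date below which the clock is considered obviously wrong, a lifetime check that is skipped while the clock is in that state, and the per-connection action taken once the clock becomes sane. The threshold value, the clock values and the two connections with their certificate lifetimes are constructed; the choice between reauthenticating and closing is modelled as a boolean, which is an assumption about how such a plugin would be configured.

```python
from datetime import datetime, timezone

UTC = timezone.utc


class SystimeFixPolicy:
    """Model of deferred certificate lifetime checking on a box without a trustworthy clock."""

    def __init__(self, threshold, reauth=True):
        self.threshold = threshold   # any system time before this is 'obviously out of sync'
        self.reauth = reauth         # assumption: reauthenticate (True) or close (False) on expiry

    def time_is_sane(self, now):
        return now >= self.threshold

    def check_lifetime(self, not_before, not_after, now):
        """Lifetime verdict for one certificate, or 'skipped' while the clock is untrusted."""
        if not self.time_is_sane(now):
            return "skipped"
        if now < not_before:
            return "not-yet-valid"
        if now > not_after:
            return "expired"
        return "valid"

    def actions_when_time_becomes_sane(self, connections, now):
        """connections: name -> (not_before, not_after) of the certificate the peer used.
        Returns the action per connection once lifetime checks are re-enabled."""
        actions = {}
        for name, (not_before, not_after) in connections.items():
            if self.check_lifetime(not_before, not_after, now) == "valid":
                actions[name] = "keep"
            else:
                actions[name] = "reauthenticate" if self.reauth else "close"
        return actions


# Constructed scenario: a board boots with its clock at the Unix epoch, later NTP fixes it.
THRESHOLD = datetime(2013, 1, 1, tzinfo=UTC)
CLOCK_AFTER_BOOT = datetime(1970, 1, 1, 0, 0, 30, tzinfo=UTC)
CLOCK_AFTER_NTP = datetime(2013, 3, 26, 21, 39, tzinfo=UTC)
CONNECTIONS = {
    "branch-a": (datetime(2012, 6, 1, tzinfo=UTC), datetime(2014, 6, 1, tzinfo=UTC)),   # still valid
    "branch-b": (datetime(2011, 6, 1, tzinfo=UTC), datetime(2012, 12, 31, tzinfo=UTC)), # expired
}

if __name__ == "__main__":
    policy = SystimeFixPolicy(THRESHOLD)
    for name, (nb, na) in CONNECTIONS.items():
        print(name, "at boot:", policy.check_lifetime(nb, na, CLOCK_AFTER_BOOT))
    print(policy.actions_when_time_becomes_sane(CONNECTIONS, CLOCK_AFTER_NTP))
```

  The security trade-off is visible in the model: while the clock is untrusted, an expired or revoked-by-expiry certificate is accepted, so the threshold must be set so that a correct clock can never fall below it, and the re-check must actually run once time is corrected.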
- Hardware Acceleration of IKEv2 AES-GCM

  The openssl plugin now uses the AES-NI accelerated version of
  AES-GCM if the processor hardware supports it.

- Support of the RFC 6876 PT-TLS Protocol (TCG TNC IF-T for TLS 2.0)

  The strongSwan libpttls library provides an experimental
  implementation of PT-TLS (RFC 6876), a Posture Transport Protocol
  over TLS.

- TNC IF-IMV 1.4 Draft Version Support

  Implemented the TCG TNC IF-IMV 1.4 draft, making access requestor
  identities available to an IMV. The OS IMV stores the AR identity
  together with the device ID in the attest database.


  Mar 22 19:49:10 moon charon:

  14[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
  14[IMV]   over IF-T for Tunneled EAP 1.1 with maximum PA-TNC message size of 65490 bytes
  14[IMV]   user AR identity 'carol@strongswan.org' authenticated by

  Database query:

   ipsec attest --devices

   5: cf5e4cbcc6e6a2db
      Mar 12 21:41:04 2013,   22,   0,   0, 4, 'Android 4.1.1' john

- New ikedscp Configuration Option

  The "ikedscp" ipsec.conf option can set DiffServ code points as
  defined by RFC 2474 on outgoing IKE packets.

      ikedscp = 000000 | <DSCP field>
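  As an added example (not strongSwan code), the following validates an ikedscp value in the six-digit binary notation above, converts it to the TOS / traffic-class octet the kernel expects (the DSCP occupies the upper six bits, RFC 2474), and applies it to a UDP socket through the standard IP_TOS socket option. The well-known code point table is taken from RFC 2474, RFC 2597 and RFC 3246; the socket demonstration in `main` is illustrative and not how charon configures its own sockets.

```python
import socket

# A few well-known code points in the six-bit notation ikedscp uses.
WELL_KNOWN = {"CS0": "000000", "AF41": "100010", "EF": "101110", "CS6": "110000"}


def dscp_from_ikedscp(value):
    """Parse the ikedscp option value (exactly six binary digits) into an integer 0..63."""
    value = value.strip()
    if len(value) != 6 or set(value) - {"0", "1"}:
        raise ValueError(f"ikedscp expects six binary digits, got {value!r}")
    return int(value, 2)


def tos_byte(dscp):
    """DSCP sits in the upper six bits of the TOS octet; the low two ECN bits stay clear."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP must fit in six bits")
    return dscp << 2


def mark_socket(sock, dscp):
    """Set the code point on an IPv4 socket and return the value the kernel reports back."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(dscp))
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


if __name__ == "__main__":
    ef = dscp_from_ikedscp(WELL_KNOWN["EF"])
    print("EF -> DSCP", ef, "TOS byte", hex(tos_byte(ef)))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        print("kernel reports TOS", hex(mark_socket(s, ef)))
```

  For IPv6 the equivalent option is IPV6_TCLASS; the octet value is the same.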

Please test our release candidate and report any problems. The ETA for
the stable 5.0.3 release is the end of March 2013.

Kind regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
