[strongSwan] ANNOUNCE: strongswan-5.0.3rc1 released
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 26 21:39:00 CET 2013
Hi,
we are proud to announce the release candidate of strongSwan 5.0.3.
Again a lot of new features made it into our forthcoming release:
- Public Keys protected by DNSSEC stored in the Domain Name System
----------------------------------------------------------------
The new ipseckey plugin enables authentication based on trustworthy
public keys stored as IPSECKEY resource records in the DNS and
protected by DNSSEC. To do so it uses a DNSSEC-enabled resolver,
like the one provided by the unbound plugin, which is based on
libldns and libunbound. Both plugins were created by Reto Guadagnini.
https://www.strongswan.org/uml/testresults5rc/ikev2/rw-dnssec/
- Assignment of Virtual IPs by RADIUS Server
------------------------------------------
The eap-radius plugin can now assign virtual IPs to IKE clients using
the Framed-IP-Address attribute by using the "%radius" named pool
in the rightsourceip ipsec.conf option.
https://www.strongswan.org/uml/testresults5rc/ikev2/rw-eap-framed-ip-radius/
- Improved RADIUS Account Records
-------------------------------
charon now sends Interim Accounting updates if requested by the
RADIUS server, reports sent/received packets in Accounting messages,
and adds a Terminate-Cause to Accounting-Stops.
https://www.strongswan.org/uml/testresults5rc/ikev2/rw-radius-accounting/
Fri Mar 22 22:48:55 2013
Acct-Status-Type = Stop
Acct-Session-Id = "1363992527-1"
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 1
NAS-Port-Id = "rw-eap"
NAS-IP-Address = 192.168.0.1
Called-Station-Id = "192.168.0.1[4500]"
Calling-Station-Id = "192.168.0.100[4500]"
User-Name = "carol"
Framed-IP-Address = 10.3.0.1
Framed-IPv6-Prefix = fec3::1/128
Acct-Output-Octets = 7100
Acct-Output-Packets = 5
Acct-Input-Octets = 7100
Acct-Input-Packets = 5
Acct-Session-Time = 6
Acct-Terminate-Cause = User-Request
NAS-Identifier = "strongSwan"
Acct-Unique-Session-Id = "b4a2d1ea2b30f92c"
Timestamp = 1363992535
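As an added example (written for this page, not part of strongSwan or of any RADIUS server), the following Python parses one Accounting-Stop record in the detail-log layout shown above and derives the facts an auditor usually wants from it: who connected from where, which virtual addresses were assigned, how much traffic the session carried, why it ended, and when it started. The sample record is the one from the announcement, with the indentation a RADIUS server's detail file normally writes; the interpretation of Timestamp as the time the server received the Stop is an assumption.

```python
"""Parse one RADIUS Accounting-Stop record in the 'detail' log format shown
in the strongSwan 5.0.3rc1 announcement and derive a few audit facts from it.
Example code written for this page; it is not part of strongSwan or of any
RADIUS server, and the record below is the one from the announcement."""
import re
from datetime import datetime, timezone

# Sample input: the Accounting-Stop record from the announcement (leading
# whitespace added, as a RADIUS server's detail file writes it).
SAMPLE_RECORD = """\
Fri Mar 22 22:48:55 2013
    Acct-Status-Type = Stop
    Acct-Session-Id = "1363992527-1"
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    NAS-Port = 1
    NAS-Port-Id = "rw-eap"
    NAS-IP-Address = 192.168.0.1
    Called-Station-Id = "192.168.0.1[4500]"
    Calling-Station-Id = "192.168.0.100[4500]"
    User-Name = "carol"
    Framed-IP-Address = 10.3.0.1
    Framed-IPv6-Prefix = fec3::1/128
    Acct-Output-Octets = 7100
    Acct-Output-Packets = 5
    Acct-Input-Octets = 7100
    Acct-Input-Packets = 5
    Acct-Session-Time = 6
    Acct-Terminate-Cause = User-Request
    NAS-Identifier = "strongSwan"
    Acct-Unique-Session-Id = "b4a2d1ea2b30f92c"
    Timestamp = 1363992535
"""

# 'Attribute-Name = value' with optional surrounding whitespace
ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_record(text):
    """Return (timestamp_line, {attribute: value}) for one detail record.

    Double-quoted strings are unquoted and purely numeric values become
    ints; everything else (IP addresses, enum names) stays a string."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, attrs = lines[0].strip(), {}
    for line in lines[1:]:
        m = ATTR_RE.match(line)
        if not m:
            continue                      # not an attribute line; skip it
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif value.isdigit():
            value = int(value)
        attrs[name] = value
    return header, attrs


def summarize_stop(attrs):
    """Derive audit-relevant facts from a parsed Accounting-Stop record."""
    if attrs.get('Acct-Status-Type') != 'Stop':
        raise ValueError('not an Accounting-Stop record')
    secs = attrs['Acct-Session-Time']
    total = attrs['Acct-Input-Octets'] + attrs['Acct-Output-Octets']
    # Assumption: Timestamp is when the server received the Stop, so
    # subtracting the session duration gives the approximate start (UTC).
    started = datetime.fromtimestamp(attrs['Timestamp'] - secs, tz=timezone.utc)
    return {
        'user': attrs['User-Name'],
        'client': attrs['Calling-Station-Id'],
        'virtual_ips': [attrs[k] for k in ('Framed-IP-Address', 'Framed-IPv6-Prefix')
                        if k in attrs],
        'total_octets': total,
        'session_seconds': secs,
        # a Stop without a cause is itself worth noticing
        'terminate_cause': attrs.get('Acct-Terminate-Cause', 'missing'),
        'started_at': started.isoformat(),
    }


if __name__ == '__main__':
    header, attrs = parse_record(SAMPLE_RECORD)
    print(header)
    for key, value in summarize_stop(attrs).items():
        print(f'{key:16} {value}')
```

Running it on the record above reports carol at 192.168.0.100[4500] with both virtual addresses, 14200 octets over a 6 second session ending by User-Request and starting at 22:48:49 UTC, which agrees with the record's own header line.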
- Improved IKE Statistics
-----------------------
The "ipsec listcounters" command can report connection specific
counters by passing a connection name, and global or connection
counters can be reset by the "ipsec resetcounters" command.
ipsec listcounters hsr-v4
List of IKE counters for 'hsr-v4':
ikeInitRekey 0
ikeRspRekey 0
ikeChildSaRekey 0
ikeInInvalid 0
ikeInInvalidSpi 0
ikeInInitReq 0
ikeInInitRsp 2
ikeOutInitReq 2
ikeOutInitRsp 0
ikeInAuthReq 0
ikeInAuthRsp 2
ikeOutAuthReq 2
ikeOutAuthRsp 0
ikeInCrChildReq 0
ikeInCrChildRsp 0
ikeOutCrChildReq 0
ikeOutCrChildRsp 0
ikeInInfoReq 1
ikeInInfoRsp 1
ikeOutInfoReq 1
ikeOutInfoRsp 1
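As an added example (written for this page, not strongSwan code), the following Python parses the listcounters output above and compares two snapshots, which is how these cumulative counters become useful for monitoring: a rising count of invalid messages or unknown SPIs, or IKE_SA_INIT requests that the daemon receives but does not answer, is what an operator would want to alert on. The second snapshot is constructed, and the comparison also handles the case where "ipsec resetcounters" ran between the two readings.

```python
"""Parse 'ipsec listcounters [<conn>]' output from strongSwan 5.0.3 and turn
the difference between two snapshots into a few indicators worth watching.
Example code written for this page; not part of strongSwan.  The first
snapshot is the output shown in the announcement, the second is constructed."""
import re

# Sample input: the listcounters output from the announcement.
SNAPSHOT_BEFORE = """\
List of IKE counters for 'hsr-v4':
  ikeInitRekey          0
  ikeRspRekey           0
  ikeChildSaRekey       0
  ikeInInvalid          0
  ikeInInvalidSpi       0
  ikeInInitReq          0
  ikeInInitRsp          2
  ikeOutInitReq         2
  ikeOutInitRsp         0
  ikeInAuthReq          0
  ikeInAuthRsp          2
  ikeOutAuthReq         2
  ikeOutAuthRsp         0
  ikeInCrChildReq       0
  ikeInCrChildRsp       0
  ikeOutCrChildReq      0
  ikeOutCrChildRsp      0
  ikeInInfoReq          1
  ikeInInfoRsp          1
  ikeOutInfoReq         1
  ikeOutInfoRsp         1
"""

CONN_RE = re.compile(r"List of IKE counters for '([^']+)'")
COUNTER_RE = re.compile(r'^\s*(ike\w+)\s+(\d+)\s*$')


def parse_counters(text):
    """Return ({counter: value}, conn_name) parsed from listcounters output;
    conn_name is None when no connection header is present."""
    counters, conn = {}, None
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters, conn


def bumped(counters, **changes):
    """Copy a counter dict with some counters overwritten (builds samples)."""
    out = dict(counters)
    out.update(changes)
    return out


# Constructed later snapshot: the same connection after a burst of
# IKE_SA_INIT requests and a number of messages with unknown SPIs arrived.
SNAPSHOT_AFTER = bumped(parse_counters(SNAPSHOT_BEFORE)[0],
                        ikeInInvalid=3, ikeInInvalidSpi=12,
                        ikeInInitReq=40, ikeOutInitRsp=25)


def delta(before, after):
    """Per-counter increase between two snapshots.  Counters are cumulative;
    if a value went down, 'ipsec resetcounters' ran in between and the new
    value is the whole increase since that reset."""
    out = {}
    for name, now in after.items():
        prev = before.get(name, 0)
        out[name] = now if now < prev else now - prev
    return out


def indicators(d):
    """Reduce a counter delta to a few numbers a monitor can threshold on."""
    g = d.get
    return {
        # malformed IKE messages plus messages for SPIs this daemon does not
        # know (stale peers after a restart, or unexpected traffic on the port)
        'invalid_in': g('ikeInInvalid', 0) + g('ikeInInvalidSpi', 0),
        # IKE_SA_INIT requests received that we did not answer
        'init_unanswered': g('ikeInInitReq', 0) - g('ikeOutInitRsp', 0),
        # IKE_AUTH requests received that we did not answer
        'auth_unanswered': g('ikeInAuthReq', 0) - g('ikeOutAuthRsp', 0),
        # IKE_SA_INIT requests we sent that got no response
        'init_no_reply': g('ikeOutInitReq', 0) - g('ikeInInitRsp', 0),
    }


if __name__ == '__main__':
    before, conn = parse_counters(SNAPSHOT_BEFORE)
    print(f"connection {conn}: {len(before)} counters")
    for name, value in indicators(delta(before, SNAPSHOT_AFTER)).items():
        print(f'{name:16} {value}')
```

In practice the two snapshots come from running "ipsec listcounters hsr-v4" at the start and end of a polling interval; the reset handling in delta() matters because an operator may run "ipsec resetcounters" by hand while a monitor is polling.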
- Trusted Key Manager (TKM)
-------------------------
The new charon-tkm IKEv2 daemon delegates security-critical
operations to a separate process. This has the benefit that the
network-facing daemon has no knowledge of keying material used to
protect child SAs. Thus subverting charon-tkm does not result in
the compromise of cryptographic keys. The extracted functionality
has been implemented from scratch in a minimal TCB (trusted computing
base) in the Ada programming language. Further information can be
found at http://www.codelabs.ch/tkm/ and in the following research
report:
http://security.hsr.ch/mse/projects/2012_IKE-Separation.pdf
- New xauth-noauth Plugin
-----------------------
The new xauth-noauth plugin allows the use of basic RSA or PSK
authentication with clients that cannot be configured without
IKEv1 XAuth authentication. The plugin simply concludes the XAuth
exchange successfully without actually performing any
authentication. To use this backend it has to be selected explicitly
with rightauth2=xauth-noauth.
- New systime-fix Plugin
----------------------
The charon systime-fix plugin can disable certificate lifetime checks
on embedded systems if the system time is obviously out of sync after
bootup. Certificate lifetimes get checked once the system time becomes
sane, closing or reauthenticating connections that use expired
certificates.
- Hardware Acceleration of IKEv2 AES-GCM
--------------------------------------
The openssl plugin now uses the AES-NI accelerated version of
AES-GCM if the processor hardware supports it.
- Support of the RFC 6876 PT-TLS Protocol (TCG TNC IF-T for TLS 2.0)
------------------------------------------------------------------
The strongSwan libpttls library provides an experimental
implementation of PT-TLS (RFC 6876), a Posture Transport Protocol
over TLS.
- TNC IF-IMV 1.4 Draft Version Support
------------------------------------
Implemented the TCG TNC IF-IMV 1.4 draft, making access requestor
identities available to an IMV. The OS IMV stores the AR identity
together with the device ID in the attest database.
https://www.strongswan.org/uml/testresults5rc/tnc/tnccs-20-os/
Mar 22 19:49:10 moon charon:
14[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1:
+long +excl -soh
14[IMV] over IF-T for Tunneled EAP 1.1 with maximum PA-TNC message
size of 65490 bytes
14[IMV] user AR identity 'carol at strongswan.org' authenticated by
password
Database query:
ipsec attest --devices
5: cf5e4cbcc6e6a2db
Mar 12 21:41:04 2013, 22, 0, 0, 4, 'Android 4.1.1' john
- New ikedscp Configuration Option
--------------------------------
The "ikedscp" ipsec.conf option can set DiffServ code points as
defined by RFC 2474 on outgoing IKE packets.
ikedscp = 000000 | <DSCP field>
Please test our release candidate and report any problems. ETA for
the stable 5.0.3 release is end of March 2013.
Kind regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==