The Libreswan Project has released libreswan 4.5

This is a bugfix release.

The Labeled IPsec for IKEv2 now uses 1 set of SPD policies for all sets of SPD states. Libreswan now supports RFC 6023 (Childless SA) which is required for auto=start with Labeled IPsec when the kernel ACQUIRE is not yet present and also to continue the negotiation when the first subnet configured mismatches or is childless.

The IKE SA is now no longer destroyed when a Child SA is mismatched, ensuring that all but the misconfigured subnets in a left/rightsubnets= line will come up.

Initial Contact has been enabled by default, and will ensure that a replaced IKE/IPsec SA is done more quickly and will not take 60s for retransmit timeouts to take out the old Child SA. Previously, during this 60s, all traffic was dropped because it was using the old state's encryption key.

This latest version of libreswan can be downloaded from:

    https://download.libreswan.org/libreswan-4.5.tar.gz
    https://download.libreswan.org/libreswan-4.5.tar.gz.asc

The full changelog is available at:

    https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our GitHub bug tracker:

    https://lists.libreswan.org/
    https://github.com/libreswan/libreswan/issues

Binary packages for RHEL/CentOS can be found at:

    https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release.

See also https://libreswan.org/

v4.5 (August 20, 2021)
* IKEv1: multiple subnets could lead to crossed wires, failures [Paul/Andrew]
* IKEv2: don't tear down IKE SA on TS_UNACCEPTABLE [Paul]
* IKEv2: unpend/delete Child SA when rejected by IKE_AUTH response [Andrew]
* IKEv2: mobike: resolve_defaultroute_one() updates [Andrew]
* IKEv2: mobike: prevent sending duplicate mobike response [Andrew]
* IKEv2: Support for Childless IKE SA [Andrew]
* IKEv2: redirect: make peer redirecting in IKE_AUTH childless [Vukasin]
* IKEv2: Labeled IPsec --up causes Childless IKE SA [Andrew/Paul]
* IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) [Andrew/Paul/Kavinda]
* IKEv2: Performance; eliminate more O(#CONNECTIONS) code [Andrew]
* IKEv2: Immediately delete replaced Child from new (IC) IKE SA [Andrew/Paul]
* pluto: mismatched subnets= could take down all conns [Paul]
* pluto: Don't delete existing IKE SA of connection instance [Paul]
* pluto: fail better on parse errors in subnet= clause [Paul]
* libswan: use getaddrinfo(3) instead of gethostbyname2(3) [Hugh]
* libipsecconf: fail to load conn if no right= or left= set [Paul]
* libipsecconf: change default of initial-contact= to yes [Paul]
* X509: directly append new CRL requests to the fetch queue [Andrew]
* whack: implement --impair trigger:<global-event> [Andrew]
* ipsec.service: remove reload which did not work as expected [Tuomo]
* portexcludes: update to use python3 [Kim]
* building: fix NetBSD build [Andrew]
* building: fix arm / aarch64 build [kekePower@github]
* building: Remove support for RHEL6 USE_OLD_SELINUX [Paul]
* packaging: handle properly rpm sysctl config [Tuomo]
* packaging: rhel7: fix python2 shebang [Tuomo]