Hi,

after three months of heavy development we are happy to announce the
strongSwan 4.3.6 release available from

http://www.strongswan.org/download.htm

The following new features are supported:

* RFC 3779 IP address block constraints
  -------------------------------------
  The IKEv2 daemon supports RFC 3779 IP address block constraints carried
  as a critical X.509v3 extension in the peer certificate. See the
  following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev2/net2net-rfc3779/
  http://www.strongswan.org/uml/testresults/ipv6/net2net-rfc3779-ikev2/

* DNS and NBNS servers stored in SQL database
  -------------------------------------------
  The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
  server entries that are sent via the IKEv1 Mode Config or IKEv2
  Configuration Payload to remote clients. See the following example
  scenarios:

  http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
  http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/

* Camellia as IKEv1, IKEv2, and ESP encryption algorithm
  ------------------------------------------------------
  IKEv1 now also supports Camellia encryption. See the following example
  scenarios:

  http://www.strongswan.org/uml/testresults/openssl-ikev1/alg-camellia/
  http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-camellia/

* Support of certificate path length constraints
  ----------------------------------------------
  The IKEv1 and IKEv2 daemons now check certificate path length
  constraints. See the following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev1/multi-level-ca-pathlen/
  http://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-pathlen/

* IKEv2 inactivity timeout
  ------------------------
  The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no
  traffic was sent or received within the given interval. To close the
  complete IKE_SA if its only CHILD_SA was inactive, set the global
  strongswan.conf option "charon.inactivity_close_ike" to yes. See the
  following example scenario:

  http://www.strongswan.org/uml/testresults/ikev2/inactivity-timeout/

* Support of SHA2 HMAC ESP data integrity algorithms
  --------------------------------------------------
  Added the required userland changes for proper SHA256 and SHA384/512 in
  ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256"
  keyword now configures the kernel with 128 bit truncation, not the
  non-standard 96 bit truncation used by previous releases. To use the
  old 96 bit truncation scheme, the new "sha256_96" proposal keyword has
  been introduced. See the following example scenarios:

  http://www.strongswan.org/uml/testresults/ikev1/alg-sha256-96/
  http://www.strongswan.org/uml/testresults/ikev1/alg-sha256/
  http://www.strongswan.org/uml/testresults/ikev1/alg-sha384/
  http://www.strongswan.org/uml/testresults/ikev1/alg-sha512/
  http://www.strongswan.org/uml/testresults/ikev2/alg-sha256-96/
  http://www.strongswan.org/uml/testresults/ikev2/alg-sha256/
  http://www.strongswan.org/uml/testresults/ikev2/alg-sha384/
  http://www.strongswan.org/uml/testresults/ikev2/alg-sha512/

  If you want to use the SHA2 HMAC with older Linux 2.6 kernels, please
  apply the following kernel patch:

  http://download.strongswan.org/uml/sha2.patch.bz2

* Fixed IPComp in ESP tunnel mode (IKEv2 daemon only)
  ---------------------------------------------------
  Fixed IPComp in tunnel mode, stripping out the duplicated outer header.
  This change makes IPComp tunnel mode connections incompatible with
  previous releases; disable compression on such tunnels.

* Fixed BEET mode
  ---------------
  Fixed BEET mode connections on recent kernels by installing SAs with
  appropriate traffic selectors, based on a patch by Michael Rossberg.

* Use of strongSwan IKEv2 Vendor ID
  ---------------------------------
  Using extensions (such as BEET mode) and crypto algorithms (such as
  twofish, serpent, sha256_96) allocated in the private use space now
  requires that we know their meaning, i.e. that we are talking to
  strongSwan. Use the new "charon.send_vendor_id" option in
  strongswan.conf to let the remote peer know this is the case. The same
  strongSwan Vendor ID hash is now also used by the IKEv1 pluto daemon.

* Support of EAP_ONLY authentication
  ----------------------------------
  Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
  responder omits public key authentication in favor of a mutual
  authentication method. To enable EAP-only authentication, set
  rightauth=eap on the responder to rely only on the MSK constructed AUTH
  payload. This not-yet standardized extension requires the strongSwan
  Vendor ID introduced above. See the following example scenario:

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-only-radius/

* IKEv1 interoperability with Juniper SRX
  ---------------------------------------
  The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
  allowing interoperability.

* IKEv2 charon daemon ported to Android platform
  ----------------------------------------------
  strongSwan team member Tobias Brunner ported the IKEv2 charon daemon to
  the Android 1.6 platform. Details on the cross-compilation will follow.

Enjoy the new release!

Andreas Steffen, Martin Willi, Tobias Brunner

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
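The inactivity timeout, the changed meaning of "sha256", the new "sha256_96" keyword and the Vendor ID option above are all configuration knobs that interact when a 4.3.6 gateway talks to peers of different vintages. The following configuration is an added example written for this page; it is not part of the announcement and not taken from the strongSwan test scenarios. The gateway names, addresses, subnets and certificate file name are assumptions, and the two conn sections show the same gateway facing two peers: one that also runs 4.3.6 on a Linux 2.6.33 (or sha2-patched) kernel, and one that still runs a pre-4.3.6 strongSwan with the old 96 bit truncation.

```conf
# /etc/ipsec.conf  (added example; hosts, addresses and cert name are assumed)

config setup
    charonstart=yes
    plutostart=no

conn %default
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    leftcert=gwCert.pem
    leftid=@gw.example.org
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    auto=add

# Peer A runs 4.3.6 on a kernel with proper SHA2 support: "sha256" now
# installs HMAC-SHA-256 with the standards-conformant 128 bit ICV.
# The trailing "!" restricts the proposal to exactly these algorithms.
conn net-net-peer-a
    right=192.0.2.2
    rightid=@peer-a.example.org
    rightsubnet=10.2.0.0/16
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256!
    # Tear down this CHILD_SA after 10 minutes without traffic in either
    # direction (the global inactivity_close_ike setting below decides
    # whether the IKE_SA goes with it).
    inactivity=10m

# Peer B still runs a pre-4.3.6 strongSwan, which truncates HMAC-SHA-256
# to 96 bits. Negotiating plain "sha256" with it would install ICVs of
# different lengths on the two ends and every inbound ESP packet would
# fail the integrity check, so request the legacy truncation explicitly.
# "sha256_96" is a private-use algorithm identifier, which is why the
# strongSwan Vendor ID must be announced (see strongswan.conf below).
conn net-net-peer-b
    right=192.0.2.3
    rightid=@peer-b.example.org
    rightsubnet=10.3.0.0/16
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256_96!
    inactivity=10m

# /etc/strongswan.conf  (added example)

charon {
    # With "inactivity" set in ipsec.conf, also close the IKE_SA when its
    # only CHILD_SA was closed for inactivity instead of keeping an idle
    # IKE_SA around.
    inactivity_close_ike = yes

    # Announce the strongSwan Vendor ID so the peer can tell it is talking
    # to strongSwan and accept private-use identifiers such as sha256_96
    # or BEET mode. Since the check is done by whichever side receives the
    # proposal, set this on both peers (assumption for this example).
    send_vendor_id = yes
}
```

A practical check after upgrading: if a tunnel to an older strongSwan stops passing traffic while the IKE_SA still comes up, compare the negotiated ESP integrity algorithm on both sides; a 128 bit ICV on one end and a 96 bit ICV on the other is exactly the symptom the sha256_96 keyword is meant to fix.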
