Hello,

the first release candidate of the forthcoming strongSwan 4.5.3 version
is now available. The following new features have been included:

PASS and DROP shunt policies configurable by charon
---------------------------------------------------

The IKEv2 charon daemon supports type=pass and type=drop shunt policies
preventing specific traffic from going through IPsec connections.
Installation of the shunt policies is possible either via the XFRM
netfilter or PFKEYv2 IPsec kernel interfaces as the following two
scenarios show:

  http://www.strongswan.org/uml/testresults45rc/ikev2/shunt-policies/
  http://www.strongswan.org/uml/testresults45rc/pfkey/shunt-policies/

Tracking of IPsec policy histories
----------------------------------

The history of policies installed in the kernel is now tracked so that
e.g. trap policies are correctly updated when reauthenticated SAs are
terminated.

New IKEv2 closeaction keyword
-----------------------------

The IKEv2 close action does not use the same value as the ipsec.conf
dpdaction setting, but the value defined by its own closeaction keyword.
The action is triggered if the remote peer closes a CHILD_SA
unexpectedly.

strongSwan libraries moved
--------------------------

Heeding the request from several Linux Distributions, our private
libraries (e.g. libstrongswan) are not installed directly in prefix/lib
anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by default).
The plugins directory has also moved from prefix/libexec/ipsec/ to that
directory. The dynamic IMC/IMV libraries were moved from the plugins
directory to a new imcvs directory in the prefix/lib/ipsec/
subdirectory.

IMC/IMV pairs implementing the RFC 5792 PA-TNC (IF-M) protocol
--------------------------------------------------------------

- IMC/IMV Scanner pair: (--enable-imc-scanner/--enable-imv-scanner)

  Using "netstat -l" the Integrity Measurement Collector (IMC) scans
  open listening ports on the TNC client and sends a port list to the
  Integrity Measurement Verifier (IMV) which, based on a port policy,
  decides if the client is admitted to the network.
  http://www.strongswan.org/uml/testresults45rc/tnc/tnccs-20/

- IMC/IMV Test pair: (--enable-imc-test/--enable-imv-test)

  Can be used to test the RFC 5793 PB-TNC (IF-TNCCS 2.0) protocol.

  http://www.strongswan.org/uml/testresults45rc/tnc/tnccs-20-client-retry/

ipsec statusall shows ESN
-------------------------

ipsec statusall now shows whether Extended Sequence Numbers (ESN) have
been negotiated. ESN is supported by the Linux kernel starting with
2.6.39.

  http://www.strongswan.org/uml/testresults45rc/ikev2/net2net-esn/

Please test the release candidate and give us feedback. ETA for the
stable 4.5.3 release is end of July.

Kind regards

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==