+strongswan-4.0.4
+----------------
+
+- Implemented full support for IPv6-in-IPv6 tunnels.
+
+- Added configuration options for dead peer detection in IKEv2. dpd_action
+ types "clear", "hold" and "restart" are supported. The dpd_timeout
+ value is not used, as the normal retransmission policy applies to
+ detect dead peers. The dpd_delay parameter enables sending of empty
+ informational message to detect dead peers in case of inactivity.
+
+- Added support for preshared keys in IKEv2. PSK keys configured in
+ ipsec.secrets are loaded. The authby parameter specifies the authentication
+ method to authentificate ourself, the other peer may use PSK or RSA.
+
+- Changed retransmission policy to respect the keyingtries parameter.
+
+- Added private key decryption. PEM keys encrypted with AES-128/192/256
+ or 3DES are supported.
+
+- Implemented DES/3DES algorithms in libstrongswan. 3DES can be used to
+ encrypt IKE traffic.
+
+- Implemented SHA-256/384/512 in libstrongswan, allows usage of certificates
+ signed with such a hash algorithm.
+
+- Added initial support for updown scripts. The actions up-host/client and
+ down-host/client are executed. The leftfirewall=yes parameter
+ uses the default updown script to insert dynamic firewall rules, a custom
+ updown script may be specified with the leftupdown parameter.
+
+
+strongswan-4.0.3
+----------------
+
+- Added support for the auto=route ipsec.conf parameter and the
+ ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and
+ CHILD_SAs dynamically on demand when traffic is detected by the
+ kernel.
+
+- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
+ As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only
+ new keys are generated using perfect forward secrecy. An optional flag
+ which enforces reauthentication will be implemented later.
+
+- "sha" and "sha1" are now treated as synonyms in the ike= and esp=
+ algorithm configuration statements.
+
+
+strongswan-4.0.2
+----------------
+
+- Full X.509 certificate trust chain verification has been implemented.
+ End entity certificates can be exchanged via CERT payloads. The current
+ default is leftsendcert=always, since CERTREQ payloads are not supported
+ yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
+
+- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2
+ would offer more possibilities for traffic selection, but the Linux kernel
+ currently does not support it. That's why we stick with these simple
+ ipsec.conf rules for now.
+
+- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
+ IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
+ dpddelay=60s).
+
+- Initial NAT traversal support in IKEv2. Charon includes NAT detection
+ notify payloads to detect NAT routers between the peers. It switches
+ to port 4500, uses UDP encapsulated ESP packets, handles peer address
+ changes gracefully and sends keep alive message periodically.
+
+- Reimplemented IKE_SA state machine for charon, which allows simultaneous
+ rekeying, more shared code, cleaner design, proper retransmission
+ and a more extensible code base.
+
+- The mixed PSK/RSA roadwarrior detection capability introduced by the
+ strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal
+ payloads by the responder right before any defined IKE Main Mode state had
+ been established. Although any form of bad proposal syntax was being correctly
+ detected by the payload parser, the subsequent error handler didn't check
+ the state pointer before logging current state information, causing an
+ immediate crash of the pluto keying daemon due to a NULL pointer.
+
+
+strongswan-4.0.1
+----------------
+
+- Added algorithm selection to charon: New default algorithms for
+ ike=aes128-sha-modp2048, as both daemons support it. The default
+ for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
+ the ike/esp parameter the same way as pluto. As this syntax does
+ not allow specification of a pseudo random function, the same
+ algorithm as for integrity is used (currently sha/md5). Supported
+ algorithms for IKE:
+ Encryption: aes128, aes192, aes256
+ Integrity/PRF: md5, sha (using hmac)
+ DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
+ and for ESP:
+ Encryption: aes128, aes192, aes256, 3des, blowfish128,
+ blowfish192, blowfish256
+ Integrity: md5, sha1
+ More IKE encryption algorithms will come after porting libcrypto into
+ libstrongswan.
+
+- initial support for rekeying CHILD_SAs using IKEv2. Currently no
+ perfect forward secrecy is used. The rekeying parameters rekey,
+ rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
+ when using IKEv2. WARNING: charon currently is unable to handle
+ simultaneous rekeying. To avoid such a situation, use a large
+ rekeyfuzz, or even better, set rekey=no on one peer.
+
+- support for host2host, net2net, host2net (roadwarrior) tunnels
+ using predefined RSA certificates (see uml scenarios for
+ configuration examples).
- new build environment featuring autotools. Features such
as HTTP, LDAP and smartcard support may be enabled using
the ./configure script. Changing install directories
is possible, too. See ./configure --help for more details.
+- better integration of charon with ipsec starter, which allows
+ (almost) transparent operation with both daemons. charon
+ handles ipsec commands up, down, status, statusall, listall,
+ listcerts and allows proper load, reload and delete of connections
+ via ipsec starter.
+
+
strongswan-4.0.0
----------------
projects / strongswan.git / blobdiff