X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=NEWS;h=36e42414d6ce20180816e4b68aaa445bb0330577;hp=8595682d9f0436d0bca221907c7730e4b6e5c725;hb=a846ffdb481dff60aecf6042c20f5924db87a591;hpb=f2c2d395ff756505be10b9d3e8420af498f33cc2 diff --git a/NEWS b/NEWS index 8595682..36e4241 100644 --- a/NEWS +++ b/NEWS 
@@ -1,9 +1,73 @@ +- added dead peer detection which checks aliveness of remote peer if no + IKE or ESP traffic is received. Support for dpdaction, dpddelay??? + +- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 + would offer more possibilities for traffic selection, but the Linux kernel + currently does not support it. That's why we stick with these simple + ipsec.conf rules for now. + +- Initial NAT traversal support in IKEv2. Charon includes NAT detection + notify payloads to detect NAT routers between the peers. It switches + to port 4500, uses UDP encapsulated ESP packets, handles peer address + changes gracefully and sends keep alive message periodically. + +- Reimplemented IKE_SA state machine for charon, which allows simultaneous + rekeying, more shared code, cleaner design, proper retransmission + and a more extensible code base. + +strongswan-4.0.2 +---------------- + +- The mixed PSK/RSA roadwarrior detection capability introduced by the + strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal + payloads by the responder right before any defined IKE Main Mode state had + been established. Although any form of bad proposal syntax was being correctly + detected by the payload parser, the subsequent error handler didn't check + the state pointer before logging current state information, causing an + immediate crash of the pluto keying daemon due to a NULL pointer. + +strongswan-4.0.1 +---------------- + +- Added algorithm selection to charon: New default algorithms for + ike=aes128-sha-modp2048, as both daemons support it. The default + for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles + the ike/esp parameter the same way as pluto. As this syntax does + not allow specification of a pseudo random function, the same + algorithm as for integrity is used (currently sha/md5). 
Supported + algorithms for IKE: + Encryption: aes128, aes192, aes256 + Integrity/PRF: md5, sha (using hmac) + DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192 + and for ESP: + Encryption: aes128, aes192, aes256, 3des, blowfish128, + blowfish192, blowfish256 + Integrity: md5, sha1 + More IKE encryption algorithms will come after porting libcrypto into + libstrongswan. + +- initial support for rekeying CHILD_SAs using IKEv2. Currently no + perfect forward secrecy is used. The rekeying parameters rekey, + rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported + when using IKEv2. WARNING: charon currently is unable to handle + simultaneous rekeying. To avoid such a situation, use a large + rekeyfuzz, or even better, set rekey=no on one peer. + +- support for host2host, net2net, host2net (roadwarrior) tunnels + using predefined RSA certificates (see uml scenarios for + configuration examples). - new build environment featuring autotools. Features such as HTTP, LDAP and smartcard support may be enabled using the ./configure script. Changing install directories is possible, too. See ./configure --help for more details. +- better integration of charon with ipsec starter, which allows + (almost) transparent operation with both daemons. charon + handles ipsec commands up, down, status, statusall, listall, + listcerts and allows proper load, reload and delete of connections + via ipsec starter. + strongswan-4.0.0 ----------------
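Review bot: the first entry in the hunk is left unfinished: "+ IKE or ESP traffic is received. Support for dpdaction, dpddelay???" ends in a placeholder, so the dpdaction/dpddelay behaviour the release actually ships (which actions, which delay defaults) should be written out or the half-sentence dropped before this is tagged; the same entry should also start with "Added" like the other bullets. The new top entry states that the reimplemented IKE_SA state machine "allows simultaneous rekeying", while the 4.0.1 entry added further down in the same hunk still reads "WARNING: charon currently is unable to handle simultaneous rekeying. To avoid such a situation, use a large rekeyfuzz, or even better, set rekey=no on one peer."; since both are visible in the same file, the new entry should say explicitly that the 4.0.1 workaround is no longer needed, otherwise administrators keep rekey=no configured for no reason. Minor wording in the NAT traversal entry: "sends keep alive message periodically" should be "sends keep-alive messages periodically".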