X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=NEWS;h=acd58383919d4810915de41cc0f9bfe45bb5d32b;hp=0f92855b6c211dc69410d8670a1224fd8f4f25d2;hb=825a5631dd2a99f6807dcf0b61bb0e5f1387717d;hpb=cfd8b27f789a20ab29a61361af7ba6a43cb1001c diff --git a/NEWS b/NEWS index 0f92855..acd5838 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,78 @@ +strongswan-4.0.4 +---------------- + +- Implemented full support for IPv6-in-IPv6 tunnels. + +- Added configuration options for dead peer detection in IKEv2. dpd_action + types "clear", "hold" and "restart" are supported. The dpd_timeout + value is not used, as the normal retransmission policy applies to + detect dead peers. The dpd_delay parameter enables sending of empty + informational message to detect dead peers in case of inactivity. + +- Added support for preshared keys in IKEv2. PSK keys configured in + ipsec.secrets are loaded. The authby parameter specifies the authentication + method to authentificate ourself, the other peer may use PSK or RSA. + +- Changed retransmission policy to respect the keyingtries parameter. + +- Added private key decryption. PEM keys encrypted with AES-128/192/256 + or 3DES are supported. + +- Implemented DES/3DES algorithms in libstrongswan. 3DES can be used to + encrypt IKE traffic. + +- Implemented SHA-256/384/512 in libstrongswan, allows usage of certificates + signed with such a hash algorithm. + +- Added initial support for updown scripts. The actions up-host/client and + down-host/client are executed. The leftfirewall=yes parameter + uses the default updown script to insert dynamic firewall rules, a custom + updown script may be specified with the leftupdown parameter. + + +strongswan-4.0.3 +---------------- + +- Added support for the auto=route ipsec.conf parameter and the + ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and + CHILD_SAs dynamically on demand when traffic is detected by the + kernel. + +- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter. + As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only + new keys are generated using perfect forward secrecy. An optional flag + which enforces reauthentication will be implemented later. + +- "sha" and "sha1" are now treated as synonyms in the ike= and esp= + algorithm configuration statements. + + strongswan-4.0.2 ---------------- +- Full X.509 certificate trust chain verification has been implemented. + End entity certificates can be exchanged via CERT payloads. The current + default is leftsendcert=always, since CERTREQ payloads are not supported + yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls. + +- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 + would offer more possibilities for traffic selection, but the Linux kernel + currently does not support it. That's why we stick with these simple + ipsec.conf rules for now. + +- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no + IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear, + dpddelay=60s). + +- Initial NAT traversal support in IKEv2. Charon includes NAT detection + notify payloads to detect NAT routers between the peers. It switches + to port 4500, uses UDP encapsulated ESP packets, handles peer address + changes gracefully and sends keep alive message periodically. + +- Reimplemented IKE_SA state machine for charon, which allows simultaneous + rekeying, more shared code, cleaner design, proper retransmission + and a more extensible code base. + - The mixed PSK/RSA roadwarrior detection capability introduced by the strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal payloads by the responder right before any defined IKE Main Mode state had @@ -9,6 +81,7 @@ strongswan-4.0.2 the state pointer before logging current state information, causing an immediate crash of the pluto keying daemon due to a NULL pointer. + strongswan-4.0.1 ---------------- @@ -51,6 +124,7 @@ strongswan-4.0.1 listcerts and allows proper load, reload and delete of connections via ipsec starter. + strongswan-4.0.0 ----------------