X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=NEWS;h=acd58383919d4810915de41cc0f9bfe45bb5d32b;hp=8595682d9f0436d0bca221907c7730e4b6e5c725;hb=ced0461cb9428663994d5c03ed3497c7e9e69c46;hpb=f2c2d395ff756505be10b9d3e8420af498f33cc2 diff --git a/NEWS b/NEWS index 8595682..acd5838 100644 --- a/NEWS +++ b/NEWS 
@@ -1,9 +1,130 @@ +strongswan-4.0.4 +---------------- + +- Implemented full support for IPv6-in-IPv6 tunnels. + +- Added configuration options for dead peer detection in IKEv2. dpd_action + types "clear", "hold" and "restart" are supported. The dpd_timeout + value is not used, as the normal retransmission policy applies to + detect dead peers. The dpd_delay parameter enables sending of empty + informational message to detect dead peers in case of inactivity. + +- Added support for preshared keys in IKEv2. PSK keys configured in + ipsec.secrets are loaded. The authby parameter specifies the authentication + method to authentificate ourself, the other peer may use PSK or RSA. + +- Changed retransmission policy to respect the keyingtries parameter. + +- Added private key decryption. PEM keys encrypted with AES-128/192/256 + or 3DES are supported. + +- Implemented DES/3DES algorithms in libstrongswan. 3DES can be used to + encrypt IKE traffic. + +- Implemented SHA-256/384/512 in libstrongswan, allows usage of certificates + signed with such a hash algorithm. + +- Added initial support for updown scripts. The actions up-host/client and + down-host/client are executed. The leftfirewall=yes parameter + uses the default updown script to insert dynamic firewall rules, a custom + updown script may be specified with the leftupdown parameter. + + +strongswan-4.0.3 +---------------- + +- Added support for the auto=route ipsec.conf parameter and the + ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and + CHILD_SAs dynamically on demand when traffic is detected by the + kernel. + +- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter. + As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only + new keys are generated using perfect forward secrecy. An optional flag + which enforces reauthentication will be implemented later. 
+ +- "sha" and "sha1" are now treated as synonyms in the ike= and esp= + algorithm configuration statements. + + +strongswan-4.0.2 +---------------- + +- Full X.509 certificate trust chain verification has been implemented. + End entity certificates can be exchanged via CERT payloads. The current + default is leftsendcert=always, since CERTREQ payloads are not supported + yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls. + +- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 + would offer more possibilities for traffic selection, but the Linux kernel + currently does not support it. That's why we stick with these simple + ipsec.conf rules for now. + +- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no + IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear, + dpddelay=60s). + +- Initial NAT traversal support in IKEv2. Charon includes NAT detection + notify payloads to detect NAT routers between the peers. It switches + to port 4500, uses UDP encapsulated ESP packets, handles peer address + changes gracefully and sends keep alive message periodically. + +- Reimplemented IKE_SA state machine for charon, which allows simultaneous + rekeying, more shared code, cleaner design, proper retransmission + and a more extensible code base. + +- The mixed PSK/RSA roadwarrior detection capability introduced by the + strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal + payloads by the responder right before any defined IKE Main Mode state had + been established. Although any form of bad proposal syntax was being correctly + detected by the payload parser, the subsequent error handler didn't check + the state pointer before logging current state information, causing an + immediate crash of the pluto keying daemon due to a NULL pointer. 
+ + +strongswan-4.0.1 +---------------- + +- Added algorithm selection to charon: New default algorithms for + ike=aes128-sha-modp2048, as both daemons support it. The default + for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles + the ike/esp parameter the same way as pluto. As this syntax does + not allow specification of a pseudo random function, the same + algorithm as for integrity is used (currently sha/md5). Supported + algorithms for IKE: + Encryption: aes128, aes192, aes256 + Integrity/PRF: md5, sha (using hmac) + DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192 + and for ESP: + Encryption: aes128, aes192, aes256, 3des, blowfish128, + blowfish192, blowfish256 + Integrity: md5, sha1 + More IKE encryption algorithms will come after porting libcrypto into + libstrongswan. + +- initial support for rekeying CHILD_SAs using IKEv2. Currently no + perfect forward secrecy is used. The rekeying parameters rekey, + rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported + when using IKEv2. WARNING: charon currently is unable to handle + simultaneous rekeying. To avoid such a situation, use a large + rekeyfuzz, or even better, set rekey=no on one peer. + +- support for host2host, net2net, host2net (roadwarrior) tunnels + using predefined RSA certificates (see uml scenarios for + configuration examples). - new build environment featuring autotools. Features such as HTTP, LDAP and smartcard support may be enabled using the ./configure script. Changing install directories is possible, too. See ./configure --help for more details. +- better integration of charon with ipsec starter, which allows + (almost) transparent operation with both daemons. charon + handles ipsec commands up, down, status, statusall, listall, + listcerts and allows proper load, reload and delete of connections + via ipsec starter. + + strongswan-4.0.0 ----------------
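Review bot: the last item of the strongswan-4.0.2 section (the mixed PSK/RSA roadwarrior paragraph) explains how a malformed IKE proposal crashes pluto through a NULL state pointer, but it never states that the defect is fixed in this release or which releases are affected. The text only implies everything since strongswan-2.7.0. Because the responder parses the proposal "right before any defined IKE Main Mode state had been established", the crash happens before the peer is authenticated, and the entry should say that plainly so administrators can judge upgrade urgency. Suggest closing the item with a sentence such as "The error handler now checks the state pointer before logging." and naming the affected version range. Two smaller points in the strongswan-4.0.4 section: the DPD item writes dpd_action, dpd_timeout and dpd_delay while the 4.0.2 DPD item writes dpdaction and dpddelay, so pick the spelling that ipsec.conf actually accepts and use it in both places; and in the PSK item "authentificate ourself" should read "authenticate ourselves".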