X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=NEWS;h=f63078fc4c66d09d9494ba852ef0aaa5bc1f90f7;hp=8595682d9f0436d0bca221907c7730e4b6e5c725;hb=f983ec4dc53e3d3a89545097c120fa8c06afa62f;hpb=f2c2d395ff756505be10b9d3e8420af498f33cc2 diff --git a/NEWS b/NEWS index 8595682..f63078f 100644 --- a/NEWS +++ b/NEWS 
@@ -1,9 +1,98 @@ +strongswan-4.0.3 +---------------- + +- Added support for the auto=route ipsec.conf parameter and the + ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and + CHILD_SAs dynamically on demand when traffic is detected by the + kernel. + +- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter. + As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only + new keys are generated using perfect forward secrecy. An optional flag + which enforces reauthentication will be implemented later. + +- "sha" and "sha1" are now treated as synonyms in the ike= and esp= + algorithm configuration statements. + + +strongswan-4.0.2 +---------------- + +- Full X.509 certificate trust chain verification has been implemented. + End entity certificates can be exchanged via CERT payloads. The current + default is leftsendcert=always, since CERTREQ payloads are not supported + yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls. + +- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 + would offer more possibilities for traffic selection, but the Linux kernel + currently does not support it. That's why we stick with these simple + ipsec.conf rules for now. + +- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no + IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear, + dpddelay=60s). + +- Initial NAT traversal support in IKEv2. Charon includes NAT detection + notify payloads to detect NAT routers between the peers. It switches + to port 4500, uses UDP encapsulated ESP packets, handles peer address + changes gracefully and sends keep alive message periodically. + +- Reimplemented IKE_SA state machine for charon, which allows simultaneous + rekeying, more shared code, cleaner design, proper retransmission + and a more extensible code base. 
+ +- The mixed PSK/RSA roadwarrior detection capability introduced by the + strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal + payloads by the responder right before any defined IKE Main Mode state had + been established. Although any form of bad proposal syntax was being correctly + detected by the payload parser, the subsequent error handler didn't check + the state pointer before logging current state information, causing an + immediate crash of the pluto keying daemon due to a NULL pointer. + + +strongswan-4.0.1 +---------------- + +- Added algorithm selection to charon: New default algorithms for + ike=aes128-sha-modp2048, as both daemons support it. The default + for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles + the ike/esp parameter the same way as pluto. As this syntax does + not allow specification of a pseudo random function, the same + algorithm as for integrity is used (currently sha/md5). Supported + algorithms for IKE: + Encryption: aes128, aes192, aes256 + Integrity/PRF: md5, sha (using hmac) + DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192 + and for ESP: + Encryption: aes128, aes192, aes256, 3des, blowfish128, + blowfish192, blowfish256 + Integrity: md5, sha1 + More IKE encryption algorithms will come after porting libcrypto into + libstrongswan. + +- initial support for rekeying CHILD_SAs using IKEv2. Currently no + perfect forward secrecy is used. The rekeying parameters rekey, + rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported + when using IKEv2. WARNING: charon currently is unable to handle + simultaneous rekeying. To avoid such a situation, use a large + rekeyfuzz, or even better, set rekey=no on one peer. + +- support for host2host, net2net, host2net (roadwarrior) tunnels + using predefined RSA certificates (see uml scenarios for + configuration examples). - new build environment featuring autotools. 
Features such as HTTP, LDAP and smartcard support may be enabled using the ./configure script. Changing install directories is possible, too. See ./configure --help for more details. +- better integration of charon with ipsec starter, which allows + (almost) transparent operation with both daemons. charon + handles ipsec commands up, down, status, statusall, listall, + listcerts and allows proper load, reload and delete of connections + via ipsec starter. + + strongswan-4.0.0 ----------------
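Review bot: The last strongswan-4.0.2 entry, the one beginning "The mixed PSK/RSA roadwarrior detection capability", explains how a syntactically bad IKE proposal crashed pluto through an unchecked state pointer in the error handler, but it never says that this release fixes the problem, and it is the only entry in the hunk not phrased as a change. Suggest opening it with a statement of the fix, for example "Fixed a NULL pointer dereference in pluto's error handler for bad IKE proposals", and stating the affected releases, which the text implies begin with strongswan-2.7.0, so that an operator reading NEWS can tell whether the upgrade is needed. Two smaller points in the same hunk: the 4.0.1 algorithm list writes the integrity algorithm as "sha" for IKE and "sha1" for ESP, which is worth aligning now that the 4.0.3 entry declares the two synonyms; and in the DPD entry "liveliness" should read "liveness".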