X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=NEWS;h=f63078fc4c66d09d9494ba852ef0aaa5bc1f90f7;hp=f07f95e2ce18d8696f7c69067b2714d24c286851;hb=e698dc4559a29ddce45738236ac43d484e80618a;hpb=c15c3d4be96336699b469b4c4045f1acd97201e8;ds=inline diff --git a/NEWS b/NEWS index f07f95e..f63078f 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,58 @@ +strongswan-4.0.3 +---------------- + +- Added support for the auto=route ipsec.conf parameter and the + ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and + CHILD_SAs dynamically on demand when traffic is detected by the + kernel. + +- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter. + As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only + new keys are generated using perfect forward secrecy. An optional flag + which enforces reauthentication will be implemented later. + +- "sha" and "sha1" are now treated as synonyms in the ike= and esp= + algorithm configuration statements. + + +strongswan-4.0.2 +---------------- + +- Full X.509 certificate trust chain verification has been implemented. + End entity certificates can be exchanged via CERT payloads. The current + default is leftsendcert=always, since CERTREQ payloads are not supported + yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls. + +- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 + would offer more possibilities for traffic selection, but the Linux kernel + currently does not support it. That's why we stick with these simple + ipsec.conf rules for now. + +- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no + IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear, + dpddelay=60s). + +- Initial NAT traversal support in IKEv2. Charon includes NAT detection + notify payloads to detect NAT routers between the peers. It switches + to port 4500, uses UDP encapsulated ESP packets, handles peer address + changes gracefully and sends keep alive message periodically. + +- Reimplemented IKE_SA state machine for charon, which allows simultaneous + rekeying, more shared code, cleaner design, proper retransmission + and a more extensible code base. 
+ +- The mixed PSK/RSA roadwarrior detection capability introduced by the + strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal + payloads by the responder right before any defined IKE Main Mode state had + been established. Although any form of bad proposal syntax was being correctly + detected by the payload parser, the subsequent error handler didn't check + the state pointer before logging current state information, causing an + immediate crash of the pluto keying daemon due to a NULL pointer. + + +strongswan-4.0.1 +---------------- + - Added algorithm selection to charon: New default algorithms for ike=aes128-sha-modp2048, as both daemons support it. The default for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles @@ -22,6 +77,10 @@ simultaneous rekeying. To avoid such a situation, use a large rekeyfuzz, or even better, set rekey=no on one peer. +- support for host2host, net2net, host2net (roadwarrior) tunnels + using predefined RSA certificates (see uml scenarios for + configuration examples). + - new build environment featuring autotools. Features such as HTTP, LDAP and smartcard support may be enabled using the ./configure script. Changing install directories @@ -33,6 +92,7 @@ listcerts and allows proper load, reload and delete of connections via ipsec starter. + strongswan-4.0.0 ----------------
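Review bot: The pluto NULL-pointer entry in the first hunk (strongswan-4.0.2 section) describes a crash that a responder hits while pre-parsing IKE proposal payloads "right before any defined IKE Main Mode state had been established", i.e. a crash reachable by an unauthenticated peer sending a malformed proposal; the entry should say so plainly, state the affected range (the text itself traces the bug to the detection introduced in strongswan-2.7.0) and flag it as a security fix so operators reading NEWS know to upgrade rather than treating it as a cosmetic bugfix. Two smaller points in the same hunk: the DPD entry says the behaviour "is currently hardcoded (dpdaction=clear, dpddelay=60s)" but should add that the ipsec.conf dpd* parameters are therefore ignored for IKEv2 in this release, and the certificate entry should note the consequence of "The current default is leftsendcert=always, since CERTREQ payloads are not supported yet", namely that the end-entity certificate is sent to every peer unconditionally; suggested wording for the latter: "Note that with this default the local certificate is transmitted in every IKE_AUTH exchange, whether or not the peer asked for it."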
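Review bot: In the second hunk (the strongswan-4.0.1 entry added before "new build environment featuring autotools"), "using predefined RSA certificates (see uml scenarios for configuration examples)" is ambiguous about what "predefined" means; if these are the certificates and private keys shipped with the UML test scenarios, the entry should say so and make clear they are test material for the scenarios only, e.g. "using the RSA certificates shipped with the UML test scenarios (test keys; generate your own for any real deployment)". Minor style point in the same lines: the entry starts lowercase ("support for ...") while every other bullet in this file starts with a capitalised verb ("Added ...", "Reimplemented ..."), so "Added support for host2host, ..." would match the surrounding entries.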