Roadmap

5.6.2

Due in 31 days (19.02.2018)

Minor Release

80%

5 issues   (4 closed — 1 open)

Version 5.6.2

This will be the next minor release, see Roadmap for updates on the release date.

5.6.1

17.11.2017

Minor Release

100%

13 issues   (13 closed — 0 open)

Version 5.6.1

  • Several algorithms were removed from the default ESP/AH and IKE proposals in compliance with
    RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the
    3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKE default
    proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
    latter is significant for Windows clients in their default configuration).
    These algorithms may still be used in custom proposals.
  • Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are
    currently not used automatically; to change that, charon.rsa_pss may be enabled in strongswan.conf. To explicitly
    use or require such signatures during IKEv2 signature authentication (RFC 7427), ike:rsa/pss... authentication
    constraints may be used for specific connections (regardless of whether the strongswan.conf option above is
    enabled). Only the hash algorithm can be specified in such constraints; the MGF1 will be based on that hash
    and the salt length will equal the hash length (when verifying, the salt length is not enforced).

    To enforce such signatures during PKI verification use rsa/pss... authentication constraints.

    All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the
    classic PKCS#1 scheme with the --rsa-padding pss option. As with signatures during authentication, only
    the hash algorithm is configurable (via the --digest option); the MGF1 will be based on that and the salt length
    will equal the hash length.

    These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp
    plugin requires the mgf1 plugin.

    Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys
    in PKCS#8 files) are currently not used as constraints.

  • The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu)
    and sets the security flags in the IMV policy database accordingly. Additionally for each new package
    version a SWID tag for the given OS and HW architecture is created and stored in the database.
    Using the sec-updater.sh script template the lookup can be automated (e.g. via an hourly cron job).
  • When restarting an IKEv2 negotiation after receiving an INVALID_KE_PAYLOAD notify (or for other reasons,
    such as too many retransmits), a new initiator SPI is allocated. This prevents issues caused by retransmits of
    IKE_SA_INIT messages.

    Because the initiator SPI was previously reused when restarting the connection, delayed responses to previous
    connection attempts were processed and might have caused fatal errors due to a failed DH negotiation or because
    of the internal retry counter in the ike-init task. For instance, if we proposed a DH group the responder rejected, we
    might have later received delayed responses that either contained INVALID_KE_PAYLOAD notifies with the DH group
    we had already switched to, or, if we retransmitted an IKE_SA_INIT with the requested group but then had to restart again,
    a KE payload with a group different from the one we proposed.

  • The introduction of file versions in the IMV database scheme broke file reference hash measurements.
    This has been fixed by creating generic product versions having an empty package name.
  • A new timeout option for the systime-fix plugin stops periodic system time checks after a while and enforces
    a certificate verification, closing or reauthenticating all SAs with invalid certificates.
  • The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and
    reset via vici and the new swanctl --counters command. They are collected and provided by the optional
    counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).
  • Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting
    messages (655924074b).
  • Basic support for systemd sockets has been added, which may be used for privilege separation (59db98fb94).
  • Inbound marks may optionally be installed in the SA again (was removed with 5.5.2) by enabling the mark_in_sa
    option in swanctl.conf.
  • The timeout of leases in pools configured via pool utility may be configured in other units than hours.
  • INITIAL_CONTACT notifies are now only omitted if never is configured as uniqueness policy.
  • Outbound FWD policies for shunts are not installed anymore, by default (as is the case for other policies since 5.5.1).
  • Don't consider a DH group mismatch during CHILD_SA rekeying as failure as responder (e7276f78aa).
  • Handling of fragmented IPv4 and IPv6 packets in libipsec has been improved (e138003de9).
  • Trigger expire events for the correct IPsec SA in libipsec (6e861947a0).
  • A crash in CRL verification via openssl plugin using OpenSSL 1.1 has been fixed (78acaba6a1).
  • No hard-coded default proposals are passed from starter to the stroke plugin anymore (the IKE proposal used
    curve25519 since 5.5.2, which is an optional plugin).
  • A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added (039b85dd43).
  • Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
  • Instead of failing or just silently doing nothing unit tests may now warn about certain conditions (e.g. if a test
    was not executed due to external dependencies).
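
The SPI reuse problem described in the IKE_SA_INIT restart item above, as an added, deliberately simplified model (not strongSwan code): an initiator proposes modp1024, is redirected to modp2048 by INVALID_KE_PAYLOAD, and then receives one delayed response belonging to the first attempt. With the pre-5.6.1 behaviour (same SPI) that stale response is matched to the live negotiation and either trips the group-switch retry counter or fails the DH check; with a fresh SPI it is simply dropped. The "one group switch per attempt" limit and the message fields are assumptions of the model, not taken from the daemon's source.

```python
"""Why a restarted IKE_SA_INIT gets a fresh initiator SPI (strongSwan 5.6.1).
Added, simplified model for this page; not strongSwan code."""
import secrets
from dataclasses import dataclass
from typing import Optional

INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"


@dataclass
class InitResponse:
    """IKE_SA_INIT response as seen by the initiator (constructed, only the relevant fields)."""
    spi_i: int                     # initiator SPI echoed in the IKE header
    dh_group: str                  # group of the KE payload, or the group the notify asks for
    notify: Optional[str] = None   # e.g. INVALID_KE_PAYLOAD


class Initiator:
    """Initiator side of IKE_SA_INIT with DH group switching."""

    def __init__(self, first_group: str, reuse_spi: bool):
        self.reuse_spi = reuse_spi          # True models the pre-5.6.1 behaviour
        self.spi_i = secrets.randbits(64)
        self.proposed = first_group
        self.group_switches = 0             # stands in for the ike-init task's retry counter
        self.state = "connecting"

    def restart(self, group: str) -> None:
        """Restart the negotiation, e.g. after INVALID_KE_PAYLOAD or too many retransmits."""
        if not self.reuse_spi:
            self.spi_i = secrets.randbits(64)   # 5.6.1: new SPI, old responses no longer match
        self.proposed = group
        self.state = "connecting"

    def receive(self, resp: InitResponse) -> str:
        if self.state != "connecting":
            return "ignored"
        if resp.spi_i != self.spi_i:
            # No IKE_SA is registered under this SPI, so the message has nowhere to go.
            return "dropped (unknown SPI)"
        if resp.notify == INVALID_KE_PAYLOAD:
            if self.group_switches >= 1:
                # Assumption of the model: only one group switch per attempt is tolerated.
                self.state = "failed"
                return "failed (retry counter)"
            self.group_switches += 1
            self.restart(resp.dh_group)
            return f"restarted with {resp.dh_group}"
        if resp.dh_group != self.proposed:
            self.state = "failed"
            return "failed (DH group mismatch)"
        self.state = "established"
        return "established"


def run_scenario(delayed: str, reuse_spi: bool) -> str:
    """Propose modp1024, get redirected to modp2048, then receive one delayed response
    for the first attempt before the genuine answer arrives.

    delayed == "duplicate_notify": a second INVALID_KE_PAYLOAD (answer to a retransmit)
    delayed == "stale_ke":         a KE payload for modp1024, the group we no longer use
    """
    init = Initiator("modp1024", reuse_spi)
    old_spi = init.spi_i
    init.receive(InitResponse(old_spi, "modp2048", INVALID_KE_PAYLOAD))
    if delayed == "duplicate_notify":
        init.receive(InitResponse(old_spi, "modp2048", INVALID_KE_PAYLOAD))
    else:
        init.receive(InitResponse(old_spi, "modp1024"))
    init.receive(InitResponse(init.spi_i, "modp2048"))   # genuine response to the restart
    return init.state


if __name__ == "__main__":
    for scenario in ("duplicate_notify", "stale_ke"):
        for reuse in (True, False):
            print(f"{scenario:17} reuse_spi={reuse!s:5} -> {run_scenario(scenario, reuse)}")
```

Running the four combinations shows both failure modes the release note mentions for the reused SPI, and a successful IKE_SA for the fresh one; the only thing that changes between the two columns is whether `restart()` allocates a new SPI.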

5.6.0

14.08.2017

Major Release

100%

17 issues   (17 closed — 0 open)

Version 5.6.0

  • Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
    where m is the signature, and e and n are the exponent and modulus of the public key.
    The value m must be an integer between 0 and n-1; however, the gmp plugin did not verify this.
    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
    This result wasn't handled properly, causing a null-pointer dereference.
    This vulnerability has been registered as CVE-2017-11185.
    Please refer to our blog for details.
  • The IMV database template has been adapted to achieve full compliance with the
    ISO 19770-2:2015 SWID tag standard.
  • The sw-collector tool extracts software events from apt history logs and stores them
    in an SQLite database to be used by the SWIMA IMC. The tool can also generate SWID tags both
    for installed and removed package versions.
  • The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
  • libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
  • Adds the eap-aka-3gpp plugin, which implements the 3GPP MILENAGE algorithms in software.
    K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets
    or swanctl.conf.
  • The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3:
    • On Linux the outbound policy now has the SPI of the corresponding SA set and the responder
      of a rekeying will install both IPsec SAs (in/out) immediately, but delay the update of the
      outbound policy until it received the delete for the replaced CHILD_SA.
    • The previous code temporarily installed an outbound IPsec SA/policy that was deleted
      immediately afterwards when a rekey collision was lost, which caused a slight chance for traffic loss.
  • The remote address must not be resolvable anymore when installing trap policies (at least not if the
    remote traffic selector is not %dynamic, 1a8226429a).
  • By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
    swanctl.conf file.
  • The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
  • The sha2 plugin was changed so that the last output is not stored in an internal buffer anymore (1a75514b76, #2388).
  • The encoding of nonces in OCSP requests was fixed in the x509 plugin (d7dc677ee5).
  • The handling of keyUsage extensions in X.509 certificates was fixed in the openssl plugin (e793d65acd).
  • pki loads the pubkey plugin to fix printing public keys (ef6b710f19).
  • Some changes were added to the TestingEnvironment:
    • do-tests supports running multiple tests via wildcards (e.g. do-tests ikev2/ocsp-*)
    • With the -v option do-tests will prefix each executed command with a timestamp in console.log
    • Tests in evaltest.dat can now easily match a specific number of lines (instead of [YES] or [NO]
      use e.g. [2] if exactly two matching lines - or packets for tcpdump matches - are expected)
    • Failed matches are now clearly marked in console.log

5.5.3

30.05.2017

Minor Release

100%

6 issues   (6 closed — 0 open)

Version 5.5.3

  • Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
    validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
    requirements regarding the passed exponent and modulus that the plugin did not
    enforce; if these are not met the calculation will result in a floating point exception
    that crashes the whole process.
    This vulnerability has been registered as CVE-2017-9022.
    Please refer to our blog for details.
  • Fixed a DoS vulnerability in the x509 plugin that was caused by the ASN.1 parser
    not handling ASN.1 CHOICE types properly, which could result in an infinite loop when
    parsing X.509 extensions that use such types.
    This vulnerability has been registered as CVE-2017-9023.
    Please refer to our blog for details.
  • The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
    traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
    the responder already has everything available to install and use the new CHILD_SA.
    However, this could lead to lost traffic as the initiator won't be able to process
    inbound packets until it processed the CREATE_CHILD_SA response and updated the
    inbound SA. To avoid this the responder now only installs the new inbound SA and
    delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.

    The messages transporting these DELETEs could reach the peer before packets sent
    with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
    to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
    amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.

  • The code base has been ported to Apple's ARM64 iOS platform, which required several
    changes regarding the use of variadic functions. This was necessary because the calling
    conventions for variadic and regular functions are different there.
    This means that assigning a non-variadic function to a variadic function pointer, as we
    did with our enumerator_t::enumerate() implementations and several callbacks, will
    result in crashes as the called function accesses the arguments differently than the
    caller provided them. To avoid this issue the enumerator_t interface has been changed
    and the signature of the callback functions for enumerator_create_filter() and two
    methods on linked_list_t have been changed. Refer to the developer notes below
    for details.
  • Adds support for fuzzing the certificate parser provided by the default plugins
    (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with
    libFuzzer). Several issues found while fuzzing these plugins were fixed.
  • Two new options have been added to charon's retransmission settings:
    retransmit_limit and retransmit_jitter. The former adds an upper limit to the
    calculated retransmission timeout, the latter randomly reduces it.
    Refer to Retransmission for details.
  • A bug in swanctl's --load-creds command was fixed that caused unencrypted
    private keys to get unloaded if the command was called multiple times.
    The load-key VICI command now returns the key ID of the loaded key on success.
  • The credential manager now enumerates local credential sets before global ones.
    This means certificates supplied by the peer will now be preferred over certificates
    with the same identity that may be locally stored (e.g. in the certificate cache).
  • Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for
    specific hardware that supports this.
  • To announce support for IKE fragmentation but not actively fragment IKE messages
    the new accept option for the fragmentation setting may be used.
  • If charon.plugins.socket-default.set_sourceif is enabled the socket-default plugin
    sets the outbound interface via IP_PKTINFO/IN6_PKTINFO. This is usually not required
    but could be used in special scenarios, e.g. to use IPv6 link-local addresses as
    tunnel endpoints.
  • Add support for SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for PF_KEYv2's
    SADB_UPDATE message, which upcoming FreeBSD kernels will support for updating
    IP addresses of existing SAs.
  • The value of charon.plugins.kernel-netlink.xfrm_acq_expires is now determined
    automatically based on the configured retransmission settings.
  • If updating the inbound SA fails the kernel-netlink plugin now tries to add it, which
    could be useful if the SPI already expired after lots of retransmits of several exchanges.
  • charon-nm and the NetworkManager plugin now support customizing the IKE and
    ESP proposals.
  • With the sha256_96 compatibility option it's possible to locally configure 96-bit truncation
    for HMAC_SHA256 (the correct truncation is 128 bit) when negotiated using the official
    algorithm identifier (12). This is only useful for compatibility with peers that incorrectly
    use this shorter truncation as the actual truncation length is not negotiated.
  • The removal of all online leases by the attr-sql plugin at startup may now be disabled
    to share the database between multiple instances.
  • The pki tool loads the curve25519 plugin by default.
  • When building the libraries monolithically and statically the plugin constructors are now
    hard-coded in each library so the plugin code is not removed by the linker because it
    thinks none of their symbols are ever referenced. This allows building an almost stand-alone
    static version of e.g. charon when building with --enable-monolithic --enable-static --disable-shared
    (without --disable-shared libtool will build a version that still links
    the libraries dynamically, which might save some disk space if it's not necessary to link
    them statically; however, using --enable-monolithic might be enough in that case).
    External libraries (e.g. gmp or openssl) are not linked statically this way, though.
  • Notes for developers:
    • child_sa_t: The API used for installing policies and SAs has been changed (traffic
      selectors are now only set once, outbound SAs and policies may be installed/uninstalled
      separately).
    • enumerator_t: A new mandatory method, venumerate(), has been added that takes
      a va_list with the arguments provided while enumerating. enumerate() is replaced
      with a generic implementation that prepares a va_list and calls the enumerator's
      venumerate() implementation. As this allows passing the arguments of one enumerator
      to another it avoids the five pointer hack previously used by enumerator_create_nested()
      and enumerator_create_cleaner(). To simplify the implementation of venumerate() a
      helper macro is provided that assigns values from a given va_list to local variables.
    • enumerator_create_filter(): The signature of the callback has changed significantly.
      It's now required to enumerate over the original enumerator in the callback itself, as
      this avoids the previous in/out pointer hack. The arguments to the outer enumerator are
      provided in a va_list.
    • linked_list_t: To avoid the five pointer hack previously used the signatures of the
      callbacks for linked_list_t's invoke_function() and find_first() methods have been
      changed to take a va_list as second argument. For the latter method the return type also
      changed from status_t to bool, which is important as SUCCESS is defined as 0, so checks
      for == SUCCESS will now fail.
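
Three items on this page concern the same RSA verification path: the RSASSA-PSS support added in 5.6.1 (MGF1 derived from the signature hash, salt length equal to the hash length when signing, salt length not enforced when verifying), the missing 0 <= m < n check behind CVE-2017-11185, and the mpz_powm_sec() preconditions behind CVE-2017-9022 (GMP documents these as a positive exponent and an odd modulus). The following pure-Python RSASSA-PSS implementation is an added example for this page, not strongSwan or GMP code; it follows RFC 8017 and performs those checks before the modular exponentiation. The 640-bit key, the seed and the message are constructed for the example and are far too small for real use.

```python
"""RSASSA-PSS (RFC 8017) with the input checks discussed on this page, in pure Python.
Added illustration; neither strongSwan nor GMP code.  The 640-bit key is a toy."""
import hashlib
import hmac
import os
import random
from math import gcd


def _probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin; the RNG is seeded so the toy key is reproducible."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits: int = 640, seed: int = 1):
    """Constructed RSA key pair ((n, e), (n, d)), far too small for real use."""
    rng = random.Random(seed)
    def prime(b: int) -> int:
        while True:
            c = rng.getrandbits(b) | 1 << (b - 1) | 1
            if _probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        if p != q and gcd(e, lam) == 1 and (p * q).bit_length() == bits:
            return (p * q, e), (p * q, pow(e, -1, lam))


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    # MGF1 built on the same hash as the signature, as strongSwan does.
    hlen = hashlib.new(hash_name).digest_size
    blocks = (hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
              for c in range((length + hlen - 1) // hlen))
    return b"".join(blocks)[:length]


def _h_prime(msg: bytes, salt: bytes, hash_name: str) -> bytes:
    return hashlib.new(hash_name, b"\x00" * 8 + hashlib.new(hash_name, msg).digest() + salt).digest()


def emsa_pss_encode(msg: bytes, em_bits: int, hash_name: str, salt_len=None) -> bytes:
    """RFC 8017 9.1.1; by default the salt is as long as the hash output."""
    hlen = hashlib.new(hash_name).digest_size
    slen = hlen if salt_len is None else salt_len
    em_len = (em_bits + 7) // 8
    if em_len < hlen + slen + 2:
        raise ValueError("modulus too small for this hash/salt length")
    salt = os.urandom(slen)
    h = _h_prime(msg, salt, hash_name)
    db = b"\x00" * (em_len - slen - hlen - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - hlen - 1, hash_name)))
    top = 0xFF >> (8 * em_len - em_bits)                    # clear the unused leading bits
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, hash_name: str) -> bool:
    """RFC 8017 9.1.2 without enforcing a salt length: the 0x01 separator decides the split."""
    hlen = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < hlen + 2 or em[-1] != 0xBC or em[0] & ~top & 0xFF:
        return False
    masked, h = em[:em_len - hlen - 1], em[em_len - hlen - 1:-1]
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - hlen - 1, hash_name)))
    db = bytes([db[0] & top]) + db[1:]
    sep = db.find(b"\x01")
    if sep < 0 or any(db[:sep]):
        return False
    return hmac.compare_digest(h, _h_prime(msg, db[sep + 1:], hash_name))


def pss_sign(priv, msg: bytes, hash_name: str = "sha256", salt_len=None) -> bytes:
    n, d = priv
    em = emsa_pss_encode(msg, n.bit_length() - 1, hash_name, salt_len)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def pss_verify(pub, msg: bytes, sig: bytes, hash_name: str = "sha256") -> bool:
    """Checks the gmp plugin lacked: 0 <= s < n (CVE-2017-11185) and, before the
    exponentiation, the mpz_powm_sec() preconditions e > 0 and odd n (CVE-2017-9022)."""
    n, e = pub
    if e <= 0 or n % 2 == 0:
        raise ValueError("refusing key: exponent must be positive and modulus odd")
    s = int.from_bytes(sig, "big")
    if len(sig) != (n.bit_length() + 7) // 8 or not 0 <= s < n:
        return False                   # s == n would give m = 0 and an empty export
    em_bits = n.bit_length() - 1
    m = pow(s, e, n)
    if m.bit_length() > em_bits:
        return False
    return emsa_pss_verify(msg, m.to_bytes((em_bits + 7) // 8, "big"), em_bits, hash_name)
```

Signing with `salt_len=8` and verifying with the default settings succeeds, which is what "the salt length is not enforced when verifying" means in practice; the PS/salt boundary is recovered from the 0x01 separator rather than assumed. A signature whose representative equals n is rejected by the range check instead of reaching the exponentiation, and a key with a zero exponent or an even modulus is refused up front.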

5.5.2

28.03.2017

Minor release

100%

26 issues   (26 closed — 0 open)

Version 5.5.2

  • Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined by RFC 8031
    is provided by the new curve25519 plugin.
  • Support of Ed25519 digital signature algorithm for IKEv2 as defined by draft-ietf-ipsecme-eddsa
    is provided by the new curve25519 plugin. Ed25519-based public key pairs, X.509 certificates and CRLs
    can be generated and printed by the pki tool.
  • The new tpm libtpmtss plugin allows the use of persistent private RSA and ECDSA keys bound
    to a TPM 2.0 for both IKE and TLS authentication. Using the TPM 2.0 object handle as keyid
    parameter, the pki --pub tool can extract the public key from the TPM, thereby replacing the
    aikpub2 tool. In a similar fashion pki --req can generate a PKCS#10 certificate request signed
    with the TPM private key. Optionally the tpm plugin may be used as RNG.
  • The pki tool gained support for generating certificates with RFC 3779 addrblock extensions.
    The charon addrblock plugin now dynamically narrows traffic selectors based on the certificate's
    addrblocks instead of rejecting non-matching selectors completely. This allows generic connections,
    where the allowed selectors are defined by the used certificates only.
  • The optional bypass-lan plugin automatically installs and updates passthrough/bypass
    policies for locally attached subnets. This is useful for mobile hosts that are used in different
    networks that want to access local devices in these networks (e.g. printers or NAS) while
    connected to a VPN.
  • A command injection vulnerability in the ipsec script was fixed, which was exploitable if unprivileged
    users were allowed to run the script via sudo (2ec6372f5a).
    Thanks to Andrea Barisani for reporting this.
  • Several new features for the VICI interface and the swanctl utility were added:
    • Enumerating and unloading private keys and shared secrets (swanctl --load-creds now
      automatically unloads removed secrets)
    • Loading keys and certificates from PKCS#11 tokens or a TPM (refer to the documentation of
      cert<suffix> and token<suffix> sections in swanctl.conf)
    • The ability to initiate, install and uninstall connections and policies by their exact
      name (if multiple child sections in different connections share the same name)
    • Querying a specific pool
    • A command to initiate the rekeying of IKE and IPsec SAs
    • Public keys may be configured directly in swanctl.conf via 0x/0s prefix (actually works for
      certificates too)
    • The overhead of the VICI logger has been reduced as it now only does something if listeners
      are registered
    • Support for settings previously only supported by the old config files: DSCP, certificate
      policies, IPv6 Transport Proxy Mode, NT hash secrets, mediation extension
  • In-place update of cached base and delta CRLs does not leave dozens of stale copies in cache memory.
  • Support for handling IKEV2_MESSAGE_ID_SYNC notifies as responder (usually the original initiator
    of an IKE_SA) as defined in RFC 6311 was added. Some HA solutions use these notifies to set
    the new IKEv2 message IDs after a failover event (currently not our HA solution, though).
  • By default, the IKE daemon keeps SAs on the routing path with addresses it previously used if that
    path is still usable. Enabling charon.prefer_best_path changes that: the daemon will then try more aggressively
    to update SAs with MOBIKE on routing changes using the cheapest path. This adds more noise, but
    allows SAs to adapt dynamically to routing priority changes, for instance if some paths actually
    generate more costs than others (597e8c9e00).
  • If MOBIKE is disabled and the local address is statically configured the daemon will now ignore any
    roaming events that might, otherwise, cause it to attempt to recreate the IKE_SA (be27e76869).
  • Trap policies now use priorities from the same range as regular policies, which allows installing
    overlapping trap policies (#1243).
  • When proposing transport mode the IKE daemon now always applies the hosts to the traffic selectors.
    It previously only did so if %dynamic was used as TS. However, that's not the case if wildcard trap
    policies are configured (no single remote address specified). Once traffic matched, the daemon proposed
    the configured remote TS as-is, which the responder then had to narrow down to its own local address.
    Some third-party implementations, however, reject such non-host TS for transport mode SAs (da82786b2d).
  • For AH the kernel-netlink plugin now enables the correct 4 byte alignment (by default, the kernel
    uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4, 965daa1df3).
  • The kernel-netlink plugin now considers labels when selecting IPv6 addresses (#2138) and sets the
    NODAD flag for virtual IPv6 addresses to avoid issues with failing DAD (#2183).
  • The receive buffer size used by the kernel-netlink plugin is now configurable (8a91729dfe).
  • Large responses to Netlink requests are now concatenated more efficiently by the kernel-netlink
    plugin (6fe1d78a0d).
  • If route installation is disabled (charon.install_routes) the kernel-netlink plugin now uses a more
    efficient route lookup to determine source and next-hop addresses (558691b3b0).
  • No mark is installed anymore on inbound IPsec SAs. So explicitly marking inbound traffic before
    decryption is not necessary anymore (067fd2c69c).
  • The range from which SPIs for IPsec SAs are allocated by the kernel is now configurable.
  • PSKs for IKEv1 connections are now first looked up based on configured identities of connections
    that match the IPs, before falling back to searching for PSKs for the IPs (#2223).
  • The daemon now responds to DPDs for rekeyed IKEv1 SAs (#2090).
  • charon-systemd now reloads strongswan.conf, the loggers and the plugins (that support it)
    when it receives a SIGHUP. The same may be achieved via VICI's reload-settings command, which
    previously did not reload the loggers.
  • Validation via OCSP and CRLs can be disabled individually in the revocation plugin.
  • RFC 5114 DH groups were removed from the default proposal (649537ee8d), they may be used if
    configured explicitly.
  • A memory leak was fixed when CHILD_SA configs were updated via VICI (da1d5cd2e6).
  • The plugin loader now correctly hashes registered plugin features (ac4942c3c3).
  • Notes for developers:
    • Due to issues with VICI bindings that map sub-sections to dictionaries (e.g. Python)
      the CHILD_SA sections returned via list-sas now have a unique name. The original name
      of a CHILD_SA is returned in the name key of its section.
    • To simplify loading certificates via VICI when running on the same host as the daemon
      absolute paths to certificates (instead of their binary encoding) may be passed via
      cert<suffix> sections (file key).
    • The load-testconfig script now loads the configs from the source directory and pre-processes
      them properly (previously it was required to run do-tests once for the target scenario).

5.5.1

20.10.2016

Minor release

100%

10 issues   (10 closed — 0 open)

Version 5.5.1

  • The newhope plugin implements the post-quantum NewHope key exchange algorithm
    proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
    Peter Schwabe.
  • The libstrongswan crypto factory now offers the registration of Extended
    Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
    implemented by the sha3 plugin, ChaCha20 implemented by the chapoly plugin
    and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
    SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
  • By default, the "outbound" FWD policies, introduced with 5.5.0, are not installed anymore.
    They may be enabled via the policies_fwd_out setting in swanctl.conf/vici for a specific
    CHILD_SA if its traffic would otherwise get blocked by a drop policy.
    A bug in regards to updating reqids in the kernel-netlink plugin, that was particularly a problem
    with duplicate "outbound" FWD policies, has also been fixed (175d78df60).
  • XFRM policy hashing thresholds may be configured via strongswan.conf. This can significantly
    improve the performance on hosts where the number of flows exceeds the flow cache size of the
    Linux kernel. Policies covering more than a single address don't get hash-indexed by default,
    which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and the called
    xfrm_policy_match(). Since Linux 3.18 the kernel can hash the first n-bit of a policy subnet to
    perform indexed lookups. With correctly chosen thresholds this can completely eliminate the
    performance impact of policy lookups.
    Note: Due to a bug in Linux 3.19 through 4.7, the kernel crashes with a NULL pointer dereference
    if a socket policy (used by strongSwan to exempt IKE traffic from IPsec tunnels) is installed while
    hash thresholds are changed. See ac9759a532 for details and a workaround.
  • The NetworkManager integration has been updated to support NM 1.2.
    The directory from which CA certificates are loaded if no certificate is configured in the GUI can
    now be configured via strongswan.conf using the new charon-nm.ca_dir setting.
  • IKE fragmentation is now enabled by default with the default fragment size set to 1280 bytes
    for both IP address families.
  • A DELETE is sent when a rekeyed IKEv1 SA is deleted. This fixes issues with peers that continue
    to send DPDs on the old SA and then delete all SAs if no response is received (see #2090).
    Also, when terminating IKEv1 SAs, DELETEs for all CHILD_SAs are now sent before sending one for
    the IKE_SA and destroying it.
  • The pki tool, with help of the pkcs1 or openssl plugins, can parse private keys in any of the
    supported formats without having to know the exact type. So instead of having to specify rsa or
    ecdsa explicitly the keyword priv may be used to indicate a private key of any type.
    Similarly, swanctl can load any type of private key from the swanctl/private directory.
  • The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
    sha3 and gmp plugins.
  • The VICI flush-certs command flushes certificates from the volatile certificate cache.
    Optionally the type of the certificates to be flushed (e.g. type = x509_crl) can be specified.
  • When setting charon.cache_crls = yes in strongswan.conf the vici plugin saves regular,
    base and delta CRLs to disk.
    Fetched CRLs are now also cached if the checked certificate has been revoked.
  • The serial number for delta CRLs generated by pki --signcrl is now based on
    the given base CRL again (was broken since 4.6.3).
  • Delta CRLs are now properly cached in-memory (and on disk) together with their base. Before this
    the presence of a delta CRL might have required that the base be refetched every time.
  • When verifying trust chains with pki --verify local CRLs may now be specified with the
    new --crl argument.
  • IKE and ESP/AH proposals configured as strings in ipsec.conf and swanctl.conf (or VICI) are now
    checked to avoid invalid proposals. For instance, the presence of DH, PRF and encryption algorithms
    for IKE proposal are now enforced and AEAD and regular encryption algorithms are not allowed in
    the same proposal anymore. Also fixed is the mapping of the aes*gmac keywords to an integrity
    algorithm in AH proposals.
  • Unmarked packets may now be matched by setting 0/0xffffffff as XFRM mark (33d3ffde25).
  • The maximum registered log level is now determined correctly if loggers implementing only
    log or vlog are mixed (dac15e03c8).
  • In addition to the existing ike_keys and child_keys hooks on listener_t two new hooks
    allow listeners to receive the derived IKE and CHILD_SA keys (ike|child_derived_keys).
  • The check for libatomic has been improved (6e19a1f5f2).
  • The use of AES-GCM with BoringSSL has been fixed (c72c6e9225).
  • libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
    tss2_tcti_finalize().
  • The results of leak-detective are now evaluated in our testing environment, which
    led to the fixing of several memory leaks.
  • No key and self-signed certificate is generated by starter anymore if ipsec.secrets does not exist.
  • The long unmaintained Maemo plugin and frontend have been removed.
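
The proposal-string checks introduced in 5.5.1 (an IKE proposal needs encryption, PRF and DH; AEAD and regular ciphers may not be mixed; aes*gmac is an integrity algorithm in AH but an AEAD-style cipher in ESP), as an added example that is not strongSwan's parser. The keyword tables are a small constructed subset of the real keyword set, and the rule that a non-AEAD ESP proposal needs an integrity algorithm and that the IKE PRF may be derived from the integrity keyword are modelling assumptions, not taken from the daemon's source.

```python
"""Sanity checks for ipsec.conf / swanctl.conf proposal strings of the kind added in 5.5.1.
Added illustration with a constructed keyword subset; not strongSwan's proposal parser."""
from typing import Dict, List, Tuple

# Constructed keyword subset. For encryption keywords the value marks combined-mode (AEAD) ciphers.
ENCR = {"aes128": False, "aes256": False, "3des": False,
        "aes128gcm16": True, "aes256gcm16": True, "chacha20poly1305": True}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
PRF = {"prfmd5", "prfsha1", "prfsha256", "prfsha384", "prfsha512"}
DH = {"modp1024", "modp2048", "modp3072", "ecp256", "ecp384", "curve25519", "x25519"}
GMAC = {"aes128gmac", "aes256gmac"}   # ESP: AEAD-style cipher; AH: integrity algorithm
ESN = {"esn", "noesn"}


def classify(proto: str, kw: str) -> str:
    """Map one keyword to its algorithm class; the mapping of aes*gmac depends on the protocol."""
    if kw in GMAC:
        return "integ" if proto == "ah" else "aead"
    if kw in ENCR:
        return "aead" if ENCR[kw] else "encr"
    for cls, table in (("integ", INTEG), ("prf", PRF), ("dh", DH), ("esn", ESN)):
        if kw in table:
            return cls
    raise ValueError(f"unknown keyword {kw!r}")


def check_proposal(proto: str, proposal: str) -> Tuple[bool, str]:
    """Return (ok, reason) for an 'ike', 'esp' or 'ah' proposal string such as aes256-sha256-modp2048."""
    classes: Dict[str, List[str]] = {}
    try:
        for kw in proposal.lower().split("-"):
            classes.setdefault(classify(proto, kw), []).append(kw)
    except ValueError as exc:
        return False, str(exc)
    aead, encr, integ = classes.get("aead", []), classes.get("encr", []), classes.get("integ", [])
    if aead and encr:
        return False, "AEAD and regular encryption algorithms in the same proposal"
    if proto == "ah":
        if aead or encr:
            return False, "AH proposal must not contain encryption algorithms"
        if not integ:
            return False, "AH proposal needs an integrity algorithm"
    else:
        if not (aead or encr):
            return False, f"{proto.upper()} proposal needs an encryption algorithm"
        if encr and not integ:
            return False, "non-AEAD encryption needs an integrity algorithm"
    if proto == "ike":
        # The PRF is either given explicitly (prf* keyword) or derived from the integrity algorithm.
        if not classes.get("prf") and not integ:
            return False, "IKE proposal needs a PRF (explicit prf* keyword or an integrity algorithm)"
        if not classes.get("dh"):
            return False, "IKE proposal needs a DH group"
    return True, "ok"


if __name__ == "__main__":
    for proto, prop in (("ike", "aes256-sha256-modp2048"), ("ike", "aes128gcm16-ecp256"),
                        ("esp", "aes128gmac"), ("ah", "aes128gmac"), ("ah", "aes128-sha256")):
        print(f"{proto:3} {prop:25} -> {check_proposal(proto, prop)}")
```

The checks run once at configuration load time, so a typo or a contradictory proposal is reported with a reason instead of silently producing a proposal the peer will never accept; the same keyword (aes128gmac) lands in a different class depending on whether it appears in an ESP or an AH proposal, which is the mapping fix the release note refers to.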

5.5.0

13.07.2016

Major Release

100%

34 issues   (34 closed — 0 open)

Version 5.5.0

  • The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
    This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.
  • The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
    and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies, as defined by RFC 7296,
    has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.
  • IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
    policies may be restricted to a network interface. These options are only configurable via swanctl.conf.
    An example is provided in the swanctl/manual-prio scenario.
  • The scheme for the automatically calculated default priorities has been changed and now also
    considers port masks, which were added with 5.4.0 (for details see d3af3b799f).
  • FWD policies are now installed in both directions in regards to the traffic selectors (9c12635252).
    Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
    example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios) they are installed
    with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
    two and prefer those with a reqid.
  • How the interface for routes installed with policies is determined has changed (96b1fab53c). In most
    cases the interface over which the other peer is reached is now used, not the interface on which the local
    address (or the source IP) is installed. However, that might be the same interface depending on the
    configuration (i.e. in practice there will often not be a change).
  • No routes are installed anymore for drop policies and policies with port/protocol selector (e7369a9dc5).
  • For outbound IPsec SAs no replay window is configured anymore.
  • When using unique marks (mark=%unique) the allocated mark is now correctly passed to the
    updown script (b210369314).
  • DNS servers installed by the resolve plugin are now refcounted, which should fix its use with
    make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.
  • Negotiation of ESN with IKEv1 is supported (40bb4677f7).
  • The default plugin load list may now be modified by specifying the individual load setting of a plugin.
  • Fixed how mappings are stored in the eap-simaka-pseudonym plugin (5005325020).
  • Support for BoringSSL and OpenSSL 1.1.0 has been added.
  • Notes for developers:
    • The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
    • Similarly the constructors for peer_cfg_t and child_cfg_t now take structs.
    • We now use the standard unsigned integer types (e.g. uint64_t instead of u_int64_t).
    • The testing environment now uses images based on Debian jessie (stable).

5.4.0

22.03.2016

Major Release

100%

15 issues   (15 closed — 0 open)

Version 5.4.0

  • Support for IKEv2 redirection (RFC 5685) has been added. Plugins may
    implement the redirect_provider_t interface (source:src/libcharon/sa/redirect_provider.h)
    to decide if and when to redirect connecting clients. It is also possible to
    redirect established IKE_SAs based on different selectors via vici/swanctl.
    Unless disabled in strongswan.conf the charon daemon will follow redirect
    requests received from servers.
  • The ike: prefix enables the explicit configuration of signature scheme
    constraints against IKEv2 authentication in rightauth, which allows the use
    of different signature schemes for trustchain verification and authentication.
    Configuration of such constraints via vici/swanctl is now also possible.
  • The initiator of an IKEv2 make-before-break reauthentication now suspends
    online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
    CHILD_SAs are established. This is required if the checks are done over the
    CHILD_SA established with the new IKE_SA. This is not possible until the
    initiator installs this SA, and that only happens after the authentication is
    completed successfully. So we suspend the checks during the reauthentication
    and do them afterwards; if they fail, the IKE_SA is closed. This change has no
    effect on the behavior during the authentication of the initial IKE_SA.
  • For the vici plugin a Vici:Session Perl CPAN module has been added to allow
    Perl applications to control and/or monitor the IKE daemon using the VICI
    interface, similar to the existing Python egg or Ruby gem.
  • Traffic selectors with port ranges can now be configured in the Linux kernel:
    e.g. remote_ts = 10.1.0.0/16[tcp/20-23] and local_ts = dynamic[tcp/32768-65535].
    The port range must map to a port mask, though, since the kernel does not
    support arbitrary ranges.
  • The vici plugin allows the configuration of IPv4 and IPv6 address ranges
    in local and remote traffic selectors. Since both the Linux kernel and
    iptables cannot handle arbitrary ranges, address ranges are mapped to the
    next larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
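The two mapping rules above (a port range must map exactly onto a port mask, an address range is widened to the next larger CIDR subnet) can be checked with the following added example. It is not strongSwan's own code, and it assumes that "next larger CIDR subnet" means the smallest aligned block that encloses the whole range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not strongSwan code: maps an inclusive range over a
 * bits-wide value space (16 for ports, 32 for IPv4 addresses) onto the
 * smallest aligned base/mask block that contains the whole range. */
typedef struct {
    uint32_t base;   /* lowest value in the covering block */
    uint32_t mask;   /* mask selecting the fixed high bits of the block */
    int prefix;      /* number of fixed high bits (CIDR prefix length) */
    bool exact;      /* true if the block equals the range exactly */
} range_block_t;

static range_block_t range_to_block(uint32_t from, uint32_t to, int bits)
{
    range_block_t r;
    uint64_t full = ((uint64_t)1 << bits) - 1;   /* all-ones for this space */
    uint32_t diff, varying = 0;

    if (from > to) { uint32_t t = from; from = to; to = t; }
    /* Every bit in which from and to differ must stay variable, so the
     * block size is the next power of two at or above the xor of the ends. */
    for (diff = from ^ to; diff; diff >>= 1) varying++;

    r.prefix = bits - (int)varying;
    r.mask   = (uint32_t)(full & ~(((uint64_t)1 << varying) - 1));
    r.base   = from & r.mask;
    /* The block is an exact match only if it starts at from and ends at to. */
    r.exact  = (r.base == from) && ((r.base | (~r.mask & full)) == to);
    return r;
}

/* Port selector rule: the kernel supports port masks only, so a port range
 * is usable only if .exact is set; otherwise it must be rejected. */
static range_block_t port_range_to_mask(uint16_t from, uint16_t to)
{
    return range_to_block(from, to, 16);
}

/* Address selector rule: arbitrary ranges are widened to the enclosing CIDR
 * subnet; .exact tells whether any widening was necessary. */
static range_block_t addr_range_to_cidr(uint32_t from, uint32_t to)
{
    return range_to_block(from, to, 32);
}

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

int main(void)
{
    range_block_t r = port_range_to_mask(20, 23);          /* tcp/20-23 from the text */
    printf("ports 20-23     -> %u/0x%04x exact=%d\n", (unsigned)r.base, (unsigned)r.mask, r.exact);
    r = port_range_to_mask(32768, 65535);                  /* tcp/32768-65535 from the text */
    printf("ports 32768-65535 -> %u/0x%04x exact=%d\n", (unsigned)r.base, (unsigned)r.mask, r.exact);
    r = port_range_to_mask(20, 24);                        /* constructed: not a port mask */
    printf("ports 20-24     -> representable=%d\n", r.exact);
    r = addr_range_to_cidr(IPV4(10, 1, 0, 10), IPV4(10, 1, 0, 20));   /* constructed range */
    printf("10.1.0.10-10.1.0.20 -> %u.%u.%u.%u/%d widened=%d\n",
           (unsigned)(r.base >> 24), (unsigned)((r.base >> 16) & 0xff),
           (unsigned)((r.base >> 8) & 0xff), (unsigned)(r.base & 0xff), r.prefix, !r.exact);
    return 0;
}
```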
  • Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
    used as owners of shared secrets.
  • The new p-cscf plugin can request P-CSCF server addresses from an ePDG via
    IKEv2 (RFC 7651). Addresses of the same families as that of requested virtual
    IPs are requested if enabled in strongswan.conf for a particular connection.
    The plugin currently writes received addresses to the log.
  • The default proposals now use a security strength of 128 bit. The default DH group
    for IKE is now either ecp256 or modp3072, depending on whether the openssl plugin
    is loaded or not. The default ESP proposal is aes128-sha256, which requires HMAC-SHA2-256
    support with 128 bit truncation, which the Linux kernel correctly implements since 2.6.33.
    But there are reports that other implementations might still not do so (#1353).
  • DH groups are now listed for CHILD_SAs in ipsec statusall. Note that for IKEv2 the
    first CHILD_SA is created without a separate DH exchange (the key material is derived
    from the IKE keys). Therefore any DH group will only be listed after the first rekeying
    of such a CHILD_SA. For CHILD_SAs created with a separate CREATE_CHILD_SA exchange
    and for IKEv1 a DH group will always be listed if PFS is used.
  • IKE SPIs are now printed in network byte order in log messages and status output.
  • Start actions configured via vici are reversed when configs are unloaded, unchanged
    child configs are not affected by this anymore. Any IKE_SA that ends up without CHILD_SAs
    after that is now closed.
  • Asynchronous initiation and termination is supported via vici by specifying a timeout of -1.
  • To distinguish child configs with the same name associated with different
    connection entries the name of the connection may be sent in the initiate/install
    vici commands using the ike parameter.
  • The vici plugin and swanctl now support authentication with raw public keys. Also,
    the commands used to manage and list certificates/keys have been extended.
  • Multiple authentication rounds sent via vici may now be ordered by the optional round
    parameter instead of by the order of the local/remote* sections in the request (required for
    the Perl bindings that don't use ordered dictionaries).
  • The vici plugin and swanctl are now enabled by default.
  • CHILD_SAs of IKEv1 SAs might now optionally (charon.delete_rekeyed in strongswan.conf)
    be deleted immediately after they have been successfully rekeyed instead of waiting for the hard
    timeout, which could be problematic if traffic based limits are used.
  • The charon.reuse_ikesa option is now always enabled for IKEv1 (24ab8530e5).
  • IPv6 virtual IPs are now correctly sent for IKEv1 (91d80298f9). The incorrect encoding is
    still accepted but the new encoding might cause problems for older strongSwan clients.
  • No NAT keepalives are sent if a host has lost connectivity (i.e. no local address is found to
    reach the peer).
  • In the log threads may optionally be identified by their actual thread ID instead of a simple
    incremented value starting from 1 (--enable-log-thread-ids).
  • libhydra has been removed, all plugins and the kernel interface have been integrated
    into libcharon.

5.3.5

26.11.2015

Minor Release

100%

2 issues   (2 closed — 0 open)

Version 5.3.5

  • Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
    sigwait(3) calls with 5.3.4 (#1213).
  • RADIUS retransmission timeouts are now configurable via strongswan.conf,
    courtesy of Thom Troy.

5.3.4

16.11.2015

Minor Release

100%

20 issues   (20 closed — 0 open)

Version 5.3.4

  • Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
    was caused by insufficient verification of the internal state when handling
    EAP-MSCHAPv2 Success messages received by the client.
    This vulnerability has been registered as CVE-2015-8023.
    Please refer to our blog for details.
  • The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
    Within the strongSwan framework SHA3 is currently used for BLISS signatures
    only because the OIDs for other signature algorithms haven't been defined
    yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
  • The EAP-MSCHAPv2 username now replaces the identity of any previous EAP-Identity
    exchange (#1182).
  • A bug with setting the source IP for IKE packets was fixed that caused problems with
    newer compilers (#1171).
  • Some VICI commands received updates: NAT information and virtual IPs are listed for
    IKE_SAs (04f22cdabc, bdb8b76515), IP address leases are optionally listed
    for pools defined via VICI (f4641f9e45).
  • Fetching CRLs in PEM format is now supported and using the curl plugin to fetch CRLs
    from file:// URIs has also been fixed (#1203).
  • CRLs added via VICI are now properly added to the credential set (e5e352e631).
  • IKEv2 NAT-D payloads are now created in a more static way, which ensures they stay the
    same when retrying to establish an IKE_SA (e.g. due to INVALID_KEY_PAYLOAD notifies, #1131).
  • Fixed compress=yes (IPComp) with IPv6 and leftfirewall=yes (382f8a334a).
  • The del_policy method of kernel_ipsec_t now receives the same information originally
    passed to add_policy (a6e0f14fd2).
  • The kernel-netlink plugin allows IPsec policies to replace shunt policies, which allows
    configuring matching type=drop policies alongside auto=add connections.
  • To debug custom plugins they can now optionally be loaded with RTLD_NOW so missing
    symbols are revealed immediately (via charon.dlopen_use_rtld_now). The same applies
    for custom IMVs/IMCs.
  • The Android app has been updated to use the Gradle build system.

5.3.3

07.09.2015

Minor Release

100%

21 issues   (21 closed — 0 open)

Version 5.3.3

  • Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
    RFC 7634 using the chacha20poly1305 ike/esp proposal keyword.
    The new chapoly plugin implements the cipher, if possible SSE-accelerated on x86/x64
    architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP backend.
    On Linux 4.2 or newer the kernel-netlink plugin can configure the cipher for ESP SAs.
  • The vici/swanctl interface now supports the configuration of auxiliary certification
    authority information as CRL and OCSP URIs.
  • In the bliss plugin the c_indices derivation using a SHA-512 based random oracle
    has been fixed, generalized and standardized by employing the MGF1 mask generation
    function with SHA-512. As a consequence BLISS signatures using the improved oracle
    are not compatible with the earlier implementation.
  • Support for auto=route with right=%any for transport mode connections has been
    added (refer to #196-6 for details and some examples).
  • The starter daemon does not flush IPsec policies and SAs anymore when it is stopped.
    Already existing duplicate policies are now overwritten by the IKE daemon when it
    installs its policies (695112d7b8, dc2fa791e4). Usually, there shouldn't be any
    leftovers after the IKE daemon has been properly terminated, but if it crashes the kernel
    state won't be cleaned up. Because earlier releases couldn't handle already existing
    duplicate policies in the kernel, the starter daemon flushed them during shutdown so
    the daemon would find a clean slate when it was restarted. Since existing policies are not
    a problem anymore, this is no longer necessary. And in situations where installpolicies=no
    is used, policies shouldn't be flushed blindly anyway.
  • Init limits can now optionally be enforced when initiating SAs via VICI. For this IKE_SAs
    initiated by the daemon are now also counted as half-open SAs, which, as a side-effect,
    fixes the status output while connecting (e.g. in ipsec status).
  • Symmetric configuration of EAP methods in left|rightauth is now possible when mutual
    EAP-only authentication is used (previously, the client had to configure rightauth=eap
    or rightauth=any, which prevented it from using this same config as responder).
  • The initiator flag in the IKEv2 header is compared again (wasn't the case since 5.0.0) and
    packets that have the flag set incorrectly are again ignored (47a340e1f7, 5fee79d854).
  • Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy Device Health
    Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE
    Printer Working Group (PWG), see HCD-IMC and HCD-IMV.
  • Fixed IF-M segmentation which failed in the presence of multiple small attributes in front
    of a huge attribute to be segmented (10f25a3dd9).
  • Refcounting for allocated reqids has been fixed for situations where make-before-break
    reauthentication is used and CHILD_SAs have already been rekeyed (3665adef19).
  • Fixed a crash when retrying CHILD_SA rekeying due to a DH group mismatch (1729df9275).
  • If multiple CA certificates are set in swanctl.conf (connections.<conn>.remote<suffix>.cacerts)
    it is now enough if the certificate chain contains at least one of them, not all (774c8c3847).
  • Referring to a CA certificate in ipsec.d/cacerts in a ca section does not cause duplicate
    certificate requests anymore (was the case since 5.3.0, #842-10). CA certificates are
    now atomically reloaded by ipsec rereadcacerts so unchanged certificates are always
    available. The command now also reloads certificates referenced in CA sections.
  • Inbound IKEv1 messages are now handled with different job priorities (a5c07be058).
  • When strongSwan creates ASN.1 DN identities from strings, it now uses UTF8String
    instead of T61String to encode RDNs that contain characters outside the character set
    of PrintableString.
  • The new pki --dn command extracts subject DistinguishedNames from certificates,
    which is useful if the automatic identity parsing is unable to produce the correct
    binary ASN.1 encoding of the DN from its string representation.
  • To implement IPv6 NDP proxying via updown script (e.g. via ip -6 neigh add proxy)
    the virtual IPs assigned to a client are now passed to the script (#1008).
  • RADIUS Accounting Start messages are now correctly triggered for IKEv1 SAs when clients
    don't do any Mode Config or XAuth exchanges during reauthentication (#937).
  • Support for the Framed-IPv6-Address and DNS-Server-IPv6-Address RADIUS attributes has
    been added. Virtual IPv6 addresses are now sent in Framed-IPv6-Address attributes in
    RADIUS Accounting messages (#1001).
  • Some fixes went into the HA plugin and related code: The jhash() function was updated
    for Linux 4.1+ (93caf23e1b), NAT keepalives (edaba56ec7) and CHILD_SA rekeying
    (e095d87bb6) are now disabled for passive SAs, and the remote address is synced
    when an SA is first added (3434709460). Also, the use of AEAD algorithms in CHILD_SAs
    has been fixed (#1051) and the control FIFO is recreated if it is no FIFO (fffee7c759).
  • The buffer size for the Netlink receive buffer has been changed, the default is now the same
    as in the kernel (a6896b6149, 197de6e66b).
  • In particular for hosts with lots of routes an alternative faster source address lookup may be
    used by setting charon.plugins.kernel-netlink.fwmark=!<mark> (6bd1216e7a).
  • The kernel-pfkey plugin now can configure AES-GCM, which is supported on FreeBSD 11.
  • Fixed some potential race conditions during shutdown of the daemon (#1014).
  • Address resolution has been improved: If a local address is configured we use the same
    address family when resolving the remote address (#993). If the remote address resolves
    to %any during reauthentication or when reestablishing an SA we keep the current
    address (#1027).
  • A new option allows disabling the side-swapping based on the addresses/hostnames in
    left|right, when the stroke plugin loads a config from ipsec.conf.

5.3.2

08.06.2015

Minor Release

100%

3 issues   (3 closed — 0 open)

Version 5.3.2

  • Fixed a vulnerability that allowed rogue servers with a valid certificate
    accepted by the client to trick it into disclosing its username and even
    password (if the client accepts EAP-GTC). This was caused by constraints
    against the responder's authentication being enforced too late.
    This vulnerability has been registered as CVE-2015-4171.
    Please refer to our blog for details.

5.3.1

01.06.2015

Minor Release

100%

4 issues   (4 closed — 0 open)

Version 5.3.1

  • Fixed a denial-of-service and potential remote code execution vulnerability
    triggered by IKEv1/IKEv2 messages that contain payloads for the respective
    other IKE version. Such payloads are treated specially since 5.2.2, but because
    they were still identified by their original payload type they were used as
    such in some places, causing invalid function pointer dereferences.
    The vulnerability has been registered as CVE-2015-3991.
    Please refer to our blog for details.
  • The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
    primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
    instructions and works on both x86 and x64 architectures. It provides
    superior crypto performance in userland without any external libraries.
  • Fixed an issue with IKEv2 fragmentation (introduced with 5.2.1) and encryption
    algorithms that use sequential IVs (e.g. AES-GCM). Previously the IKE message ID was
    used as IV, but with IKEv2 fragmentation this ID is not unique anymore, causing the
    same IV to get used for fragments of the same message. This was fixed by including
    the fragment identifier in the IV (62e0abe759).
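As an added illustration of the failure mode described above (this is not strongSwan's code, and the 64-bit IV layout used here is an assumption, not the daemon's actual encoding): deriving a sequential IV from the message ID alone repeats the IV across the fragments of one message, while including the fragment number keeps every IV distinct.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MSGS  3   /* constructed sample: message IDs 0..2 ... */
#define FRAGS 4   /* ... each split into four fragments */

/* Assumed layout for the example: message ID in the low 32 bits and, when
 * with_frag is set, the fragment number in the high bits. The pre-fix
 * behaviour corresponds to with_frag == false (message ID only). */
static uint64_t derive_iv(uint32_t msg_id, uint16_t frag_num, bool with_frag)
{
    uint64_t iv = msg_id;
    if (with_frag) {
        iv |= (uint64_t)frag_num << 32;
    }
    return iv;
}

/* Counts pairs of fragments that would be encrypted under the same IV.
 * For a cipher with sequential IVs such as AES-GCM, a single repeated IV
 * under one key is already a break, so the only acceptable count is 0. */
static int count_iv_collisions(bool with_frag)
{
    uint64_t ivs[MSGS * FRAGS];
    int n = 0, collisions = 0;

    for (uint32_t m = 0; m < MSGS; m++) {
        for (uint16_t f = 1; f <= FRAGS; f++) {   /* RFC 7383 numbers fragments from 1 */
            ivs[n++] = derive_iv(m, f, with_frag);
        }
    }
    for (int i = 0; i < n; i++) {
        for (int j = i + 1; j < n; j++) {
            if (ivs[i] == ivs[j]) {
                collisions++;
            }
        }
    }
    return collisions;
}

int main(void)
{
    printf("IV from message ID only:        %d colliding fragment pairs\n",
           count_iv_collisions(false));
    printf("IV from message ID + fragment:  %d colliding fragment pairs\n",
           count_iv_collisions(true));
    return 0;
}
```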
  • The TLS client in libtls now rejects Diffie-Hellman groups with primes < 1024 bit (47e96391f2).
  • The accuracy of usage statistics reported via RADIUS Accounting has been
    increased in several situations (e.g. if interim updates occur while rekeying a CHILD_SA).
  • A constant time memory comparison utility function (chunk_equals_const) was
    added for cryptographic purposes (aa9b74931f).
  • The interface for DH implementations was extended to enable unit tests (44136bec94).
  • Fixed initialization of HMAC primitives in the openssl plugin for newer
    OpenSSL releases (c2906c8f21).
  • ike-updown and child-updown events are now relayed via VICI (a7e4a2d6c2).
  • The Ruby Gems and Python Eggs built with --enable-ruby-gems|--enable-python-eggs are
    not installed anymore during make install. To do so the options --enable-ruby-gems-install
    and/or --enable-python-eggs-install may be passed to ./configure (f16f792e17).

5.3.0

30.03.2015

Major Release

100%

31 issues   (31 closed — 0 open)

Version 5.3.0

  • Added support for IKEv2 make-before-break reauthentication. By using a global
    CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
    This allows the use of make-before-break instead of the previously supported
    break-before-make reauthentication, avoiding connectivity gaps during that
    procedure. As the new mechanism may fail with peers not supporting it (such
    as any previous strongSwan release) it must be explicitly enabled using
    the charon.make_before_break strongswan.conf option.
  • Support for Signature Authentication in IKEv2 (RFC 7427) has been added.
    This allows the use of stronger hash algorithms for public key authentication.
    By default, signature schemes are chosen based on the strength of the
    signature key, but specific hash algorithms may be configured in leftauth.
  • Key types and hash algorithms specified in rightauth are now also checked
    against IKEv2 signature schemes. If such constraints are used for certificate
    chain validation in existing configurations, in particular with peers that
    don't support RFC 7427, it may be necessary to disable this feature with the
    charon.signature_authentication_constraints setting, because the signature
    scheme used in classic IKEv2 public key authentication may not be strong
    enough.
  • The new connmark plugin allows a host to bind conntrack flows to a specific
    CHILD_SA by applying and restoring the SA mark to conntrack entries. This
    allows a peer to handle multiple transport mode connections coming over the
    same NAT device for client-initiated flows (a common use case is to protect
    L2TP/IPsec). See ikev2/host2host-transport-connmark for an example.
  • The forecast plugin can forward broadcast and multicast messages between
    connected clients and a LAN. For CHILD_SAs using unique marks, it sets up
    the required Netfilter rules and uses a multicast/broadcast listener that
    forwards such messages to all connected clients. This plugin is designed for
    Windows 7 IKEv2 clients, which announce their services over the tunnel if the
    negotiated IPsec policy allows it. See ikev2/forecast for an example.
  • For the vici plugin a Python Egg has been added to allow Python applications
    to control or monitor the IKE daemon using the VICI interface, similar to the
    existing ruby gem. The Python library has been contributed by Björn Schuberg.
  • EAP server methods now can fulfill public key constraints, such as rightcert
    or rightca. Additionally, public key and signature constraints can be
    specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
    EAP-TTLS methods provide verification details to constraints checking.
  • The BLISS post-quantum signature algorithm has been upgraded to the improved BLISS-B
    variant. It can be used in conjunction with the SHA256, SHA384 and SHA512 hash
    algorithms, with SHA512 being the default.
  • The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
    as seen by the TNC server available to all IMVs. This information can be
    forwarded to policy enforcement points (e.g. firewalls or routers).
  • The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
    in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
    PT-TLS transport medium.
  • SPIs in IKEv1 DELETE payloads are now compared to those of the current IKE SA.
    This is required for interoperability with OpenBSD's isakmpd, which always uses the
    latest IKE SA to delete other expired SAs.
  • The files plugin provides a simple fetcher for file:// URIs (1735d80f38).
  • Fixed CRL verification for PKIs that don't use SHA-1 hashes of the public key
    as subjectKeyIdentifier or authorityKeyIdentifier (6133770db4).
  • Route priorities are now considered when doing manual route lookups (6b57790270).
  • Policies are now removed from the kernel before IPsec SAs, to avoid acquires
    for untrapped policies (46188b0eb0).

5.2.2

05.01.2015

Minor Release

100%

12 issues   (12 closed — 0 open)

Version 5.2.2

  • Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
    payload that contains the Diffie-Hellman group 1025. This identifier was
    used internally for DH groups with custom generator and prime. Because
    these arguments are missing when creating DH objects based on the KE payload
    an invalid pointer dereference occurred. This allowed an attacker to crash
    the IKE daemon with a single IKE_SA_INIT message containing such a KE
    payload. The vulnerability has been registered as CVE-2014-9221.
    Please refer to our blog for details.
  • The left/rightid options in ipsec.conf, or any other identity in strongSwan,
    now accept prefixes to enforce an explicit type, such as email: or fqdn:.
    Note that no conversion is done for the remaining string, refer to the
    conn section reference (or the ipsec.conf(5) man page) for details.
  • Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
    cause interoperability issues when connecting to older versions of charon (#771).
  • Support to configure IP address pools as ranges (<from IP>-<to IP>) in
    ipsec.conf and swanctl.conf has been added.
  • The first and last addresses in subnet based pools are now skipped properly and
    the pools' sizes are adjusted accordingly. This is also the case if pools are
    configured with an offset, e.g. 192.168.0.100/24, which reduces the number of
    available addresses from 254 to 155; assignment now starts at .100, not .101,
    that is, .100-.254 are assignable to clients.
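The pool sizing rule above, as an added example that is not strongSwan's own code: the subnet's network and broadcast addresses are skipped, and an address with host bits set acts as the first assignable address. How /31 and /32 pools behave is not stated on the page; the example treats them as fully assignable, which is its own choice.

```c
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t first;   /* first assignable address */
    uint32_t last;    /* last assignable address */
    uint32_t size;    /* number of assignable addresses (0 if none) */
} pool_range_t;

/* Derives the assignable range of a subnet based pool given as addr/prefix.
 * The network and broadcast addresses are never handed out; if addr itself
 * is not the network address it is used as an offset and assignment starts
 * there instead of at network + 1. */
static pool_range_t subnet_pool_range(uint32_t addr, int prefix)
{
    pool_range_t p = {0, 0, 0};
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    uint32_t network = addr & mask;
    uint32_t broadcast = network | ~mask;

    if (prefix >= 31) {
        /* Example's own choice: /31 and /32 have no addresses to skip. */
        p.first = addr;
        p.last = broadcast;
    } else {
        p.first = (addr == network) ? network + 1 : addr;
        p.last = broadcast - 1;
    }
    if (p.first <= p.last) {
        p.size = p.last - p.first + 1;
    }
    return p;
}

static void print_pool(const char *label, pool_range_t p)
{
    printf("%s: %u.%u.%u.%u - %u.%u.%u.%u (%u addresses)\n", label,
           (unsigned)(p.first >> 24), (unsigned)((p.first >> 16) & 0xff),
           (unsigned)((p.first >> 8) & 0xff), (unsigned)(p.first & 0xff),
           (unsigned)(p.last >> 24), (unsigned)((p.last >> 16) & 0xff),
           (unsigned)((p.last >> 8) & 0xff), (unsigned)(p.last & 0xff),
           (unsigned)p.size);
}

int main(void)
{
    /* The two cases from the release note: plain /24 and /24 with offset .100 */
    print_pool("192.168.0.0/24  ", subnet_pool_range(IPV4(192, 168, 0, 0), 24));
    print_pool("192.168.0.100/24", subnet_pool_range(IPV4(192, 168, 0, 100), 24));
    return 0;
}
```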
  • Many uses of select(2) have been replaced by calls to poll(2), which avoids problems
    with more than 1024 open file descriptors (see #757).
  • Only payloads with payload types defined for the currently handled IKE version are now parsed,
    all other payloads are ignored (see mailing list).
  • On Windows, ALE-layer WFP rules are introduced to accept tunnel mode packets in
    stateful packet filtering if default-drop policies are used (e61841a211).
  • The new --pkcs12 command for pki provides basic support for PKCS#12
    containers, namely listing and exporting credentials.
  • Correctly configure replay window size on FreeBSD and Mac OS X (d21b01462e).
  • Accept IPComp proposals with 4 octet long CPI values (4141f01671).

5.2.1

20.10.2014

Minor Release

100%

14 issues   (14 closed — 0 open)

Version 5.2.1

  • The new charon-systemd IKE daemon implements an IKE daemon tailored
    for use with systemd. It avoids the dependency on ipsec starter and
    uses swanctl as configuration backend, building a simple and
    lightweight solution. Native systemd journal logging is supported.
  • Support for the new IKEv2 Fragmentation mechanism as defined by
    RFC 7383 has been added, which avoids IP fragmentation of
    IKEv2 UDP datagrams exceeding the network's MTU size. This feature is
    activated by setting fragmentation=yes in ipsec.conf and optionally
    setting the maximum IP packet size with the charon.fragment_size
    parameter in strongswan.conf.
  • Support for the TCG TNC IF-M Attribute Segmentation specification proposal,
    which allows transferring potentially huge attributes amounting to several
    megabytes of measurement data, like the TCG/SWID Tag [ID] Inventory
    or IETF/Installed Packages attributes, via the PA-TNC, PB-TNC and
    either PT-EAP or PT-TLS NEA protocol stack. By default segmented attributes
    are just reconstructed on the receiving side from the individual segments,
    with the exception of the three attribute types mentioned above, which can
    be parsed and processed incrementally as the segments arrive one-by-one.
    A commented example can be found under PT-EAP-SWID.
  • For the vici plugin a ruby gem has been added to allow ruby applications
    to control or monitor the IKE daemon. The vici documentation has been
    updated to include a description of the available operations and some simple
    examples using both the libvici C interface and the ruby gem (see README.md).
  • The new ext-auth plugin calls an external script to implement custom IKE_SA
    authorization logic, courtesy of Vyronas Tsingaras.
  • Support for IKEv1 fragmentation has been extended to Windows XP/7 clients,
    courtesy of Volker Rümelin.
  • A static interval for interim RADIUS accounting updates can be configured for
    the eap-radius plugin. It's overridden by any interval the RADIUS server returns
    in the Access-Accept message, but it can be useful if RADIUS is only used for accounting.
  • Fixed re-authentication when using IKEv1 Mode Config in push mode (cb98380fe9e4).
  • Handle Quick Mode DELETES during a Quick Mode rekeying (cd9bba508bba).
  • Fixed some Cisco Unity corner cases (rekeying and situations where no split-include attributes
    are received); one fix didn't make it into this release though (#737).
  • Fixed some IKEv1 interoperability issues (e.g. with proposal numbering and IPComp), see #661.
  • Fixed a crash during reauthentication with multiple authentication rounds caused by the
    incorrect use of array_remove_at() in auth_cfg_t (8ca9a67fac59).
    Also added a comment regarding the use of that function (see c641974de001).
  • The kernel-pfkey plugin now reports packet counts (25fcbab6789c).
  • If available the kernel-pfroute plugin uses RTM_IFANNOUNCE/IFAN_DEPARTURE events to
    delete cached interfaces (see f80093e2ee65).
  • The kernel-netlink plugin can set MTU and MSS on installed routes via settings in
    strongswan.conf (these are global and affect all SAs).
  • The kernel-netlink plugin optionally installs protocol and ports on transport mode
    SAs (90e6675a657c) to enforce policies for inbound traffic. Enabling this prevents the use
    of a single IPsec SA by more than one traffic selector though.

5.2.0

09.07.2014

Major Release

100%

21 issues   (21 closed — 0 open)

Version 5.2.0

  • strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
    many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 and
    newer releases.

    charon-svc implements a Windows IKE service based on libcharon, the kernel-iph
    and kernel-wfp plugins act as networking and IPsec backend on the Windows platform.
    socket-win provides a native IKE socket implementation, while winhttp fetches
    CRL and OCSP information using the WinHTTP API.

  • The new vici plugin provides a Versatile IKE Configuration Interface for
    charon. Using the stable IPC interface, external applications can configure,
    control and monitor the IKE daemon. Instead of scripting the ipsec tool
    and generating ipsec.conf, third party applications can use the new interface
    for more control and better reliability.
  • Built upon the libvici client library, swanctl implements the first user of
    the VICI interface. Together with a swanctl.conf configuration file,
    connections can be defined, loaded and managed. swanctl provides a portable,
    complete IKE configuration and control interface for the command line.
    Examples: http://www.strongswan.org/uml/testresults/swanctl/
  • The SWID IMV implements a JSON-based REST API which allows the exchange
    of SWID tags and Software IDs with the strongTNC policy manager.
  • The SWID IMC can extract all installed packages from the dpkg (Debian,
    Ubuntu, etc.), rpm (Fedora, RedHat, etc.), or pacman (Arch Linux, Manjaro, etc.)
    package managers, respectively, using the swidGenerator which generates
    SWID tags according to the new ISO/IEC 19770-2:2014 standard.
  • All IMVs now share the access requestor ID, device ID and product info
    of an access requestor via a common imv_session object.
  • The Attestation IMC/IMV pair supports the IMA-NG measurement format
    introduced with the Linux 3.13 kernel.
  • The aikgen tool generates an Attestation Identity Key bound to a TPM.
  • Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
    Connect.
  • The ipsec.conf replay_window option defines connection specific IPsec replay
    windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from 6Wind.
  • The custom parser for strongswan.conf has been replaced with one based on flex/bison.
    It adds support for quoted strings (with escape sequences), unlimited includes, more
    relaxed newline handling, better syntax error reporting, and a distinction between
    empty and unset values (key="" vs. key=).
  • The parser for ipsec.conf in starter has been rewritten. It allows overriding options
    in all included sections (also=) not only in %default, options defined in included sections
    can also be cleared again. Other improvements, like quoted strings, unlimited includes,
    and better whitespace/comment handling have been implemented as well.
  • Support for late IKEv1 connection switching based on the XAuth username has been added.
  • Added support to parse SSH public keys from files configured in left|rightsigkey.
  • RDNs in Distinguished Names parsed from strings must now either be separated by a comma
    or a slash, not both. If the DN starts with a slash (or whitespace and a slash) slashes
    will be assumed as separator, commas otherwise.
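The separator rule above, as an added example (not strongSwan's DN parser): the separator is chosen once from the start of the string, so a slash inside a comma-separated DN stays part of its RDN and vice versa. The fixed-size RDN buffers are the example's own simplification.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RDN_MAX 8
#define RDN_LEN 64

/* Picks the RDN separator: a slash if the DN starts with a slash (after
 * optional whitespace), a comma otherwise. */
static char dn_separator(const char *dn)
{
    while (*dn && isspace((unsigned char)*dn)) {
        dn++;
    }
    return (*dn == '/') ? '/' : ',';
}

/* Splits dn on the chosen separator into out[], trimming whitespace around
 * each RDN and skipping empty ones (such as the one before a leading slash).
 * Returns the number of RDNs stored. */
static int dn_split(const char *dn, char out[][RDN_LEN], int max)
{
    char sep = dn_separator(dn);
    const char *p = dn;
    int count = 0;

    while (*p && count < max) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);

        while (len && isspace((unsigned char)*p)) { p++; len--; }
        while (len && isspace((unsigned char)p[len - 1])) { len--; }
        if (len) {
            if (len >= RDN_LEN) {
                len = RDN_LEN - 1;   /* truncate over-long RDNs in this example */
            }
            memcpy(out[count], p, len);
            out[count][len] = '\0';
            count++;
        }
        if (!end) {
            break;
        }
        p = end + 1;
    }
    return count;
}

/* Convenience queries used below: number of RDNs, and whether RDN n equals expected. */
static int dn_rdn_count(const char *dn)
{
    char rdns[RDN_MAX][RDN_LEN];
    return dn_split(dn, rdns, RDN_MAX);
}

static int dn_rdn_is(const char *dn, int n, const char *expected)
{
    char rdns[RDN_MAX][RDN_LEN];
    int count = dn_split(dn, rdns, RDN_MAX);
    return n < count && strcmp(rdns[n], expected) == 0;
}

int main(void)
{
    /* Constructed sample DNs: slash-separated, and comma-separated with a slash inside an RDN */
    const char *dns[] = { "/C=CH/O=strongSwan/CN=moon", "C=CH, O=strongSwan/test, CN=moon" };
    char rdns[RDN_MAX][RDN_LEN];

    for (int i = 0; i < 2; i++) {
        int count = dn_split(dns[i], rdns, RDN_MAX);
        printf("%s -> separator '%c', %d RDNs\n", dns[i], dn_separator(dns[i]), count);
        for (int n = 0; n < count; n++) {
            printf("  [%d] %s\n", n, rdns[n]);
        }
    }
    return 0;
}
```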
  • The algorithm order in the default IKE proposal is again like it was before 5.1.1 (a4844dbc8f15).
  • Scalability of half-open IKE_SA and log level checks have been improved (502eeb7f76d2).
  • Added a workaround for Sonicwall boxes that send ID/HASH payloads unencrypted during
    IKEv1 Main Mode (c4c9d291d2aa).
  • Support for IPComp was added to the kernel-pfkey plugin (FreeBSD, Mac OS X, Linux),
    patch courtesy of Francois ten Krooden (6afa7761a540).
  • Passthrough policies are installed with strictly higher priorities than IPsec policies, which
    was not always the case previously, depending on the traffic selectors.
  • The kernel-netlink plugin now follows RFC 6724 when selecting IPv6 source addresses (#543).
  • stroke and starter now use the <daemon>.plugins.stroke.socket option to determine the socket
    to communicate with the daemon. A --daemon option has been added to stroke.
  • The --disable-tools ./configure option has been replaced with the --disable-pki and --disable-scepclient options.
  • A handle_vips() hook has been added similar to assign_vips(), but for clients
    handling virtual IPs and other configuration attributes (31f26960761c).
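The RDN separator rule from the Distinguished Name item above, as an added example in C written for this page (it is not strongSwan's own identification parser): dn_separator() selects the separator exactly as the note states, and dn_split() splits on it, leaving the character that was not selected literal inside an RDN. The helper names, the fixed RDN buffer sizes and the sample DNs are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RDN_MAX 16   /* maximum RDNs per DN (example limit) */
#define RDN_LEN 64   /* maximum length of one RDN (example limit) */

/* Pick the separator the note describes: a DN starting with a slash,
 * optionally after whitespace, uses '/', any other DN uses ','. */
char dn_separator(const char *dn)
{
    while (*dn && isspace((unsigned char)*dn)) {
        dn++;
    }
    return (*dn == '/') ? '/' : ',';
}

/* Copy [start, end) into dst with surrounding whitespace removed. */
static void copy_trimmed(char *dst, const char *start, const char *end)
{
    while (start < end && isspace((unsigned char)*start)) {
        start++;
    }
    while (end > start && isspace((unsigned char)end[-1])) {
        end--;
    }
    size_t len = (size_t)(end - start);
    if (len >= RDN_LEN) {
        len = RDN_LEN - 1;
    }
    memcpy(dst, start, len);
    dst[len] = '\0';
}

/* Split dn into RDNs on the selected separator. The leading separator of
 * the "/C=CH/O=.../CN=..." form yields no empty RDN, and the character
 * that was not selected stays literal inside an RDN (assumption: a mixed
 * DN is not re-split). Returns the number of RDNs stored in out. */
size_t dn_split(const char *dn, char out[RDN_MAX][RDN_LEN])
{
    char sep = dn_separator(dn);
    const char *start = dn;
    size_t count = 0;

    while (*start && isspace((unsigned char)*start)) {
        start++;
    }
    if (*start == sep) {
        start++;
    }
    while (count < RDN_MAX) {
        const char *end = strchr(start, sep);
        if (!end) {
            end = start + strlen(start);
        }
        copy_trimmed(out[count], start, end);
        if (out[count][0] != '\0') {
            count++;
        }
        if (*end == '\0') {
            break;
        }
        start = end + 1;
    }
    return count;
}

/* Small query helpers used by the demonstration. */
size_t dn_rdn_count(const char *dn)
{
    char rdns[RDN_MAX][RDN_LEN];
    return dn_split(dn, rdns);
}

bool dn_rdn_is(const char *dn, size_t index, const char *expected)
{
    char rdns[RDN_MAX][RDN_LEN];
    size_t n = dn_split(dn, rdns);
    return index < n && strcmp(rdns[index], expected) == 0;
}

int main(void)
{
    /* constructed sample DNs */
    const char *samples[] = {
        "C=CH, O=strongSwan, CN=moon.strongswan.org",
        "  /C=CH/O=strongSwan/CN=moon.strongswan.org",
        "C=CH, O=strongSwan/CN=moon",   /* mixed: the slash stays literal */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char rdns[RDN_MAX][RDN_LEN];
        size_t n = dn_split(samples[i], rdns);
        printf("'%s' -> separator '%c', %zu RDN(s)\n", samples[i], dn_separator(samples[i]), n);
        for (size_t j = 0; j < n; j++) {
            printf("  %s\n", rdns[j]);
        }
    }
    return 0;
}
```

The third sample shows why the "not both" rule matters for identity matching: with the comma form selected, "O=strongSwan/CN=moon" is a single RDN value, so a DN written with mixed separators does not silently match a three-RDN identity.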

5.1.3

14.04.2014

Minor Release

100%

10 issues   (10 closed — 0 open)

Version 5.1.3

  • Fixed an authentication bypass vulnerability triggered by rekeying an
    unestablished IKE_SA while it gets actively initiated. This allowed an
    attacker to trick a peer's IKE_SA state to established, without the need to
    provide any valid authentication credentials. The vulnerability has been
    registered as CVE-2014-2338.
    Refer to our blog for details.
  • The acert plugin evaluates X.509 Attribute Certificates. Group membership
    information encoded as strings can be used to fulfill authorization checks
    defined with the rightgroups ipsec.conf option. Attribute Certificates can be
    loaded locally or get exchanged in IKEv2 certificate payloads.
  • The pki command gained support to generate X.509 Attribute Certificates
    using the --acert subcommand, while the --print command supports the ac type.
    The openac utility has been removed in favor of the new pki functionality.
  • The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
    has been extended by AEAD mode support, currently limited to AES-GCM.
  • Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints (a844b6589034).
  • Limited OCSP signing to specific certificates to improve performance (91d71abb16a9).
  • authKeyIdentifier is not added to self-signed certificates anymore (f7d04ba6c462).
  • Fixed the comparison of IKE configs if only the cipher suites were different (23f34f6ed504).

5.1.2

28.02.2014

Minor Release

100%

18 issues   (18 closed — 0 open)

Version 5.1.2

  • A new default configuration file layout is introduced (with full backward compatibility).
    The new default strongswan.conf file mainly includes config snippets from the
    strongswan.d and strongswan.d/charon directories (the latter containing snippets
    for all plugins). The snippets, with commented defaults, are automatically generated
    and installed, if they don't exist yet. They are also installed in
    $prefix/share/strongswan/templates so existing files can be compared to
    the current defaults.
  • As an alternative to the non-extensible charon.load setting, the plugins
    to load in charon (and optionally other applications) can now be determined
    via the charon.plugins.<name>.load setting for each plugin (enabled in the
    new default strongswan.conf file via the charon.load_modular option).
    The load setting optionally takes a numeric priority value that allows
    reordering the plugins (otherwise the default plugin order is preserved).
  • All strongswan.conf settings that were formerly defined in library specific
    "global" sections are now application specific (e.g. settings for plugins in
    libstrongswan.plugins can now be set only for charon in charon.plugins).
    The old options are still supported, which now allows defaults for
    all applications to be defined in the libstrongswan section.
  • The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
    computer IKE key exchange mechanism. The implementation is based on the
    ntru-crypto library from the NTRUOpenSourceProject. The supported security
    strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
    group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
    sent (charon.send_vendor_id = yes) in order to use NTRU.
  • Defined a TPMRA remote attestation workitem and added support for it to the
    Attestation IMV.
  • Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
    well as multiple subnets in left|rightsubnet have been fixed.
  • When enabling its session strongswan.conf option, the xauth-pam plugin opens
    and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
  • The strongSwan unit testing framework has been rewritten without the check
    dependency for improved flexibility and portability. It now properly supports
    multi-threaded and memory leak testing and brings a bunch of new test cases.
  • If charon.plugins.stroke.prevent_loglevel_changes is enabled, the stroke plugin prevents
    log level changes via ipsec stroke.
  • The inactivity counter is reset with every rekeying, which means that the inactivity timeout
    must be smaller than the rekeying interval to have any effect (d048a319df).
  • SQL schemas and example data (IMV) are now distributed and installed in $prefix/share/strongswan.
  • A method to register custom proposal keyword parsers has been added (568e302260).
  • A deadlock was fixed when installing trap policies (bb492d80b5).

5.1.1

01.11.2013

Minor Release

100%

22 issues   (22 closed — 0 open)

Version 5.1.1

  • Fixed a denial-of-service vulnerability and potential authorization bypass
    triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient
    length check when comparing such identities. The vulnerability has been
    registered as CVE-2013-6075.
    Refer to our blog for details.
  • Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
    fragmentation payload. The cause is a NULL pointer dereference. The
    vulnerability has been registered as CVE-2013-6076.
    Refer to our blog for details.
  • The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS session
    with a strongSwan policy enforcement point which uses the tnc-pdp charon
    plugin.
  • The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either
    full SWID Tag or concise SWID Tag ID inventories.
  • The XAuth backend in eap-radius now supports multiple XAuth exchanges for
    different credential types and display messages. All user input gets
    concatenated and verified with a single User-Password RADIUS attribute on
    the AAA. With an AAA supporting it, one for example can implement
    Password+Token authentication with proper dialogs on iOS and OS X clients.
  • charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf
    modeconfig=push option enables it for both client and server, the same way
    as pluto used it.
  • Using the ah ipsec.conf keyword on both IKEv1 and IKEv2 connections,
    charon can negotiate and install Security Associations integrity-protected by
    the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only,
    but not the deprecated RFC 2401 style ESP+AH bundles.
  • The generation of initialization vectors for IKE and ESP (when using libipsec)
    is now modularized and IVs for e.g. AES-GCM are now correctly allocated
    sequentially, while other algorithms like AES-CBC still use random IVs.
  • The left and right options in ipsec.conf can take multiple address ranges
    and subnets. This allows connection matching against a larger set of
    addresses, for example to use a different connection for clients connecting
    from an internal network.
  • For all those who have a queasy feeling about the NIST elliptic curve set,
    the Brainpool curves introduced for use with IKE by RFC 6932 might be a
    more trustworthy alternative.
  • The kernel-libipsec userland IPsec backend now supports usage statistics,
    volume based rekeying and accepts ESPv3 style TFC padded packets.
  • libipsec now properly calculates padding length especially for AES-GCM.
  • load-tester supports transport mode connections and more complex traffic
    selectors, including such using unique ports for each tunnel.
  • The new dnscert plugin provides support for authentication via CERT RRs that
    are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
  • The eap-radius plugin supports forwarding of several Cisco Unity specific
    RADIUS attributes in corresponding configuration payloads.
  • The ipsec pki utility and its subcommands all received man pages.
    The command itself is now installed in $prefix/bin by default, so the ipsec
    prefix is now optional.
  • pki --pub is able to convert public keys to other formats (e.g. DNSKEY or SSH).
  • Database transactions are now abstracted and implemented by the two backends.
    If you use MySQL make sure all tables use the InnoDB engine.
  • libstrongswan now can provide an experimental custom implementation of the
    printf family functions based on klibc if neither Vstr nor glibc style printf
    hooks are available. This can avoid the Vstr dependency on some systems at
    the cost of slower and less complete printf functions.
  • Handling of ICMP[v6] has been improved. For instance, traffic selectors with
    specific ICMP message type and code can now be configured in ipsec.conf
    and are properly installed in the kernel.
  • IKEv1 reauthentication should be more stable with third-party peers (ee99f37e, d2e4dd75).
  • Fixes a regression in 5.1.0 that caused a segmentation fault when reestablishing
    CHILD_SAs due to closeaction=restart|hold (e42ab08a).
  • Fixes a regression in 5.1.0 that caused IP addresses on ignored, down or loopback
    interfaces to get ignored when searching for an address contained in the local traffic
    selector (d7ae0b254).
  • The calculation of the ESN bitmap length in the kernel-netlink plugin was fixed (e001cc2b).
  • When removing configs via stroke plugin (e.g. with ipsec update/reload) matching
    peer configs are not removed anymore, if they are still used by other child configs (791fde16).
  • reqids of established CHILD_SAs are reused when routing connections via stroke plugin (32fef0c6).
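The IV policy in the initialization vector item above (sequential IVs for AES-GCM, random IVs for AES-CBC), as an added example in C written for this page rather than strongSwan's iv_gen code: a counter-mode generator that never wraps, beside a random one. The 8-byte IV size is the per-packet IV AES-GCM carries in ESP (RFC 4106); rand() standing in for the daemon's RNG, the type names and the starting values are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Counter-based IVs for AEAD/counter-mode ciphers such as AES-GCM, where a
 * repeated (key, IV) pair destroys both confidentiality and authenticity;
 * random IVs for CBC modes, which need unpredictability instead. */
typedef enum { IV_SEQUENTIAL, IV_RANDOM } iv_mode_t;

typedef struct {
    iv_mode_t mode;
    uint64_t next;     /* next counter value (sequential mode) */
    bool exhausted;    /* set once the counter would wrap */
} iv_gen_t;

void iv_gen_init(iv_gen_t *gen, bool aead, uint64_t start)
{
    gen->mode = aead ? IV_SEQUENTIAL : IV_RANDOM;
    gen->next = start;
    gen->exhausted = false;
}

/* Produce the next 8-byte IV. Returns false once a sequential generator is
 * exhausted: the caller must rekey the SA, never reset the counter. */
bool iv_gen_next(iv_gen_t *gen, uint8_t iv[8])
{
    if (gen->mode == IV_RANDOM) {
        /* rand() stands in for the daemon's RNG (constructed for the example) */
        for (int i = 0; i < 8; i++) {
            iv[i] = (uint8_t)(rand() & 0xff);
        }
        return true;
    }
    if (gen->exhausted) {
        return false;
    }
    uint64_t v = gen->next;
    for (int i = 7; i >= 0; i--) {    /* big-endian counter encoding */
        iv[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
    if (gen->next == UINT64_MAX) {
        gen->exhausted = true;
    } else {
        gen->next++;
    }
    return true;
}

uint64_t iv_to_u64(const uint8_t iv[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        v = (v << 8) | iv[i];
    }
    return v;
}

/* How many IVs a sequential generator hands out from `start` before it
 * refuses: shows that the counter stops instead of wrapping to zero. */
size_t ivs_until_exhausted(uint64_t start)
{
    iv_gen_t gen;
    uint8_t iv[8];
    size_t n = 0;
    iv_gen_init(&gen, true, start);
    while (iv_gen_next(&gen, iv)) {
        n++;
    }
    return n;
}

/* Value of the k-th sequential IV when starting at 0. */
uint64_t kth_sequential_iv(size_t k)
{
    iv_gen_t gen;
    uint8_t iv[8] = {0};
    iv_gen_init(&gen, true, 0);
    for (size_t i = 0; i <= k; i++) {
        iv_gen_next(&gen, iv);
    }
    return iv_to_u64(iv);
}

int main(void)
{
    iv_gen_t gcm, cbc;
    uint8_t iv[8];
    iv_gen_init(&gcm, true, 0);
    iv_gen_init(&cbc, false, 0);
    for (int i = 0; i < 3; i++) {
        iv_gen_next(&gcm, iv);
        printf("AES-GCM IV %d: %016llx\n", i, (unsigned long long)iv_to_u64(iv));
        iv_gen_next(&cbc, iv);
        printf("AES-CBC IV %d: %016llx\n", i, (unsigned long long)iv_to_u64(iv));
    }
    printf("IVs left when starting 3 below the maximum: %zu\n",
           ivs_until_exhausted(UINT64_MAX - 2));
    return 0;
}
```

In practice the counter space is never exhausted before volume- or time-based rekeying replaces the key; the refusal path exists so that a misconfigured lifetime fails closed rather than reusing an IV.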

5.1.0

01.08.2013

Major Release

100%

9 issues   (9 closed — 0 open)

Version 5.1.0

  • Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
    and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash
    was caused by insufficient error handling in the is_asn1() function.
    The vulnerability has been registered as CVE-2013-5018.
    Refer to our blog for details.
  • The new charon-cmd command line IKE client can establish road warrior
    connections using IKEv1 or IKEv2 with different authentication profiles.
    It does not depend on any configuration files (no ipsec.conf nor ipsec.secrets
    but may use strongswan.conf options) and can be configured using a few
    simple command line options.
  • The kernel-pfroute networking backend has been greatly improved. It now
    can install virtual IPs on TUN devices on Mac OS X and FreeBSD, allowing these
    systems to act as a client in common road warrior scenarios.
  • The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
    processing in userland on Linux, FreeBSD and Mac OS X.
  • The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
    directly verifying XAuth credentials using RADIUS User-Name/User-Password
    attributes. This is more efficient than the existing xauth-eap + eap-radius
    combination, and allows RADIUS servers without EAP support to act as AAA
    backend for IKEv1.
  • The new osx-attr plugin installs configuration attributes (currently DNS
    servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
    certificates from the OS X keychain service.
  • The sshkey plugin parses SSH public keys, which, together with the --agent
    option for charon-cmd, allows the use of ssh-agent for authentication.
    To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
    replaced with left|rightsigkey, which now take public keys in one of three
    formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
    PKCS#1 (the default, no prefix).
  • Extraction of certificates and private keys from PKCS#12 files is now provided
    by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well
    as charon (via P12 token in ipsec.secrets) can make use of this.
  • IKEv2 can now negotiate transport mode and IPComp in NAT situations.
  • IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
    on error conditions using an additional exchange, keeping state in sync
    between peers.
  • Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager
    can generate specific measurement workitems for an arbitrary number of
    Integrity Measurement Verifiers (IMVs) based on the history of the VPN user
    and/or device.

    The new strongTNC web application provides a frontend to manage such databases.
    This project was started by Stefan Rohner and Marco Tanner as part of their Bachelor Thesis.

  • Several core classes in libstrongswan are now tested with unit tests. These
    can be enabled with --enable-unit-tests and run with make check. Coverage
    reports can be generated with --enable-coverage and make coverage (this
    disables any optimization, so it should not be enabled when building
    production releases).
  • The leak-detective developer tool has been greatly improved. It works much
    faster and more reliably with multiple threads, does not use deprecated malloc hooks
    anymore and has been ported to OS X.
  • chunk_hash() is now based on SipHash-2-4 with a random key. This provides
    better distribution and prevents hash flooding attacks when used with
    hashtables. To generate reproducible hashes the chunk_hash_static() function
    can be used.
  • All default plugins implement the get_features() method to define features
    and their dependencies. The plugin loader has been improved, so that plugins
    in a custom load statement can be ordered freely or to express preferences
    without being affected by dependencies between plugin features.
  • A centralized thread can take care of watching multiple file descriptors
    concurrently. This removes the need for dedicated listener threads in
    various plugins. The number of "reserved" threads for such tasks has been
    reduced to about five, depending on the plugin configuration.
  • Plugins that can be controlled by a UNIX socket IPC mechanism gained network
    transparency. Third party applications querying these plugins now can use
    TCP connections from a different host.
    See the respective socket options in strongswan.conf.
  • Protocol and port can be specified for each individual subnet specified with
    the left|rightsubnet ipsec.conf options.
  • The closeaction ipsec.conf option is now also supported for IKEv1 (thanks to
    Oliver Smith for the initial patch).
  • libipsec now supports AES-GCM.
  • By replacing several linked lists that exist during the full lifetime of an SA with a
    simple array implementation the memory usage per tunnel is reduced by 5 KB or more.
  • Responders reuse reqids of trapped policies, making auto=route on both sides more reliable.
  • Instead of silently replacing a policy if the reqid changes, the kernel-netlink
    plugin now rejects such requests. This has consequences e.g. if two clients behind the
    same NAT use transport mode (see #365).
  • Capability dropping has been improved. Every plugin verifies that the capabilities
    it requires are actually held and requests to keep only those that are really required at runtime.
  • Support for silent rules was added to the build system; they can be enabled
    with --enable-silent-rules. make V=0 or V=1 can be used to build with a different
    verbosity than configured.
  • The unique identifier of an IKE_SA is passed as PLUTO_UNIQUEID to the updown script.
  • Whether the socket-default plugin uses IPv4 and/or IPv6 can be configured via strongswan.conf.
  • Fixed a race-condition if the DELETE for a redundant CHILD_SA created by a responder during a
    CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning
    CREATE_CHILD_SA request.
  • The X.509 certificate decoder provided by the openssl plugin supports IP address blocks (patch by Michael Rossberg).
  • scepclient can use a specific source address configured with the new --bind option.
  • Negotiation of IKEv1 DPD with Cisco IOS devices has been fixed, if they do not send the
    DPD vendor ID in the first message.
  • The ipsec stroke exportconncert and exportconnchain commands can be used to export
    either a single end entity certificate or the full trust chain for a specific connection.
  • The ipsec stroke up-nb and down-nb commands do the same as up and down, respectively,
    but they do not block until the command has finished.
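The keyed hashing behind the chunk_hash() item above, as an added example in C written for this page (not libstrongswan's chunk_hash() implementation): a SipHash-2-4 routine plus a bucket function of the kind a hashtable would use. With a secret 128-bit key an attacker cannot precompute inputs that land in one bucket, which is what stops hash flooding; the fixed key is only used here for the published reference vectors, and the sample identifiers, key values and table size are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

#define SIPROUND(v0, v1, v2, v3)                                          \
    do {                                                                  \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);     \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                          \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                          \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);     \
    } while (0)

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) {
        v = (v << 8) | p[i];
    }
    return v;
}

/* SipHash-2-4 (Aumasson/Bernstein): 2 compression rounds per 8-byte block,
 * 4 finalization rounds, 128-bit key, 64-bit output. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t inlen)
{
    uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    uint64_t v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)inlen << 56;   /* length byte in the last block */
    size_t i;

    for (i = 0; i + 8 <= inlen; i += 8) {          /* full 8-byte blocks */
        uint64_t m = load_le64(in + i);
        v3 ^= m;
        SIPROUND(v0, v1, v2, v3);
        SIPROUND(v0, v1, v2, v3);
        v0 ^= m;
    }
    for (size_t j = 0; i + j < inlen; j++) {       /* tail bytes, little-endian */
        b |= (uint64_t)in[i + j] << (8 * j);
    }
    v3 ^= b;
    SIPROUND(v0, v1, v2, v3);
    SIPROUND(v0, v1, v2, v3);
    v0 ^= b;
    v2 ^= 0xff;
    for (int r = 0; r < 4; r++) {
        SIPROUND(v0, v1, v2, v3);
    }
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Bucket index for a hashtable with `buckets` slots; the key is meant to
 * be drawn once from the RNG at daemon startup and never exposed. */
size_t hash_bucket(const uint8_t key[16], const void *data, size_t len, size_t buckets)
{
    return (size_t)(siphash24(key, data, len) % buckets);
}

/* Reference-vector helper: key 00..0f over the message 00..(n-1). */
uint64_t siphash24_vector(size_t n)
{
    uint8_t key[16], msg[64];
    for (int i = 0; i < 16; i++) {
        key[i] = (uint8_t)i;
    }
    if (n > sizeof(msg)) {
        n = sizeof(msg);
    }
    for (size_t i = 0; i < n; i++) {
        msg[i] = (uint8_t)i;
    }
    return siphash24(key, msg, n);
}

int main(void)
{
    /* constructed keys: a deployment draws one key from its RNG at startup */
    uint8_t key_a[16], key_b[16];
    for (int i = 0; i < 16; i++) {
        key_a[i] = (uint8_t)i;
        key_b[i] = (uint8_t)(0xa5 ^ i);
    }
    const char *ids[] = {"moon.strongswan.org", "sun.strongswan.org", "carol@strongswan.org"};
    for (size_t i = 0; i < 3; i++) {
        size_t len = strlen(ids[i]);
        printf("%-24s bucket %2zu under key A, %2zu under key B\n", ids[i],
               hash_bucket(key_a, ids[i], len, 64), hash_bucket(key_b, ids[i], len, 64));
    }
    printf("reference vector, empty message: %016llx\n",
           (unsigned long long)siphash24_vector(0));
    return 0;
}
```

The same input maps to different buckets under different keys, so a colliding input set prepared against one key is worthless against another process; the chunk_hash_static() variant the note mentions corresponds to hashing with a fixed key, which is reproducible but offers no flooding protection.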

5.0.4

30.04.2013

Minor Release

No issues for this version

Version 5.0.4

  • Fixed a security vulnerability in the openssl plugin which was reported by
    Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
    Before the fix, if the openssl plugin's ECDSA signature verification was used,
    due to a misinterpretation of the error code returned by the OpenSSL
    ECDSA_verify() function, an empty or zeroed signature was accepted as a
    legitimate one.
    Refer to our blog for details.
  • The handling of a couple of other non-security relevant OpenSSL return codes
    was fixed as well.
  • The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
    TCG TNC IF-MAP 2.1 interface.
  • The charon.initiator_only strongswan.conf option causes charon to ignore
    IKE initiation requests.
  • The openssl plugin can now use the openssl-fips library.
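The return-code pitfall behind the CVE-2013-2944 item above, as an added illustration in C that uses neither OpenSSL nor strongSwan code: ecdsa_verify_like() mimics only the return contract of OpenSSL's ECDSA_verify() (1 valid, 0 invalid, -1 error) over a minimal DER ECDSA-Sig-Value parser, with the curve arithmetic replaced by a comparison against a constructed (r, s) fixture. The buggy check, treating every non-zero result as success, is an assumed form of the misinterpretation and not the original strongSwan line; the sample signatures are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one short-form DER INTEGER of up to 8 value bytes at *p. */
static bool read_der_int(const uint8_t **p, const uint8_t *end, uint64_t *out)
{
    if (end - *p < 2 || (*p)[0] != 0x02) {
        return false;
    }
    size_t len = (*p)[1];
    if (len == 0 || len > 8 || (size_t)(end - *p) < 2 + len) {
        return false;
    }
    uint64_t v = 0;
    for (size_t i = 0; i < len; i++) {
        v = (v << 8) | (*p)[2 + i];
    }
    *out = v;
    *p += 2 + len;
    return true;
}

/* Same return contract as OpenSSL's ECDSA_verify():
 *    1  signature valid
 *    0  signature well-formed but wrong (or r/s out of range)
 *   -1  error, e.g. the DER ECDSA-Sig-Value could not be parsed
 * The curve check is a constructed fixture: (r, s) must equal (good_r, good_s). */
int ecdsa_verify_like(const uint8_t *sig, size_t siglen, uint64_t good_r, uint64_t good_s)
{
    const uint8_t *p = sig, *end = sig + siglen;
    uint64_t r, s;

    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] != siglen - 2) {
        return -1;                        /* not a SEQUENCE: empty, zeroed, truncated */
    }
    p += 2;
    if (!read_der_int(&p, end, &r) || !read_der_int(&p, end, &s) || p != end) {
        return -1;
    }
    if (r == 0 || s == 0) {
        return 0;                         /* r and s must lie in [1, n-1] */
    }
    return (r == good_r && s == good_s) ? 1 : 0;
}

/* Assumed shape of the misinterpretation: any non-zero result is taken as
 * success, so the error code -1 from an empty or zeroed signature passes. */
bool accept_vulnerable(int rc)
{
    return rc != 0;
}

/* Corrected interpretation: only the documented success value counts. */
bool accept_fixed(int rc)
{
    return rc == 1;
}

/* Constructed samples: 0 is the genuine signature for the fixture
 * (r = 0x2a, s = 0x17); 1 and 2 are the cases the note describes. */
int verify_sample(int which)
{
    static const uint8_t good[]  = {0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x17};
    static const uint8_t wrong[] = {0x30, 0x06, 0x02, 0x01, 0x2b, 0x02, 0x01, 0x17};
    static const uint8_t zeroed[8] = {0};
    switch (which) {
        case 0: return ecdsa_verify_like(good, sizeof(good), 0x2a, 0x17);
        case 1: return ecdsa_verify_like(good, 0, 0x2a, 0x17);             /* empty */
        case 2: return ecdsa_verify_like(zeroed, sizeof(zeroed), 0x2a, 0x17);
        case 3: return ecdsa_verify_like(wrong, sizeof(wrong), 0x2a, 0x17);
        default: return -1;
    }
}

int main(void)
{
    const char *names[] = {"genuine", "empty", "zeroed", "wrong r"};
    for (int i = 0; i < 4; i++) {
        int rc = verify_sample(i);
        printf("%-8s rc=%2d  vulnerable:%s  fixed:%s\n", names[i], rc,
               accept_vulnerable(rc) ? "accept" : "reject",
               accept_fixed(rc) ? "accept" : "reject");
    }
    return 0;
}
```

Tri-state verify functions are common across crypto libraries; the defensive habit is to compare against the documented success value and to treat every other value, negative ones included, as a rejected signature.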

5.0.3

05.04.2013

Minor Release

100%

8 issues   (8 closed — 0 open)

Version 5.0.3

  • The new ipseckey plugin enables authentication based on trustworthy public
    keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
    To do so it uses a DNSSEC enabled resolver, like the one provided by the new
    unbound plugin, which is based on libldns and libunbound. Both plugins were
    created by Reto Guadagnini. Examples: ikev2/net2net-dnssec ikev2/rw-dnssec
  • Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
    available to an IMV. The OS IMV stores the AR identity together with the
    device ID in the attest database.
  • The openssl plugin now uses the AES-NI accelerated version of AES-GCM
    if the hardware supports it.
  • The eap-radius plugin can now assign virtual IPs to IKE clients using the
    Framed-IP-Address attribute by using the %radius named pool in the
    rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
    Unity-capable IKEv1 clients during mode config. charon now sends Interim
    Accounting updates if requested by the RADIUS server, reports
    sent/received packets in Accounting messages, and adds a Terminate-Cause
    to Accounting-Stops.
  • The recently introduced ipsec listcounters command can report connection
    specific counters by passing a connection name, and global or connection
    counters can be reset by the ipsec resetcounters command.
  • The tnc-ifmap plugin has been reimplemented without any dependency to
    the Apache Axis2/C library. Several configuration options have been changed.
  • The strongSwan libpttls library provides an experimental implementation of
    PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
  • The charon systime-fix plugin can disable certificate lifetime checks on
    embedded systems if the system time is obviously out of sync after bootup.
    Certificate lifetimes are checked once the system time becomes sane, closing
    or reauthenticating connections that use expired certificates.
  • The ikedscp ipsec.conf option can set DiffServ code points on outgoing
    IKE packets.
  • The new xauth-noauth plugin allows the use of basic RSA or PSK authentication with
    clients that cannot be configured without XAuth authentication. The plugin
    simply concludes the XAuth exchange successfully without actually performing
    any authentication. Therefore, to use this backend it has to be selected
    explicitly with rightauth2=xauth-noauth.
  • The new charon-tkm IKEv2 daemon delegates security critical operations to a
    separate process. This has the benefit that the network facing daemon has no
    knowledge of keying material used to protect child SAs. Thus subverting
    charon-tkm does not result in the compromise of cryptographic keys.
    The extracted functionality has been implemented from scratch in a minimal TCB
    (trusted computing base) in the Ada programming language. Further information
    can be found at http://www.codelabs.ch/tkm/.
  • Multiple certificates can be configured for left|rightcert in ipsec.conf. The daemon
    chooses the certificate based on the received certificate requests, if possible,
    before enforcing the first.
  • Mutual EAP authentication has been fixed when it is not used as first authentication
    round.
  • The NetworkManager backend (charon-nm) uses a TUN device to satisfy NM's need
    for a network device. This fixes LP:872824.
  • A route is installed for shunt policies (passthrough/drop). This fixes some combinations
    of shunt policies and virtual IP addresses as locally generated traffic wouldn't match
    the shunt policy anymore due to the route installed with the VIP. Also, the unity plugin
    includes the local address in split-exclude shunt policies.
  • Added an option (charon.plugins.ha.autobalance) to balance a HA cluster automatically.
  • Most parts of the android plugin (the backend for the Android VPN applet patch) have
    been removed and the remaining DNS handler has been moved to the new android-dns plugin.
  • Alignment issues in the kernel-netlink plugin have been fixed and the Netlink XFRM message
    attribute handling has been refactored.
  • The --disable-defaults configure option disables all features
    that are enabled by default.
  • The charon.plugins.stroke.timeout strongswan.conf option defines a timeout in ms
    for any stroke command.
  • ipsec statusall reports the number of processed IPsec packets.
  • Reloading secrets from ipsec.secrets with ipsec rereadsecrets is now done atomically.
  • Supplementary groups are initialized using initgroups(3) when running as unprivileged user.
  • Fixed handling of IPv6 SQL address pools if multiple pools are assigned to rightsourceip.

5.0.2

31.01.2013

Minor Release

100%

11 issues   (11 closed — 0 open)

Version 5.0.2

  • Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
    pair using them to transfer operating system information.
  • The new ipsec listcounters command prints a list of global counter values
    about received and sent IKE messages and rekeyings.
  • A new lookip plugin can perform fast lookup of tunnel information using a
    client's virtual IP and can send notifications about established or deleted
    tunnels. The "ipsec lookip" command can be used to query such information
    or receive notifications.
  • The new error-notify plugin catches some common error conditions and allows
    an external application to receive notifications for them over a UNIX socket.
  • IKE proposals can now use a PRF algorithm different to that defined for
    integrity protection. If an algorithm with a "prf" prefix is defined
    explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
    the integrity algorithm is added to the proposal.
  • The pkcs11 plugin can now load leftcert certificates from a smartcard for a
    specific ipsec.conf conn section and cacert CA certificates for a specific ca
    section.
  • The load-tester plugin gained additional options for certificate generation
    and can load keys and multiple CA certificates from external files. It can
    install a dedicated outer IP address for each tunnel and tunnel initiation
    batches can be triggered and monitored externally using the
    ipsec load-tester tool.
  • PKCS#7 container parsing has been modularized, and the openssl plugin
    gained an alternative implementation to decrypt and verify such files.
    In contrast to our own DER parser, OpenSSL can handle BER files, which is
    required for interoperability of our scepclient with EJBCA.
  • Support for the proprietary IKEv1 fragmentation extension has been added.
    Fragments are always handled on receipt but only sent if supported by the peer
    and if enabled with the new fragmentation ipsec.conf option.
  • IKEv1 in charon can now parse certificates received in PKCS#7 containers and
    supports NAT traversal as used by Windows clients. Patches courtesy of
    Volker Rümelin.
  • The new rdrand plugin provides a high quality / high performance random
    source using the Intel rdrand instruction found on Ivy Bridge processors.
  • The integration test environment (see source:testing/README) was updated and
    now uses KVM and reproducible guest images based on Debian.
  • The charon.ikesa_limit strongswan.conf option allows responders to limit
    the number of concurrently established IKE_SAs.
  • The charon daemon reloads the logger configuration from strongswan.conf
    if it receives a SIGHUP. Besides changing the configuration, this allows log
    files created by file loggers to be rotated easily without restarting the daemon.
  • Resolving hosts by DNS name is now done in separate threads, which allows us
    to cancel these lookups (if getaddrinfo(3) is a cancellation point, anyway).
    The maximum number of threads can be configured in strongswan.conf.
  • Changed connections with auto=route are properly updated during ipsec update|reload.
  • Added missing XFRM marks for several functions in the kernel-netlink plugin.
  • The encoding of TLS extensions (elliptic_curves and signature_algorithms) was fixed.
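The PRF rule from the IKE proposal item above, as an added example in C written for this page (not strongSwan's proposal parser): an explicit "prf"-prefixed token is used as-is, otherwise the integrity algorithm's hash supplies the PRF. The token classification by prefix, the rejection of an AEAD proposal that carries neither an integrity algorithm nor an explicit PRF, and the sample proposal strings are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ALG_LEN 32

typedef struct {
    char enc[ALG_LEN];
    char integ[ALG_LEN];
    char prf[ALG_LEN];
    char dh[ALG_LEN];
} ike_proposal_t;

static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

static void set_alg(char *dst, const char *token)
{
    strncpy(dst, token, ALG_LEN - 1);
    dst[ALG_LEN - 1] = '\0';
}

/* Parse "enc-integ[-prfX]-dh" proposal strings. Classification is by prefix
 * (assumption of this example): "prf..." explicit PRF, "modp..."/"ecp..." DH
 * group, hash-like names (sha*, md5, aesxcbc, aescmac) integrity, anything
 * else encryption. Without an explicit PRF the integrity hash supplies one;
 * an AEAD proposal without integrity therefore needs an explicit PRF. */
bool parse_ike_proposal(const char *str, ike_proposal_t *out)
{
    char buf[128];

    memset(out, 0, sizeof(*out));
    if (strlen(str) >= sizeof(buf)) {
        return false;
    }
    strcpy(buf, str);
    for (char *tok = strtok(buf, "-"); tok; tok = strtok(NULL, "-")) {
        if (has_prefix(tok, "prf")) {
            set_alg(out->prf, tok);
        } else if (has_prefix(tok, "modp") || has_prefix(tok, "ecp")) {
            set_alg(out->dh, tok);
        } else if (has_prefix(tok, "sha") || has_prefix(tok, "md5") ||
                   has_prefix(tok, "aesxcbc") || has_prefix(tok, "aescmac")) {
            set_alg(out->integ, tok);
        } else {
            set_alg(out->enc, tok);
        }
    }
    if (out->prf[0] == '\0') {
        if (out->integ[0] == '\0') {
            return false;                                   /* no PRF can be derived */
        }
        snprintf(out->prf, ALG_LEN, "prf%s", out->integ);   /* implicit PRF */
    }
    return out->enc[0] != '\0' && out->dh[0] != '\0';
}

/* Does the proposal parse and end up with the given PRF / integrity? */
bool proposal_prf_is(const char *str, const char *expected_prf)
{
    ike_proposal_t p;
    return parse_ike_proposal(str, &p) && strcmp(p.prf, expected_prf) == 0;
}

bool proposal_integ_is(const char *str, const char *expected)
{
    ike_proposal_t p;
    return parse_ike_proposal(str, &p) && strcmp(p.integ, expected) == 0;
}

int main(void)
{
    /* constructed sample proposals */
    const char *samples[] = {"aes256-sha256-modp2048", "aes256-sha256-prfsha384-modp2048",
                             "aes128gcm16-prfsha256-ecp256", "aes128gcm16-ecp256"};
    for (size_t i = 0; i < 4; i++) {
        ike_proposal_t p;
        if (parse_ike_proposal(samples[i], &p)) {
            printf("%-34s enc=%s integ=%s prf=%s dh=%s\n", samples[i], p.enc,
                   p.integ[0] ? p.integ : "(aead)", p.prf, p.dh);
        } else {
            printf("%-34s rejected: no PRF can be derived\n", samples[i]);
        }
    }
    return 0;
}
```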

5.0.1

03.10.2012

Minor Release

100%

18 issues   (18 closed — 0 open)

Version 5.0.1

  • Introduced the sending of the standard IETF Assessment Result
    PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
  • Extended PTS Attestation IMC/IMV pair to provide full evidence of
    the Linux IMA measurement process. All pertinent file information
    of a Linux OS can be collected and stored in an SQL database.
  • The PA-TNC and PB-TNC protocols can now process huge data payloads
    >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
    and these messages over several PB-TNC batches. As long as no
    consolidated recommendation from all IMVs can be obtained, the TNC
    server requests more client data by sending an empty SDATA batch.
  • The rightgroups2 ipsec.conf option can require group membership during
    a second authentication round, for example during XAuth authentication
    against a RADIUS server.
  • The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
    clients against any PAM service. The IKEv2 eap-gtc plugin does not use
    PAM directly anymore, but can use any XAuth backend to verify credentials,
    including xauth-pam.
  • The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
    Extensions. As client, charon narrows traffic selectors to the received
    Split-Include attributes and automatically installs IPsec bypass policies
    for received Local-LAN attributes. As server, charon sends Split-Include
    attributes for leftsubnet definitions containing multiple subnets to Unity-
    aware clients.
  • An EAP-Nak payload is returned by clients if the gateway requests an EAP
    method that the client does not support. Clients can also request a specific
    EAP method by configuring that method with leftauth in ipsec.conf.
  • The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
    these to select a different EAP method supported/requested by the client.
    The plugin initially requests the first registered method or the first method
    configured with charon.plugins.eap-dynamic.preferred in strongswan.conf.
  • The new left|rightdns ipsec.conf options specify connection specific DNS servers to
    request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
    can be any (comma separated) combination of %config4 and %config6 to request
    multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
    IP addresses to return.
  • The left|rightsourceip options now accept multiple addresses or pools.
    leftsourceip can be any (comma separated) combination of %config4, %config6
    or fixed IP addresses to request. rightsourceip accepts multiple explicitly
    specified or referenced named pools.
  • Multiple connections can now share a single address pool when they use the
    same definition in one of the rightsourceip pools.
  • The strongswan.conf options charon.interfaces_ignore and charon.interfaces_use
    allow one to configure the network interfaces used by the daemon.
  • The kernel-netlink plugin supports the new strongswan.conf option
    charon.install_virtual_ip_on, which specifies the interface on which
    virtual IP addresses will be installed. If it is not specified the current behavior
    of using the outbound interface is preserved.
  • The kernel-netlink plugin tries to keep the current source address when
    looking for valid routes to reach other hosts.
  • The autotools build has been migrated to use a config.h header. strongSwan
    development headers will get installed during "make install" if
    --with-dev-headers has been passed to ./configure.
  • All crypto primitives gained return values for most operations, allowing
    crypto backends to fail, for example when using hardware accelerators.
  • The UDP ports used by charon can be configured via ./configure or the
    charon.port and charon.port_nat_t options in strongswan.conf;
    if ports are configured as 0 they will be allocated randomly.
  • With uniqueids=never configured in ipsec.conf INITIAL_CONTACT notifies are ignored.
    Even with uniqueids=no configured the daemon will delete existing IKE_SAs with the same
    peer upon receipt of an INITIAL_CONTACT notify. This new option allows these notifies to be ignored.
  • Prefixing the identity configured with rightid with a % character prevents initiators
    from sending an IDr payload in the IKE_AUTH exchange. Later the configured identity will
    not only be checked against the returned IDr, but also against other identities contained
    in the responder's certificate.
  • Non-"/0" subnet sizes are accepted for traffic selectors starting at 0.0.0.0.
  • Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down.
  • Caching of relations in validated certificate chains can be disabled with the
    libstrongswan.cert_cache strongswan.conf option.
  • Logging of multi-line log messages was fixed in situations where more than one logger
    was registered.
  • Fixed the transmission of the EAP-MSCHAPv2 user name if it contains a domain part.
  • Added an option to enforce the configured destination address for DHCP packets.

5.0.0

30.06.2012

Major Release

100%

5 issues   (5 closed — 0 open)

Version 5.0.0

  • The charon IKE daemon gained experimental support for the IKEv1 protocol.
    Pluto has been removed from the 5.x series, and unless strongSwan is
    configured with --disable-ikev1 or --disable-ikev2, charon handles
    both keying protocols. The feature-set of IKEv1 in charon is almost on par with
    pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
    RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
    mode. Information for interoperability and migration is available on
    our wiki. More details about the history and context of these changes
    can be found in our related blog post.
  • Charon's bus_t has been refactored so that loggers and other listeners are
    now handled separately. The single lock was previously a cause of deadlocks
    if extensive listeners, such as the one provided by the updown plugin, wanted
    to acquire locks that were held by other threads which in turn tried to log
    messages, and thus were waiting to acquire the same lock currently held by
    the thread calling the listener.
    The implemented changes also allow the use of a read/write-lock for the
    loggers which increases performance if multiple loggers are registered.
    Besides several interface changes this last bit also changes the semantics
    for loggers as these may now be called by multiple threads concurrently.
  • Source routes are reinstalled if interfaces are reactivated or IP addresses
    reappear.
  • The thread pool (processor_t) now has more control over the lifecycle of
    a job (see source:src/libstrongswan/processing/jobs/job.h for details).
    In particular, it now controls the destruction of jobs after execution and
    the cancellation of jobs during shutdown. Due to these changes the requeueing
    feature, previously available to callback_job_t only, is now available to all
    jobs (in addition to a new rescheduling feature).
  • In addition to trustchain key strength definitions for different public key
    systems, the rightauth ipsec.conf option now takes a list of signature
    hash algorithms considered safe for trustchain validation. For example,
    the setting rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512
    requires a trustchain that uses at least RSA-2048 or ECDSA-256 keys and
    certificate signatures using SHA-256 or better.
  • The NetworkManager charon plugin of previous releases is now provided by a
    separate executable (charon-nm) and it should work again with NM 0.9.
  • scepclient was updated and it now works fine with Windows Server 2008 R2.
    Among other things, support for multiple CA/RA certificates and configurable
    digest/signature algorithms was added.
  • Thanks to initial patches by Aleksandr Grinberg the openssl plugin now provides
    PRFs and signers based on HMACs, and can also be used as RNG.
  • The left|rightallowany ipsec.conf option previously available only for
    IKEv1 is now also supported for IKEv2 connections.
  • A strongswan.conf option to retry the initiation of an IKE_SA, if it failed due to a
    failed DNS lookup, was added (charon.retry_initiate_interval, disabled by default).
  • The source address lookup for IPv6 addresses was fixed (this fixes MOBIKE with IPv6,
    which was broken in some scenarios since 4.6.2).
  • Installing IPsec policies with ports (left|rightprotoport) was fixed in the
    PF_KEY kernel interface.

4.6.4

31.05.2012

Minor Release

No issues for this version

Version 4.6.4

  • Fixed a security vulnerability in the gmp plugin. If this plugin was used
    for RSA signature verification an empty or zeroed signature was handled as
    a legitimate one.
    Refer to our blog for details.
  • Fixed several issues with reauthentication and address updates.

4.6.3

01.05.2012

Minor Release

100%

4 issues   (4 closed — 0 open)

Version 4.6.3

  • The tnc-pdp plugin implements a RADIUS server interface allowing
    a strongSwan TNC server to act as a Policy Decision Point.
  • The eap-radius authentication backend enforces Session-Timeout attributes
    using RFC 4478 repeated authentication and acts upon RADIUS Dynamic
    Authorization extensions, RFC 5176. Currently supported are disconnect
    requests and CoA messages containing a Session-Timeout.
  • The eap-radius plugin can forward arbitrary RADIUS attributes from and to
    clients using custom IKEv2 notify payloads. The new radattr plugin reads
    attributes to include from files and prints received attributes to the
    console.
  • Added support for untruncated MD5 and SHA1 HMACs in ESP as used in
    RFC 4595.
  • The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms
    as defined in RFC 4494 and RFC 4615, respectively.
  • The resolve plugin automatically installs nameservers via resolvconf(8),
    if it is installed, instead of modifying /etc/resolv.conf directly.
  • The IKEv2 charon daemon now supports raw RSA public keys in RFC 3110
    DNSKEY and PKCS#1 file format.
  • The farp plugin sends ARP responses for any tunneled address, not only virtual IPs.
  • Charon resolves hosts again during additional keying tries.
  • Fixed switching back to original address pair during MOBIKE.
  • When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value,
    as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t,
    see source:src/libcharon/sa/keymat.h#39 for details.
  • COOKIEs are now kept enabled a bit longer to avoid certain race conditions; the commit
    message of 1b7debcc has some details.
  • The new stroke user-creds command allows setting the username/password for a connection.
  • Added a workaround for null-terminated XAuth secrets (as sent by Android 4).

4.6.2

21.02.2012

Minor Release

100%

6 issues   (6 closed — 0 open)

Version 4.6.2

  • Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
    which supports IF-TNCCS 2.0 long message types, the exclusive flags
    and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
    the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
  • The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
    start/stop messages containing Username, Framed-IP and Input/Output-Octets
    attributes and has been tested against FreeRADIUS and Microsoft NPS.

    Radius Accounting Example

  • Added support for PKCS#8 encoded private keys via the libstrongswan
    pkcs8 plugin. This is the default format used by some OpenSSL tools since
    version 1.0.0 (e.g. openssl req with -keyout).
  • Added session resumption support to the strongSwan TLS stack.
  • The maximum number of stroke messages concurrently handled by the charon
    daemon is now limited to avoid clogging the thread pool with potentially
    blocking jobs. How many messages are handled concurrently can be configured
    with the charon.plugins.stroke.max_concurrent option in strongswan.conf.
  • For Android builds the binaries to be installed on the final system have to be
    added to PRODUCT_PACKAGES in build/target/product/core.mk. Dependencies such as
    libraries are automatically installed. See the comments in the top-level Android.mk.
  • Debug output for low-level encoding/decoding (X.509, ASN.1 etc.) is now logged
    in a new ASN log group.
  • The native thread ID is logged in the LIB log group with log level 2 when a thread is created.

4.6.1

10.11.2011

Minor Release

No issues for this version

Version 4.6.1

  • Because of changing checksums before and after installation which caused
    the integrity tests to fail we avoided directly linking libsimaka, libtls and
    libtnccs to those libcharon plugins which make use of these dynamic libraries.
    Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu
    11.10 activated the --as-needed ld option which discards explicit links
    to dynamic libraries that are not actually used by the charon daemon itself,
    thus causing failures during the loading of the plugins which depend on these
    libraries for resolving external symbols.
  • Therefore our approach of computing integrity checksums for plugins had to be
    changed radically by moving the hash generation from the compilation to the
    post-installation phase.

4.6.0

05.11.2011

Major Release

100%

4 issues   (4 closed — 0 open)

Version 4.6.0

  • The new libstrongswan certexpire plugin collects expiration information of
    all used certificates and exports them to CSV files. It either directly
    exports them or uses cron style scheduling for batch exports.
  • starter passes unresolved hostnames to charon, allowing it to defer name
    resolution until the connection attempt. This is especially useful with
    connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey
    for the initial patch.
  • The android plugin can now be used without the Android frontend patch and
    provides DNS server registration and logging to logcat.
  • Pluto and starter (plus stroke and whack) have been ported to Android. With starter and
    stroke the IKEv2 daemon charon can now be configured via ipsec.conf on Android.
  • Support for ECDSA private and public key operations has been added to the
    pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can
    use tokens as random number generators (RNG). By default only private key
    operations are enabled, more advanced features have to be enabled by their
    option in strongswan.conf. This also applies to public key operations (even
    for keys not stored on the token) which were enabled by default before.
  • The libstrongswan plugin system now supports detailed plugin dependencies.
    Many plugins have been extended to export their capabilities and requirements.
    This allows the plugin loader to resolve plugin loading order automatically,
    and in future releases, to dynamically load the required features on demand.
    Existing third party plugins are source (but not binary) compatible if they
    properly initialize the new get_features() plugin function to NULL.
  • The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver
    metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap
    plugin requires the Apache Axis2/C library.
  • Remote attestation effected by the TCG Platform Trust Service (PTS)
    can be transferred via the TNC IF-M 1.0 protocol (RFC 5792 PA-TNC)
    to a strongSwan TNC server. Currently remote file measurements are
    supported with full TPM support expected for the 4.6.1 release.
    For details consult the following link: http://www.strongswan.org/uml/pts/
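The dependency resolution described for the plugin loader above (plugins export what they provide and what they require, and the loader orders them accordingly) can be illustrated with a small feature-graph resolver. The following is an added example written for this page, not strongSwan's get_features() machinery; the plugin names, feature identifiers and the registry are constructed for illustration and do not reflect strongSwan's real feature ids.

```python
"""Resolve plugin load order from exported features (added illustration).

Each plugin exports the features it provides and the ones it depends on;
the loader orders plugins so that every dependency is loaded first and
reports plugins whose requirements nobody provides. Plugin and feature
names below are constructed for the example.
"""
from collections import defaultdict

# Constructed registry: plugin -> (provides, depends). Feature names mimic
# a "category:algorithm" style but are not strongSwan's real feature ids.
PLUGINS = {
    "random":     ({"rng"}, set()),
    "sha2":       ({"hasher:sha256"}, set()),
    "hmac":       ({"prf:hmac-sha256"}, {"hasher:sha256"}),
    "gmp":        ({"pubkey:rsa"}, {"rng"}),
    "x509":       ({"cert:x509"}, {"hasher:sha256", "pubkey:rsa"}),
    "revocation": ({"validator:crl"}, {"cert:x509", "fetcher"}),  # nobody provides "fetcher"
}


def resolve_load_order(plugins):
    """Return (order, unresolved) for a registry shaped like PLUGINS.

    order lists loadable plugins with dependencies before dependants;
    unresolved maps a plugin to the features it needs that no loadable
    plugin provides. Members of a dependency cycle end up unresolved too.
    """
    # Feature -> first plugin that provides it.
    provider = {}
    for name, (provides, _) in plugins.items():
        for feat in provides:
            provider.setdefault(feat, name)

    # Plugin-level graph: which plugins must be loaded before each one.
    needs = {}
    missing = defaultdict(set)
    for name, (_, depends) in plugins.items():
        needs[name] = set()
        for feat in depends:
            if feat in provider:
                needs[name].add(provider[feat])
            else:
                missing[name].add(feat)

    order, loaded = [], set()
    pending = {n for n in plugins if n not in missing}
    while pending:
        # Kahn-style pass: everything whose prerequisites are loaded goes
        # next; sorted for deterministic output.
        ready = sorted(n for n in pending if needs[n] <= loaded)
        if not ready:
            break  # remaining plugins depend on each other or on failed ones
        for n in ready:
            order.append(n)
            loaded.add(n)
            pending.remove(n)

    # Whatever is still pending depends, directly or transitively, on a plugin
    # that could not be loaded; report the features it cannot obtain.
    unresolved = {n: set(f) for n, f in missing.items()}
    for n in pending:
        unresolved[n] = {f for f in plugins[n][1] if provider.get(f) not in loaded}
    return order, unresolved


if __name__ == "__main__":
    order, unresolved = resolve_load_order(PLUGINS)
    print("load order:", order)
    print("unresolved:", unresolved)
```

Running it with the constructed registry loads random, sha2, gmp, hmac and x509 in that order and reports revocation as unresolved because no plugin provides the constructed "fetcher" feature; adding a provider for it makes revocation load last.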

4.5.3

03.08.2011

Minor Release

100%

1 issue   (1 closed — 0 open)

Version 4.5.3

  • Our private libraries (e.g. libstrongswan) are not installed directly in
    prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
    default). The plugins directory is also moved from libexec/ipsec/ to that
    directory.
  • The dynamic IMC/IMV libraries were moved from the plugins directory to
    a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
  • Job priorities were introduced to prevent thread starvation caused by too
    many threads handling blocking operations (such as CRL fetching).
  • The IKEv2 charon daemon supports PASS and DROP shunt policies, which
    prevent traffic from going through IPsec connections. The shunt policies
    are installed via either the XFRM netfilter or the PF_KEYv2 IPsec kernel
    interface.
  • The history of policies installed in the kernel is now tracked so that e.g.
    trap policies are correctly updated when reauthenticated SAs are terminated.
  • IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
    Using "netstat -l" the IMC scans open listening ports on the TNC client
    and sends a port list to the IMV which based on a port policy decides if
    the client is admitted to the network.
    (--enable-imc-scanner/--enable-imv-scanner).
  • IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
    (--enable-imc-test/--enable-imv-test).
  • The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
    setting, but the value defined by its own closeaction keyword. The action
    is triggered if the remote peer closes a CHILD_SA unexpectedly.

4.5.2

15.05.2011

Minor Release

100%

1 issue   (1 closed — 0 open)

Version 4.5.2

  • The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
    whitelist. Any connection attempt of peers not whitelisted will get rejected.
    The 'ipsec whitelist' utility provides a simple command line frontend for
    whitelist administration.
  • The duplicheck plugin provides a specialized form of duplicate checking,
    doing a liveness check on the old SA and optionally notifying a third party
    application about detected duplicates.
  • The coupling plugin permanently couples two or more devices by limiting
    authentication to previously used certificates.
  • In the case that the peer config and child config don't have the same name
    (usually in SQL database defined connections), ipsec up|route <peer config>
    starts|routes all associated child configs and ipsec up|route <child config>
    only starts|routes the specific child config.
  • Fixed the encoding and parsing of X.509 certificate policy statements (CPS).
  • Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
    pcsc-lite based SIM card backend.
  • The eap-peap plugin implements the EAP PEAP protocol. Interoperates
    successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
  • The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
    all plugins to reload. Currently only the eap-radius and the attr plugins
    support configuration reloading.
  • Added userland support to the IKEv2 daemon for Extended Sequence Numbers
    support coming with Linux 2.6.39. To enable ESN on a connection, add
    the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
    numbers only ('noesn'), and the same value is used if no ESN mode is
    specified. To negotiate ESN support with the peer, include both, e.g.
    esp=aes128-sha1-esn-noesn.
  • In addition to ESN, Linux 2.6.39 gained support for replay windows larger
    than 32 packets. The new global strongswan.conf option 'charon.replay_window'
    configures the size of the replay window, in packets.
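The replay window configured by charon.replay_window is the receiver's record of which recent ESP sequence numbers have already been accepted; a packet is accepted only if it is newer than everything seen so far, or falls inside the window and has not been seen yet. The following added example (written for this page, not strongSwan's kernel or userland code) implements that sliding-window check and shows why the window size matters once packets arrive out of order. It assumes the receiver already knows the full sequence counter; with ESN only the low 32 bits are on the wire and the receiver reconstructs the high half, which is not shown here.

```python
"""Sliding-window anti-replay check for ESP, as an added illustration.

ESP receivers keep a bitmap of recently accepted sequence numbers. With a
32-packet window a legitimate packet that is reordered by more than 32
positions is dropped as "too old", which is why larger windows (the
charon.replay_window option) help on links with heavy reordering.
"""


class ReplayWindow:
    """Anti-replay state for one inbound SA (constructed illustration)."""

    def __init__(self, size=32, extended=False):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        # Largest sequence number accepted so far; 0 means nothing yet.
        self.top = 0
        # Bit i set => sequence number (top - i) has been accepted.
        self.bitmap = 0
        # ESN uses a 64-bit counter; this example assumes the receiver already
        # knows the full value (high-order bits are not reconstructed here).
        self.max_seq = (1 << 64) - 1 if extended else (1 << 32) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh, False if replayed or stale."""
        if seq <= 0 or seq > self.max_seq:
            return False  # sequence number 0 is never valid on the wire
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything older drops out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # too old: outside the window, cannot prove it is fresh
        bit = 1 << offset
        if self.bitmap & bit:
            return False  # already accepted once: replay
        self.bitmap |= bit
        return True


def filter_packets(seqs, size=32):
    """Run received ESP sequence numbers through a window of the given size.

    Returns (accepted, rejected) so the effect of the window size on a
    reordered stream can be compared directly.
    """
    win = ReplayWindow(size)
    accepted, rejected = [], []
    for s in seqs:
        (accepted if win.check_and_update(s) else rejected).append(s)
    return accepted, rejected


# Constructed sample: packet 5 arrives late, after packet 100 has been seen,
# and packet 100 is then replayed once.
SAMPLE = [1, 2, 3, 4, 6, 7, 100, 5, 100, 101]

if __name__ == "__main__":
    for size in (32, 128):
        acc, rej = filter_packets(SAMPLE, size)
        print(f"window {size:3d}: rejected {rej}")
```

With a 32-packet window the late packet 5 is dropped together with the replayed 100; with a 128-packet window only the replay is dropped.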

4.5.1

11.02.2011

Minor Release

No issues for this version

Version 4.5.1

  • Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
    compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
    requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
    on the libtnc library. Any available IMV/IMC pairs conforming to the
    Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
    can be loaded via /etc/tnc_config.
  • Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
    in place of the external libtnc library.
  • The tnccs_dynamic plugin loaded on a TNC server in addition to the
    tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
    protocol version used by a TNC client and invokes an instance of
    the corresponding protocol stack.
  • IKE and ESP proposals can now be stored in an SQL database using a
    new proposals table. The start_action field in the child_configs
    tables allows the automatic starting or routing of connections stored
    in an SQL database.
  • The new certificate_authorities and certificate_distribution_points
    tables make it possible to store CRL and OCSP Certificate Distribution
    points in an SQL database.
  • The new 'include' statement allows to recursively include other files in
    strongswan.conf. Existing sections and values are thereby extended and
    replaced, respectively.
  • Due to the changes in the parser for strongswan.conf, the configuration
    syntax for the attr plugin has changed. Previously, it was possible to
    specify multiple values of a specific attribute type by adding multiple
    key/value pairs with the same key (e.g. dns) to the plugins.attr section.
    Because values with the same key now replace previously defined values
    this is not possible anymore. As an alternative, multiple values can be
    specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
  • ipsec listalgs now appends, in square brackets, the name of the plugin that
    registered each listed crypto algorithm.
  • Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
    by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
    boundary, the special value '%mtu' pads all packets to the path MTU.
  • The new af-alg plugin can use various crypto primitives of the Linux Crypto
    API using the AF_ALG interface introduced with 2.6.38. This removes the need
    for additional userland implementations of symmetric cipher, hash, hmac and
    xcbc algorithms.
  • The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
    responder. The notify is sent when initiating configurations with a unique
    policy, set in ipsec.conf via the global 'uniqueids' option.
  • The conftest conformance testing framework enables the IKEv2 stack to perform
    many tests using a distinct tool and configuration frontend. Various hooks
    can alter reserved bits, flags, add custom notifies and proposals, reorder
    or drop messages and much more. It is enabled using the --enable-conftest
    ./configure switch.
  • The new libstrongswan constraints plugin provides advanced X.509 constraint
    checking. In addition to X.509 pathLen constraints, the plugin checks for
    nameConstraints and certificatePolicies, including policyMappings and
    policyConstraints. The x509 certificate plugin and the pki tool have been
    enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
    connection keywords take OIDs a peer certificate must have.
  • The left/rightauth ipsec.conf keywords accept values with a minimum strength
    for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
  • The revocation and x509 libstrongswan plugins and the pki tool gained basic
    support for delta CRLs.
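The left/rightauth trustchain constraints introduced in this release (minimum key strengths such as rsa-2048 or ecdsa-256) and extended in 5.0.0 with a list of acceptable signature hash algorithms (e.g. rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512) form a flat token list that a validator applies to every certificate in the chain. The following added example, written for this page and not taken from strongSwan's constraints plugin, parses that syntax and evaluates a constructed certificate chain against it. Two interpretation choices are assumptions of the example: a key type with no listed minimum is left unconstrained, and the trust anchor's self-signature hash is not checked.

```python
"""Evaluate ipsec.conf left/rightauth trustchain constraints (added illustration).

A value such as rsa-2048-ecdsa-256-sha256-sha384-sha512 is a flat list of
tokens: key-type/minimum-bit pairs followed by hash algorithm names. This
example parses that list and applies it to a constructed certificate chain.
"""

KEY_TYPES = ("rsa", "ecdsa")
HASHES = ("md5", "sha1", "sha256", "sha384", "sha512")


def parse_auth_constraints(value):
    """Split 'rsa-2048-ecdsa-256-sha256-sha384' into (min_bits, hashes).

    min_bits maps key type -> minimum size in bits; hashes is the set of
    signature hash algorithms accepted in the chain (empty set: any hash).
    """
    if value == "pubkey":
        return {}, set()
    tokens = value.split("-")
    min_bits, hashes = {}, set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEY_TYPES:
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError(f"{tok} must be followed by a key size in bits")
            min_bits[tok] = int(tokens[i + 1])
            i += 2
        elif tok in HASHES:
            hashes.add(tok)
            i += 1
        else:
            raise ValueError(f"unknown constraint token {tok!r}")
    return min_bits, hashes


def check_trustchain(chain, value):
    """Return a list of violations for chain under the constraint value.

    chain is ordered from end-entity to trust anchor; each entry carries
    key_type, key_bits and sig_hash (the hash used to sign that certificate).
    Assumptions of this example (not a quote of strongSwan's code): a key
    type without a listed minimum is not constrained, and the anchor's
    self-signature hash is not checked.
    """
    min_bits, hashes = parse_auth_constraints(value)
    violations = []
    for idx, cert in enumerate(chain):
        required = min_bits.get(cert["key_type"])
        if required is not None and cert["key_bits"] < required:
            violations.append(
                f"{cert['subject']}: {cert['key_type']}-{cert['key_bits']} "
                f"below minimum {required}")
        is_anchor = idx == len(chain) - 1
        if hashes and not is_anchor and cert["sig_hash"] not in hashes:
            violations.append(
                f"{cert['subject']}: signed with {cert['sig_hash']}, "
                f"allowed {sorted(hashes)}")
    return violations


# Constructed chain: a weak intermediate CA key, itself signed with SHA-1.
SAMPLE_CHAIN = [
    {"subject": "vpn.example.org", "key_type": "rsa", "key_bits": 2048, "sig_hash": "sha256"},
    {"subject": "Example Sub CA", "key_type": "rsa", "key_bits": 1024, "sig_hash": "sha1"},
    {"subject": "Example Root CA", "key_type": "ecdsa", "key_bits": 384, "sig_hash": "sha1"},
]

if __name__ == "__main__":
    for v in check_trustchain(SAMPLE_CHAIN, "rsa-2048-ecdsa-256-sha256-sha384-sha512"):
        print("violation:", v)
```

Against the constructed chain, plain pubkey accepts everything, rsa-2048 rejects only the 1024-bit intermediate key, and the full 5.0.0-style value additionally rejects the intermediate's SHA-1 signature.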

4.5.0

31.10.2010

Major Release

100%

3 issues   (3 closed — 0 open)

Version 4.5.0

  • IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
    from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
    IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
    come for IKEv1 to go into retirement and to cede its place to the much more
    robust, powerful and versatile IKEv2 protocol!
    If you still like to use the old IKEv1 protocol then you must explicitly
    define keyexchange=ikev1.
  • Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
    and Galois/Counter Modes based on existing CBC implementations. These
    new plugins bring support for AES and Camellia Counter and CCM algorithms
    and the AES GCM algorithms for use in IKEv2. A list of all supported
    algorithms can be found here.
  • The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
    the ipsec pki utility using one or more PKCS#11 libraries. It currently supports
    RSA private and public key operations and loads X.509 certificates from
    tokens.
  • Implemented a general purpose TLS stack based on crypto and credential
    primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
    ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
    client authentication.
  • The RADIUS plugin eap-radius now supports multiple RADIUS servers for
    redundant setups. Servers are selected by a defined priority, server load and
    availability.
  • Applets for Maemo 5 (Nokia) allow easy configuration and control of IKEv2
    based VPN connections with EAP authentication on supported devices.
  • The simple led plugin controls hardware LEDs through the Linux LED subsystem.
    It currently shows activity of the IKE daemon and is a good example how to
    implement a simple event listener.
  • The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
    daemon charon. As a result of this, pluto now supports xfrm marks which
    were introduced in charon with 4.4.1.
  • Improved MOBIKE behavior in several corner cases, for instance, if the
    initial responder moves to a different address.
  • Fixed left-/rightnexthop option, which was broken since 4.4.0.
  • Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
    identity was different from the IKE identity.
  • Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
    case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
    UNITY_BANNER).
  • Fixed the interoperability of the socket_raw and socket_default
    charon plugins.

4.4.1

01.08.2010

Minor Release

100%

3 issues   (3 closed — 0 open)

Version 4.4.1

  • The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used
    in a user-specific updown script to set marks on inbound ESP or
    ESP_IN_UDP packets.
  • The openssl plugin now supports X.509 certificate and CRL functions. The use of the Online
    Certificate Status Protocol (OCSP) still requires the x509 plugin, though.
    X.509 attribute certificate handling relies on the x509 plugin as well.
  • OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
    by default. Please update manual load directives in strongswan.conf.
  • RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
    plugin, disabled by default. Enable it and update manual load directives
    in strongswan.conf, if required.
  • Issue a warning if explicit load lists are used. Since the number of pluto
    and charon plugins is increasing steadily with each release and explicit load
    lists might become obsolete, a warning is now issued by ipsec starter if explicit
    load lists are found in strongswan.conf, since we don't recommend their use for
    inexperienced users. Experts read on here.
  • The pki utility supports CRL generation using the --signcrl command.
  • The ipsec pki --self, --issue and --req commands now support output in
    PEM format using the --outform pem option.
  • The major refactoring of the IKEv1 Mode Config functionality now allows
    the transport and handling of arbitrary Mode Config attributes.
  • The RADIUS proxy plugin eap-radius now supports multiple servers. Configured
    servers are chosen randomly, with the option to prefer a specific server.
    Non-responding servers are degraded by the selection process.
  • The ipsec pool tool manages arbitrary configuration attributes stored
    in an SQL database. ipsec pool --help gives the details.
  • The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA,
    reading triplets/quintuplets from an SQL database.
  • The High Availability plugin now supports an HA-enabled in-memory address
    pool and node reintegration without IKE_SA rekeying. The latter allows
    clients without IKE_SA rekeying support to stay connected during
    reintegration. Additionally, many other issues have been fixed in the ha
    plugin.
  • Fixed a potential remote code execution vulnerability resulting from
    the misuse of snprintf(). The vulnerability was introduced with the
    strongswan-4.3.3 release and is exploitable by unauthenticated users.
    Patches for all releases starting with 4.3.3 are available.

4.4.0

03.05.2010

Major Release

100%

4 issues   (4 closed — 0 open)

Version 4.4.0

  • The IKEv2 High Availability plugin has been integrated. It provides
    load sharing and failover capabilities in a cluster of currently two nodes,
    based on an extended ClusterIP kernel module (for details see HighAvailability).
    The development of the High Availability functionality was sponsored by
    secunet Security Networks AG.
  • Added IKEv1 and IKEv2 configuration support for the AES-GMAC
    authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux
    2.6.34 kernel is required to make AES-GMAC available via the XFRM
    kernel interface.
  • Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp, gcrypt
    and openssl plugins, usable by both pluto and charon. The new proposal
    keywords are modp1024s160, modp2048s224 and modp2048s256.
    Thanks to Joy Latten from IBM for her contribution.
  • The IKEv1 pluto daemon supports RAM-based virtual IP pools using
    the rightsourceip directive with a subnet from which addresses
    are allocated.
  • The ipsec pki --gen and --pub commands now allow the output of
    private and public keys in PEM format using the --outform pem
    command line option.
  • The new DHCP plugin queries virtual IP addresses for clients from a DHCP
    server using broadcasts, or a defined server using the
    charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server information
    is additionally served to clients if the DHCP server provides such
    information. The plugin is used in ipsec.conf configurations having
    rightsourceip set to %dhcp.
  • A new plugin called farp fakes ARP responses for virtual IP addresses
    handed out to clients from the IKEv2 daemon charon. The plugin lets a
    road-warrior act as a client on the local LAN if it uses a virtual IP
    from the responders subnet, e.g. acquired using the DHCP plugin.
  • The existing IKEv2 socket implementations have been migrated to the
    socket-default and the socket-raw plugins. The new socket-dynamic plugin
    binds sockets dynamically to ports configured via the left-/rightikeport
    ipsec.conf connection parameters.
  • The Android charon plugin stores received DNS server information as "net.dns"
    system properties, as used by the Android platform.

4.3.6

01.02.2010

Minor Release

100%

2 issues   (2 closed — 0 open)

Version 4.3.6

  • The IKEv2 daemon supports RFC 3779 IP address block constraints
    carried as a critical X.509v3 extension in the peer certificate.
  • The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
    server entries that are sent via the IKEv1 Mode Config or IKEv2
    Configuration Payload to remote clients.
  • The Camellia cipher can be used as an IKEv1 encryption algorithm.
  • The IKEv1 and IKEv2 daemons now check certificate path length constraints.
  • The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
    was sent or received within the given interval. To close the complete IKE_SA
    if its only CHILD_SA was inactive, set the global strongswan.conf option
    "charon.inactivity_close_ike" to yes.
  • More detailed IKEv2 EAP payload information in debug output.
  • IKEv2 EAP-SIM and EAP-AKA share the joint libsimaka library.
  • Added required userland changes for proper SHA256 and SHA384/512 in ESP that
    will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
    configures the kernel with 128 bit truncation, not the non-standard 96
    bit truncation used by previous releases. To use the old 96 bit truncation
    scheme, the new "sha256_96" proposal keyword has been introduced.
  • Fixed IPComp in tunnel mode (IKEv2 only), stripping out the duplicated outer header. This
    change makes IPComp tunnel mode connections incompatible with previous
    releases; disable compression on such tunnels.
  • Fixed BEET mode connections on recent kernels by installing SAs with
    appropriate traffic selectors, based on a patch by Michael Rossberg.
  • Using extensions (such as BEET mode) and crypto algorithms (such as twofish,
    serpent, sha256_96) allocated in the private use space now requires that we
    know their meaning, i.e. that we are talking to strongSwan. Use the new
    "charon.send_vendor_id" option in strongswan.conf to let the remote peer know
    this is the case.

    The same strongSwan Vendor ID hash is now also used by the IKEv1
    pluto daemon.

  • Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
    responder omits public key authentication in favor of a mutual authentication
    method. To enable EAP-only authentication, set rightauth=eap on the responder
    to rely only on the MSK constructed AUTH payload. This not-yet standardized
    extension requires the strongSwan vendor ID introduced above.
  • The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
    allowing interoperability.

4.3.5

29.10.2009

Minor Release

100%

4 issues   (4 closed — 0 open)

Version 4.3.5

  • The IKEv1 pluto daemon can now use SQL-based address pools to deal out
    virtual IP addresses as a Mode Config server. The pool capability has been
    migrated from charon's sql plugin to a new attr-sql plugin which is loaded
    by libstrongswan and which can be used by both daemons either with a SQLite
    or MySQL database and the corresponding plugin.
  • In addition to time based rekeying, charon supports IPsec SA lifetimes based
    on processed volume or number of packets. The new ipsec.conf parameters
    'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
    SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
    'marginbytes' and 'marginpackets' trigger the rekeying before an SA expires.
    The existing parameter 'rekeyfuzz' affects all margins.
  • The new 'ipsec pki' tool provides a set of commands to maintain a public
    key infrastructure. It currently supports operations to create RSA and ECDSA
    private/public keys, calculate fingerprints and issue or verify certificates.
  • The EAP-AKA plugin can use different backends for USIM/quintuplet
    calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software
    implementation has been migrated to a separate plugin.
  • The IKEv2 daemon charon gained basic PGP support. It can use locally installed
    peer certificates and can issue signatures based on RSA private keys.
  • If no CA/Gateway certificate is specified in the NetworkManager plugin,
    charon uses a set of trusted root certificates preinstalled by distributions.
    The directory containing CA certificates can be specified using the
    --with-nm-ca-dir=path configure option.

IKEv1 fixes

  • Fixed smartcard-based authentication in the pluto daemon which was broken by
    the ECDSA support introduced with the 4.3.2 release.
  • Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
  • A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa
    tunnels established with the IKEv1 pluto daemon.
  • The pluto daemon now uses the libstrongswan x509 plugin for certificates and
    CRLs and the struct id type was replaced by identification_t used by charon
    and the libstrongswan library.

IKEv2 fixes

  • Fixed the encoding of the Email relative distinguished name in left|rightid
    statements.
  • Charon uses a monotonic time source for statistics and job queueing, behaving
    correctly if the system time changes (e.g. when using NTP).
  • Plugin names have been streamlined: EAP plugins now have a dash after eap
    (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.
    Plugin configuration sections in strongswan.conf now use the same name as the
    plugin itself (i.e. with a dash). Make sure to update "load" directives and
    the affected plugin sections in existing strongswan.conf files.
  • The private/public key parsing and encoding has been split up into
    separate pkcs1, pgp, pem and dnskey plugins. The public key implementation
    plugins gmp, gcrypt and openssl can all make use of them.

4.3.4

18.08.2009

100%

1 issue   (1 closed — 0 open)

Version 4.3.4

  • The IKEv2 charon daemon was ported to FreeBSD and Mac OS X. Installation details can
    be found on wiki.strongswan.org.
  • ipsec statusall shows the number of bytes transmitted and received over
    ESP connections configured by the IKEv2 charon daemon.
  • The IKEv2 charon daemon supports include files in ipsec.secrets.

4.3.3

19.07.2009

100%

2 issues   (2 closed — 0 open)

Version 4.3.3

  • The configuration option --enable-integrity-test plus the strongswan.conf
    option libstrongswan.integrity_test = yes activate integrity tests
    of the IKE daemons charon and pluto, libstrongswan and all loaded
    plugins. Thus dynamic library misconfigurations and non-malicious file
    manipulations can be reliably detected.
  • The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
    IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20.
  • The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP
    authenticated encryption algorithms.
  • The IKEv1 pluto daemon now supports V4 OpenPGP keys.
  • The RDN parser vulnerability discovered by Orange Labs research team
    was not completely fixed in version 4.3.2. Some more modifications
    had to be applied to the asn1_length() function to make it robust.

4.3.2

18.06.2009

100%

3 issues   (3 closed — 0 open)

Version 4.3.2

  • The new gcrypt plugin provides symmetric cipher, hasher, RNG, Diffie-Hellman
    and RSA crypto primitives using the LGPL licensed GNU gcrypt library.
  • libstrongswan features an integrated crypto selftest framework for registered
    algorithms. The test-vector plugin provides a first set of test vectors and
    allows pluto and charon to rely on tested crypto algorithms.
  • pluto can now use all libstrongswan plugins with the exception of x509 and xcbc.
    Thanks to the openssl plugin, the ECP Diffie-Hellman groups 19, 20, 21, 25, and
    26 as well as ECDSA-256, ECDSA-384, and ECDSA-521 authentication can be used
    with IKEv1.
  • Applying their fuzzing tool, the Orange Labs vulnerability research team found
    another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
    Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
    and GENERALIZEDTIME strings to a time_t value.

4.3.1

22.05.2009

100%

2 issues   (2 closed — 0 open)

Version 4.3.1

  • The nm plugin now passes DNS/NBNS server information to NetworkManager,
    allowing a gateway administrator to set DNS/NBNS configuration on clients
    dynamically.
  • The nm plugin also accepts CA certificates for gateway authentication. If
    a CA certificate is configured, strongSwan uses the entered gateway address
    as its identity, requiring the gateway's certificate to contain the same as
    subjectAltName. This allows a gateway administrator to deploy the same
    certificates to Windows 7 and NetworkManager clients.
  • The command ipsec purgeike deletes IKEv2 SAs that don't have a CHILD SA.
    The command ipsec down <conn>{n} deletes CHILD SA instance n of connection
    <conn> whereas ipsec down <conn>{*} deletes all CHILD SA instances.
    The command ipsec down <conn>[n] deletes IKE SA instance n of connection
    <conn> plus dependent CHILD SAs whereas ipsec down <conn>[*] deletes all
    IKE SA instances of connection <conn>.
  • Fixed a regression introduced in 4.3.0 where EAP authentication calculated
    the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 MSK key derivation
    has been updated to be compatible with the Windows 7 Release Candidate.
  • Refactored installation of triggering policies. Routed policies are handled
    outside of IKE_SAs to keep them installed in any case. A tunnel gets
    established only once, even if initiation is delayed due to network outages.
  • Improved the handling of multiple acquire signals triggered by the kernel.
  • Fixed two DoS vulnerabilities in the charon daemon that were discovered by
    fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request left an
    incomplete state which caused a null pointer dereference if a subsequent
    CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
    a missing TSi or TSr payload caused a null pointer dereference because the
    checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
    developed by the Orange Labs vulnerability research team. The tool was
    initially written by Gabriel Campana and is now maintained by Laurent Butti.
  • Added support for AES counter mode in ESP in IKEv2 using the proposal
    keywords aes128ctr, aes192ctr and aes256ctr.
  • Further progress in refactoring pluto: Use of the curl and ldap plugins
    for fetching CRLs and OCSP. Use of the random plugin to get keying material
    from /dev/random or /dev/urandom. Use of the openssl plugin as an alternative
    to the aes, des, sha1, sha2, and md5 plugins. The blowfish, twofish, and
    serpent encryption plugins are now optional and are not enabled by default.

4.3.0

22.04.2009

100%

1 issue   (1 closed — 0 open)

Version 4.3.0

  • Support for the IKEv2 Multiple Authentication Exchanges extension (RFC4739).
    Initiators and responders can use several authentication rounds (e.g. RSA
    followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
    leftauth2/rightauth2 parameters define own authentication rounds or setup
    constraints for the remote peer. See the ipsec.conf man page for more details.
  • If glibc printf hooks (register_printf_function) are not available,
    strongSwan can use the vstr string library to run on non-glibc systems.
  • The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC cipher
    (esp=camellia128|192|256).
  • Refactored the pluto and scepclient code to use basic functions (memory
    allocation, leak detective, chunk handling, printf_hooks, strongswan.conf
    attributes, ASN.1 parser, etc.) from the libstrongswan library.
  • Up to two DNS and WINS servers to be sent via IKEv1 ModeConfig can be
    configured in the pluto section of strongswan.conf.

4.2.14

30.03.2009

No issues for this version

Version 4.2.14

  • The new server-side EAP RADIUS plugin (--enable-eap-radius)
    relays EAP messages to and from a RADIUS server. Successfully
    tested with a FreeRADIUS server using EAP-MD5 and EAP-SIM.
  • A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
    Gerd v. Egidy <gerd.von.egidy AT intra2net DOT com> of Intra2net AG affecting
    all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
    R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
    pluto IKE daemon to crash and restart. No authentication or encryption
    is required to trigger this bug. One spoofed UDP packet can cause the
    pluto IKE daemon to restart and be unresponsive for a few seconds while
    restarting. This DPD null state vulnerability has been officially
    registered as CVE-2009-0790 and is fixed by this release.
  • ASN.1 to time_t conversion caused a time wrap-around for
    dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
    As a workaround such dates are set to the maximum representable
    time, i.e. Jan 19 03:14:07 UTC 2038.
  • Distinguished Names containing wildcards (*) are not sent in the
    IDr payload anymore.
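The two ASN.1 time entries above (the 4.3.2 DoS in the conversion of UTCTIME and GENERALIZEDTIME strings to time_t, and the 4.2.14 wrap-around of dates past 2038 on 32-bit platforms) describe the same code path. What follows is an added example, not strongSwan's asn1 code: a converter for DER UTCTime and GeneralizedTime content octets that checks the length and every field before touching the bytes, and a clamp that mirrors the 4.2.14 workaround by capping values a 32-bit time_t cannot hold at Jan 19 03:14:07 UTC 2038. The function names, the ASN1_TIME_INVALID sentinel, the explicit time_t width parameter and the sample strings are this example's own; the day-of-month check is simplified to 1..31.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sentinel for malformed input (example's own). INT64_MIN is used rather
   than -1 because UTCTime reaches back to 1950, so negative epoch values
   are legitimate results. */
#define ASN1_TIME_INVALID INT64_MIN

/* Parse exactly n ASCII digits from s into *out; false on any non-digit.
   The caller guarantees that n bytes are readable. */
static bool parse_digits(const char *s, size_t n, int *out)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return false;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return true;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
   days_from_civil), returned in 64 bits so the arithmetic itself never wraps. */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int era = (y >= 0 ? y : y - 399) / 400;
    int yoe = y - era * 400;
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return (int64_t)era * 146097 + doe - 719468;
}

/*
 * Convert the content octets of a DER UTCTime ("YYMMDDHHMMSSZ", 13 bytes) or
 * GeneralizedTime ("YYYYMMDDHHMMSSZ", 15 bytes) to seconds since the epoch.
 * Input is (s, len); no NUL terminator is assumed. The length and the 'Z'
 * terminator are checked first, every field must be numeric and in range, so
 * a truncated, non-numeric or out-of-range string is rejected instead of being
 * read past its end or turned into a nonsensical date. Fractional seconds and
 * explicit UTC offsets (forbidden by DER) fail the length/terminator check.
 */
static bool asn1_time_to_epoch(const char *s, size_t len, bool generalized,
                               int64_t *out)
{
    size_t yd = generalized ? 4 : 2;   /* number of year digits */
    int year, mon, day, hour, min, sec;

    if (s == NULL || len != yd + 11 || s[len - 1] != 'Z')
        return false;
    if (!parse_digits(s, yd, &year) ||
        !parse_digits(s + yd, 2, &mon) ||
        !parse_digits(s + yd + 2, 2, &day) ||
        !parse_digits(s + yd + 4, 2, &hour) ||
        !parse_digits(s + yd + 6, 2, &min) ||
        !parse_digits(s + yd + 8, 2, &sec))
        return false;
    if (!generalized)
        year += (year >= 50) ? 1900 : 2000;   /* RFC 5280 two-digit year rule */
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 59)
        return false;                         /* simplified: no per-month day count */
    *out = days_from_civil(year, mon, day) * 86400
         + hour * 3600 + min * 60 + sec;
    return true;
}

/* Clamp a 64-bit epoch value to the largest value a signed time_t of the given
   bit width can hold. With bits = 32 this is the 4.2.14 workaround: anything
   after 2038-01-19 03:14:07 UTC becomes 2147483647 instead of wrapping into
   a negative (1901) date. */
static int64_t clamp_to_time_t_bits(int64_t v, unsigned bits)
{
    int64_t max = (bits >= 64) ? INT64_MAX : (((int64_t)1 << (bits - 1)) - 1);
    return v > max ? max : v;
}

/* Convenience wrapper for NUL-terminated strings: the parsed value clamped to
   a time_t of time_t_bits width, or ASN1_TIME_INVALID on malformed input. */
static int64_t asn1_time_or_invalid(const char *s, bool generalized,
                                    unsigned time_t_bits)
{
    int64_t v;
    if (!asn1_time_to_epoch(s, strlen(s), generalized, &v))
        return ASN1_TIME_INVALID;
    return clamp_to_time_t_bits(v, time_t_bits);
}

int main(void)
{
    /* Constructed sample strings, not taken from any real certificate. */
    printf("090818120000Z   -> %lld\n",
           (long long)asn1_time_or_invalid("090818120000Z", false, 64));
    printf("20380119031408Z -> %lld (64-bit) / %lld (32-bit clamp)\n",
           (long long)asn1_time_or_invalid("20380119031408Z", true, 64),
           (long long)asn1_time_or_invalid("20380119031408Z", true, 32));
    printf("0908181200Z     -> %s\n",
           asn1_time_or_invalid("0908181200Z", false, 64) == ASN1_TIME_INVALID
               ? "rejected" : "accepted");
    return 0;
}
```

The length check before any field parse is the part that matters for the 4.3.2 class of bug: a parser that walks fixed offsets into a string whose length came from an attacker-controlled ASN.1 length field must refuse short input up front rather than discover the problem while reading.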

4.2.13

22.03.2009

No issues for this version

Version 4.2.13

  • Fixed a use-after-free bug in the DPD timeout section of the
    IKEv1 pluto daemon which sporadically caused a segfault.
  • Fixed a crash in the IKEv2 charon daemon occurring with
    mixed RAM-based and SQL-based virtual IP address pools.
  • Fixed ASN.1 parsing of algorithmIdentifier objects where the
    parameters field is optional.
  • Ported nm plugin to NetworkManager 7.1.

4.2.12

21.02.2009

100%

1 issue   (1 closed — 0 open)

Version 4.2.12

  • Support of the EAP-MSCHAPv2 protocol enabled by the option
    --enable-eap-mschapv2. Requires the MD4 hash algorithm enabled
    either by --enable-md4 or --enable-openssl.
  • Assignment of up to two DNS and up to two WINS servers to peers via
    the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver
    addresses are defined in strongswan.conf.
  • The strongSwan applet for the Gnome NetworkManager is now built and
    distributed as a separate tarball under the name NetworkManager-strongswan.

4.2.11

21.01.2009

No issues for this version

Version 4.2.11

  • Fixed ESP NULL encryption broken by the refactoring of keymat.c.
    Also introduced proper initialization and disposal of keying material.
  • Fixed the missing listing of connection definitions in ipsec statusall
    broken by an unfortunate local variable overload.

4.2.10

26.12.2008

100%

1 issue   (1 closed — 0 open)

Version 4.2.10

  • Several performance improvements to handle thousands of tunnels with almost
    linear upscaling. All relevant data structures have been replaced by faster
    counterparts with better lookup times.
  • Better parallelization to run charon on multiple cores. Due to improved
    resource locking and other optimizations the daemon can take full
    advantage of 16 or even more cores.
  • The load-tester plugin can use a NULL Diffie-Hellman group and simulate
    unique identities and certificates by signing peer certificates using a CA
    on the fly.
  • The redesigned stroke in-memory IP pool handles leases. The "ipsec leases"
    command queries assigned leases.
  • Added support for smartcards in charon by using the ENGINE API provided by
    OpenSSL, based on patches by Michael Roßberg.
  • The Padlock plugin supports the hardware RNG found on VIA CPUs to provide a
    reliable source of randomness.

4.2.9

18.11.2008

100%

2 issues   (2 closed — 0 open)

Version 4.2.9

  • Flexible configuration of logging subsystem allowing to log to multiple
    syslog facilities or to files using fine-grained log levels for each target.
  • Load testing plugin to do stress testing of the IKEv2 daemon against self
    or another host. Found and fixed issues during tests in the multi-threaded
    use of the OpenSSL plugin.
  • Added profiling code to synchronization primitives to find bottlenecks if
    running on multiple cores. Found and fixed an issue where parts of the
    Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
    parallelization to multiple cores.
  • updown script invocation has been separated into a plugin of its own to
    further slim down the daemon core.
  • Separated IKE_SA/CHILD_SA key derivation process into a closed system,
    allowing future implementations to use a secured environment in e.g. kernel
    memory or hardware.
  • The kernel interface of charon has been modularized. XFRM NETLINK (default)
    and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
    stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
    IPsec stack (--enable-kernel-klips) are provided.
  • Basic Mobile IPv6 support has been introduced, securing Binding Update
    messages as well as tunneled traffic between Mobile Node and Home Agent.
    The installpolicy=no option allows peaceful cooperation with a dominant
    mip6d daemon and the new type=transport_proxy implements the special MIPv6
    IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
    but the IPsec SA is set up for the Home Address.
  • Implemented migration of Mobile IPv6 connections using the KMADDRESS
    field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
    via the Linux 2.6.28 (or appropriately patched) kernel.

4.2.8

14.10.2008

100%

4 issues   (4 closed — 0 open)

Version 4.2.8

  • IKEv2 charon daemon supports authentication based on raw public keys
    stored in the SQL database backend. The ipsec listpubkeys command
    lists the available raw public keys via the stroke interface.
  • Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
    handle events if kernel detects NAT mapping changes in UDP-encapsulated
    ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as
    long as possible and other fixes.
  • Fixed a bug in addr_in_subnet() which caused insertion of wrong source
    routes for destination subnets having netmasks that are not a multiple of 8 bits.
    Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
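The addr_in_subnet() entry above is the classic prefix-length pitfall: a comparison that only looks at whole bytes is correct for /8, /16 and /24 and silently wrong for everything in between. The following is an added example, not strongSwan's addr_in_subnet() (whose exact defect the entry does not spell out): a constructed byte-wise variant that shows the failure mode next to a correct check that masks the partial byte, run over constructed IPv4 and IPv6 sample addresses. Function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses in wire (big-endian) byte order. */
static const uint8_t NET_10_1_16_0[4]  = {10, 1, 16, 0};  /* 10.1.16.0/20 */
static const uint8_t HOST_10_1_31_5[4] = {10, 1, 31, 5};  /* inside 10.1.16.0/20 */
static const uint8_t HOST_10_1_32_5[4] = {10, 1, 32, 5};  /* outside /20, same /16 */
static const uint8_t NET6_2001_DB8_8000[16] =             /* 2001:db8:8000::/33 */
    {0x20, 0x01, 0x0d, 0xb8, 0x80, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t HOST6_2001_DB8_C000_1[16] =          /* inside the /33 */
    {0x20, 0x01, 0x0d, 0xb8, 0xc0, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
static const uint8_t HOST6_2001_DB8_4000_1[16] =          /* outside the /33 */
    {0x20, 0x01, 0x0d, 0xb8, 0x40, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};

/*
 * Constructed illustration of the failure mode (not strongSwan's code): only
 * the whole bytes covered by the prefix are compared, so the trailing prefix
 * bits are ignored and a /20 behaves like a /16.
 */
static bool addr_in_subnet_bytewise(const uint8_t *addr, const uint8_t *net,
                                    size_t len, unsigned prefix)
{
    if (prefix > len * 8)
        return false;
    return memcmp(addr, net, prefix / 8) == 0;
}

/*
 * Correct check for any address family: compare the whole bytes, then mask
 * the partial byte so that only the remaining prefix bits take part.
 * len is the address length in bytes (4 for IPv4, 16 for IPv6).
 */
static bool addr_in_subnet(const uint8_t *addr, const uint8_t *net,
                           size_t len, unsigned prefix)
{
    size_t full = prefix / 8;   /* bytes fully covered by the prefix */
    unsigned rem = prefix % 8;  /* prefix bits left over in the next byte */
    uint8_t mask;

    if (prefix > len * 8)
        return false;           /* prefix longer than the address: reject */
    if (memcmp(addr, net, full) != 0)
        return false;
    if (rem == 0)
        return true;            /* byte-aligned prefix, nothing left to check */
    /* rem = 4 gives 0xF0: keep only the 4 high bits of the partial byte */
    mask = (uint8_t)(0xFFu << (8 - rem));
    return (addr[full] & mask) == (net[full] & mask);
}

int main(void)
{
    printf("10.1.32.5 in 10.1.16.0/20: bytewise=%d correct=%d\n",
           addr_in_subnet_bytewise(HOST_10_1_32_5, NET_10_1_16_0, 4, 20),
           addr_in_subnet(HOST_10_1_32_5, NET_10_1_16_0, 4, 20));
    printf("2001:db8:c000::1 in 2001:db8:8000::/33: %d\n",
           addr_in_subnet(HOST6_2001_DB8_C000_1, NET6_2001_DB8_8000, 16, 33));
    return 0;
}
```

In a routing context the consequence of the byte-wise variant is exactly what the entry describes: a destination that falls outside the configured /20 still matches, so a source route is installed for traffic that the policy never covered.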

4.2.7

18.09.2008

No issues for this version

Version 4.2.7

  • Fixed a Denial-of-Service vulnerability where an IKE_SA_INIT message with
    a KE payload containing zeroes only can cause a crash of the IKEv2 charon
    daemon due to a NULL pointer returned by the mpz_export() function of the
    GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
    for making us aware of this problem.
  • The new agent plugin provides a private key implementation on top of an
    ssh-agent.
  • The NetworkManager plugin has been extended to support certificate client
    authentication using RSA keys loaded from a file or using ssh-agent.
  • Daemon capability dropping has been ported to libcap and must be enabled
    explicitly with --with-capabilities=libcap. Future versions will support the
    newer libcap2 library.
  • ipsec listalgs lists the IKEv2 cryptographic algorithms registered with the
    charon keying daemon.

4.2.6

27.08.2008

100%

4 issues   (4 closed — 0 open)

Version 4.2.6

  • A NetworkManager plugin allows GUI-based configuration of road-warrior
    clients in a simple way. It features X.509-based gateway authentication
    and EAP client authentication, tunnel setup/teardown and storing passwords
    in the Gnome Keyring.
  • A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt and allows
    username/password authentication against any PAM service on the gateway.
    The new EAP method interacts nicely with the NetworkManager plugin and allows
    client authentication against e.g. LDAP.
  • Improved support for the EAP-Identity method. The new ipsec.conf eap_identity
    parameter defines an additional identity to pass to the server in EAP
    authentication.
  • The "ipsec statusall" command now lists CA restrictions, EAP
    authentication types and EAP identities.
  • Fixed two multithreading deadlocks occurring when starting up
    several hundred tunnels concurrently.
  • Fixed the --enable-integrity-test configure option which
    computes a SHA-1 checksum over the libstrongswan library.

4.2.5

25.07.2008

100%

2 issues   (2 closed — 0 open)

Version 4.2.5

  • Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
  • Improved the performance of the SQL-based virtual IP address pool
    by introducing an additional addresses table. The leases table
    storing only history information has become optional and can be
    disabled by setting charon.plugins.sql.lease_history = no in
    strongswan.conf.
  • The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
    and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
  • Management of different virtual IP pools for different
    network interfaces has become possible.
  • Fixed a bug which prevented the assignment of more than 256
    virtual IP addresses from a pool managed by an SQL database.
  • Fixed a bug which did not delete own IPCOMP SAs in the kernel.

4.2.4

27.06.2008

100%

3 issues   (3 closed — 0 open)

Version 4.2.4

  • Added statistics functions to ipsec pool --status and ipsec pool --leases
    and input validation checks to various ipsec pool commands.
  • ipsec statusall now lists all loaded charon plugins and displays
    the negotiated IKEv2 cipher suite proposals.
  • The openssl plugin supports the elliptic curve Diffie-Hellman groups
    19, 20, 21, 25, and 26.
  • The openssl plugin supports ECDSA authentication using elliptic curve
    X.509 certificates.
  • Fixed a bug in stroke which caused multiple charon threads to close
    the file descriptors during packet transfers over the stroke socket.
  • ESP sequence numbers are now migrated in IPsec SA updates handled by
    MOBIKE. Works only with Linux kernels >= 2.6.17.

4.2.3

25.05.2008

100%

1 issue   (1 closed — 0 open)

Version 4.2.3

  • Fixed the strongswan.conf path configuration problem that occurred when
    --sysconfig was not set explicitly in ./configure.
  • Fixed a number of minor bugs that were discovered during the 4th
    IKEv2 interoperability workshop in San Antonio, TX.

4.2.2

21.05.2008

100%

1 issue   (1 closed — 0 open)

Version 4.2.2

  • Plugins for libstrongswan and charon can optionally be loaded according
    to a configuration in strongswan.conf. Most components provide a
    "load = " option followed by a space separated list of plugins to load.
    This allows e.g. the fallback from a hardware crypto accelerator to
    software-based crypto plugins.
  • Charon's SQL plugin has been extended by a virtual IP address pool.
    Configurations with a rightsourceip=%poolname setting query a SQLite or
    MySQL database for leases. The "ipsec pool" command helps in administrating
    the pool database. See ipsec pool --help for the available options.
  • The Authenticated Encryption Algorithms AES-CCM-8/12/16 and AES-GCM-8/12/16
    for ESP are now supported starting with the Linux 2.6.25 kernel. The
    syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.

4.2.1

19.04.2008

100%

8 issues   (8 closed — 0 open)

Version 4.2.1

  • Support for "Hash and URL" encoded certificate payloads has been implemented
    in the IKEv2 daemon charon. Using the "certuribase" option of a CA section
    allows to assign a base URL to all certificates issued by the specified CA.
    The final URL is then built by concatenating that base and the hex encoded
    SHA1 hash of the DER encoded certificate. Note that this feature is disabled
    by default and must be enabled using the option "charon.hash_and_url".
  • The IKEv2 daemon charon now supports the "uniqueids" option to close multiple
    IKE_SAs with the same peer. The option value "keep" prefers existing
    connection setups over new ones, where the value "replace" replaces existing
    connections.
  • The crypto factory in libstrongswan additionally supports random number
    generators, plugins may provide other sources of randomness. The default
    plugin reads raw random data from /dev/(u)random.
  • Extended the credential framework by a caching option to allow plugins
    persistent caching of fetched credentials. The "cachecrl" option has been
    re-implemented.
  • The new trustchain verification introduced in 4.2.0 has been parallelized.
    Threads fetching CRL or OCSP information no longer block other threads.
  • A new IKEv2 configuration attribute framework has been introduced allowing
    plugins to provide virtual IP addresses, and in the future, other
    configuration attribute services (e.g. DNS/WINS servers).
  • The stroke plugin has been extended to provide virtual IP addresses from
    a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts
    address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts
    the value "%poolname", where "poolname" identifies a pool provided by a
    separate plugin.
  • Fixed compilation on uClibc and a couple of other minor bugs.
  • Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
  • The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA
    with key lengths of 128, 192, and 256 bits, as well as the authentication
    algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.

4.2.0

03.04.2008

100%

18 issues   (18 closed — 0 open)

Version 4.2.0

  • libstrongswan has been modularized to attach crypto algorithms,
    credential implementations (keys, certificates) and fetchers dynamically
    through plugins. Existing code has been ported to plugins:
    • RSA/Diffie-Hellman implementation using the GNU Multi Precision library
    • X509 certificate system supporting CRLs, OCSP and attribute certificates
    • Multiple plugins providing crypto algorithms in software
    • CURL and OpenLDAP fetcher
  • libstrongswan gained a relational database API which uses pluggable database
    providers. Plugins for MySQL and SQLite are available.
  • The IKEv2 keying daemon charon is more extensible. Generic plugins may provide
    connection configuration, credentials and EAP methods or control the daemon.
    Existing code has been ported to plugins:
    • EAP-AKA, EAP-SIM, EAP-MD5 and EAP-Identity
    • stroke configuration, credential and control (compatible to pluto)
    • XML based management protocol to control and query the daemon

    The following new plugins are available:

    • An experimental SQL configuration, credential and logging plugin on
      top of either MySQL or SQLite
    • A unit testing plugin to run tests at daemon startup
  • The authentication and credential framework in charon has been heavily
    refactored to support modular credential providers, proper
    CERTREQ/CERT payload exchanges and extensible authorization rules.
  • The framework of strongSwan Manager has evolved into the web application
    framework libfast (FastCGI Application Server w/ Templates) and is usable
    by other applications.

4.1.11

15.02.2008

No issues for this version

Version 4.1.11

  • IKE rekeying in NAT situations did not inherit the NAT conditions
    to the rekeyed IKE_SA so that the UDP encapsulation was lost with
    the next CHILD_SA rekeying.
  • Wrong type definition of the next_payload variable in id_payload.c
    caused an INVALID_SYNTAX error on PowerPC platforms.
  • Implemented IKEv2 EAP-SIM server and client test modules that use
    triplets stored in a file. For details on the configuration see
    the scenario 'ikev2/rw-eap-sim-rsa'.

4.1.10

20.12.2007

100%

2 issues   (2 closed — 0 open)

Version 4.1.10

  • Fixed error in the ordering of the certinfo_t records in the ocsp cache that
    caused multiple entries of the same serial number to be created.
  • Implementation of a simple EAP-MD5 module which provides CHAP
    authentication. This may be interesting in conjunction with certificate
    based server authentication, as weak passwords can't be brute forced
    (in contrast to traditional IKEv2 PSK).
  • A complete software based implementation of EAP-AKA, using algorithms
    specified in 3GPP2 (S.S0055). This implementation does not use a USIM,
    but reads the secrets from ipsec.secrets. Make sure to read eap_aka.h
    before using it.
  • Support for vendor specific EAP methods using Expanded EAP types. The
    interface to EAP modules has been slightly changed, so make sure to
    check the changes if you're already rolling your own modules.

4.1.9

04.12.2007

100%

3 issues   (3 closed — 0 open)

Version 4.1.9

  • The default _updown script now dynamically inserts and removes ip6tables
    firewall rules if leftfirewall=yes is set in IPv6 connections. New IPv6
    net-net and roadwarrior (PSK/RSA) scenarios for both IKEv1 and IKEv2 were
    added.
  • Implemented RFC4478 repeated authentication to force EAP/Virtual-IP clients
    to reestablish an IKE_SA within a given timeframe.
  • strongSwan Manager supports configuration listing, initiation and termination
    of IKE and CHILD_SAs.
  • Fixes and improvements to multithreading code.
  • IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
    Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
    loaded twice.

4.1.8

17.10.2007

100%

1 issue   (1 closed — 0 open)

Version 4.1.8

  • Removed recursive pthread mutexes since uClibc doesn't support them.

4.1.7

02.10.2007

100%

3 issues   (3 closed — 0 open)

Version 4.1.7

  • In NAT traversal situations and multiple queued Quick Modes,
    those pending connections inserted by auto=start after the
    port floating from 500 to 4500 were erroneously deleted.
  • Added a "forceencaps" connection parameter to enforce UDP encapsulation
    to surmount restrictive firewalls. NAT detection payloads are faked to
    simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
  • Preview of strongSwan Manager, a web based configuration and monitoring
    application. It uses a new XML control interface to query the IKEv2 daemon
    (see http://trac.strongswan.org/wiki/Manager).
  • Experimental SQLite configuration backend which will provide the configuration
    interface for strongSwan Manager in future releases.
  • Further improvements to MOBIKE support.

4.1.6

03.09.2007

No issues for this version

Version 4.1.6

  • Since some third party IKEv2 implementations run into
    problems with strongSwan announcing MOBIKE capability per
    default, MOBIKE can be disabled on a per-connection-basis
    using the mobike=no option. Whereas mobike=no disables the
    sending of the MOBIKE_SUPPORTED notification and the floating
    to UDP port 4500 with the IKE_AUTH request even if no NAT
    situation has been detected, strongSwan will still support
    MOBIKE acting as a responder.
  • The default ipsec routing table plus its corresponding priority
    used for inserting source routes has been changed from 100 to 220.
    It can be configured using the --with-ipsec-routing-table and
    --with-ipsec-routing-table-prio options.
  • The --enable-integrity-test configure option tests the
    integrity of the libstrongswan crypto code during the charon
    startup.
  • The --disable-xauth-vid configure option disables the sending
    of the XAUTH vendor ID. This can be used as a workaround when
    interoperating with some Windows VPN clients that get into
    trouble upon reception of an XAUTH VID without eXtended
    AUTHentication having been configured.
  • ipsec stroke now supports the rereadsecrets, rereadaacerts,
    rereadacerts, and listacerts options.

4.1.5

08.08.2007

100%

3 issues   (3 closed — 0 open)

Version 4.1.5

  • If a DNS lookup failure occurs when resolving right=%<FQDN>
    or right=<FQDN> combined with rightallowany=yes then the
    connection is not updated by ipsec starter, thus preventing
    the disruption of an active IPsec connection. Only if the DNS
    lookup successfully returns a changed IP address is the
    corresponding connection definition updated.
  • Routes installed by the keying daemons are now in a separate
    routing table with the ID 100 to avoid conflicts with the main
    table. Route lookup for IKEv2 traffic is done in userspace to ignore
    routes installed for IPsec, as IKE traffic shouldn't get encapsulated.

4.1.4

05.07.2007

100%

3 issues   (3 closed — 0 open)

Version 4.1.4

  • The pluto IKEv1 daemon now exhibits the same behaviour as its
    IKEv2 companion charon by inserting an explicit route via the
    _updown script only if a sourceip exists. This is admissible
    since routing through the IPsec tunnel is handled automatically
    by NETKEY's IPsec policies. As a consequence the left|rightnexthop
    parameter is not required any more.
  • The new IKEv1 parameter right|leftallowany helps to handle
    the case where both peers possess dynamic IP addresses that are
    usually resolved using DynDNS or a similar service.

    The configuration

    right=peer.foo.bar
    rightallowany=yes

    can be used by the initiator to start up a connection to a peer
    by resolving peer.foo.bar into the currently allocated IP address.
    Thanks to the rightallowany flag the connection behaves later on
    as

    right=%any

    so that the peer can rekey the connection as an initiator when his
    IP address changes. An alternative notation is

    right=%peer.foo.bar

    which will implicitly set rightallowany=yes.

  • ipsec starter now fails more gracefully in the presence of parsing
    errors. Flawed ca and conn sections are discarded and pluto is started
    if only non-fatal errors were encountered. If right=%peer.foo.bar
    cannot be resolved by DNS then right=%any will be used so that passive
    connections as a responder are still possible.
  • The new pkcs11initargs parameter that can be placed in the
    setup config section of /etc/ipsec.conf allows the definition
    of an argument string that is used with the PKCS#11 C_Initialize()
    function. This non-standard feature is required by the NSS softoken
    library. This patch was contributed by Robert Varga.
  • Fixed a bug in ipsec starter introduced by strongswan-2.8.5
    which caused a segmentation fault in the presence of unknown
    or misspelt keywords in ipsec.conf. This bug fix was contributed
    by Robert Varga.
  • Partial support for MOBIKE in IKEv2. The initiator acts on interface/
    address configuration changes and updates IKE and IPsec SAs dynamically.