Version 4.1.4 » History » Version 2
Tobias Brunner, 23.09.2019 15:45
Formatting fixes
h1. Version 4.1.4


* The pluto IKEv1 daemon now exhibits the same behaviour as its
IKEv2 companion charon by inserting an explicit route via the
_updown script only if a sourceip exists. This is admissible
since routing through the IPsec tunnel is handled automatically
by NETKEY's IPsec policies. As a consequence the left|rightnexthop
parameter is not required any more.

* The new IKEv1 parameter right|leftallowany helps to handle
the case where both peers possess dynamic IP addresses that are
usually resolved using DynDNS or a similar service.

The configuration
<pre>
right=peer.foo.bar
rightallowany=yes
</pre>
can be used by the initiator to start up a connection to a peer
by resolving @peer.foo.bar@ into the currently allocated IP address.
Thanks to the rightallowany flag the connection behaves later on
as
<pre>
right=%any
</pre>
so that the peer can rekey the connection as an initiator when its
IP address changes. An alternative notation is
<pre>
right=%peer.foo.bar
</pre>
which will implicitly set rightallowany=yes.

* ipsec starter now fails more gracefully in the presence of parsing
errors. Flawed ca and conn sections are discarded and pluto is started
if only non-fatal errors were encountered. If right=%peer.foo.bar
cannot be resolved by DNS then right=%any will be used so that passive
connections as a responder are still possible.

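The interplay of right=, rightallowany= and the DNS fallback described in the two entries above can be modelled in a few lines. The following Python is an added example and is not strongSwan's code: it assumes a minimal key=value parser for a conn section, a pluggable resolver (here a constructed lookup table standing in for DNS), and that a name that cannot be resolved without the allow-any flag discards the conn, as the starter entry says flawed sections are. It shows that the @%@ prefix implies rightallowany=yes, that the responder side then accepts the peer from any address (so it is the peer's IKE authentication, not its source address, that binds the connection), and that an unresolvable name degrades to %any rather than to no connection at all.

```python
"""Model of right=/rightallowany= semantics for a peer with a dynamic address.

Added illustration, not strongSwan's own code. It mimics the behaviour the
changelog describes so the effect of each setting can be checked offline.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class PeerAddress:
    configured: str            # value of right= exactly as written in ipsec.conf
    allow_any: bool            # effective rightallowany after applying the '%' rule
    initiate_to: Optional[str]  # address we would initiate to, None = responder only
    accept_from: str           # what the responder accepts: a fixed address or '%any'


# Constructed sample "DNS" data; nothing here is resolved on the network.
CONSTRUCTED_DNS: Dict[str, str] = {"peer.foo.bar": "192.0.2.10"}


def fake_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {host}")


def parse_conn(lines: Iterable[str]) -> Dict[str, str]:
    """Parse key=value lines of a conn section (hypothetical minimal parser)."""
    conf: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def resolve_peer(conf: Dict[str, str],
                 resolver: Callable[[str], str] = fake_resolver) -> PeerAddress:
    """Derive the effective peer address from right= and rightallowany=."""
    configured = conf.get("right", "%any")
    allow_any = conf.get("rightallowany", "no").lower() == "yes"
    name = configured

    # right=%peer.foo.bar is shorthand for right=peer.foo.bar plus rightallowany=yes
    if name.startswith("%") and name != "%any":
        name = name[1:]
        allow_any = True

    if name == "%any":
        # Pure responder: never initiates, accepts the peer from anywhere.
        return PeerAddress(configured, True, None, "%any")

    try:
        ip = resolver(name)
    except OSError:
        if allow_any:
            # Fallback from the changelog: unresolvable name -> behave as right=%any
            return PeerAddress(configured, True, None, "%any")
        # Assumption: without the flag there is no usable address, so the
        # conn is treated as flawed and discarded.
        raise ValueError(f"conn discarded: cannot resolve right={configured}")

    # Initiate to the resolved address; afterwards the responder side accepts
    # rekeys from any address only if the allow-any flag is in effect.
    return PeerAddress(configured, allow_any, ip, "%any" if allow_any else ip)


if __name__ == "__main__":
    for sample in (["right=peer.foo.bar", "rightallowany=yes"],
                   ["right=%peer.foo.bar"],
                   ["right=peer.foo.bar"],
                   ["right=%gone.example"]):
        print(sample, "->", resolve_peer(parse_conn(sample)))
```

Running the module prints one line per constructed conn; the last sample shows the fallback to %any for a name the table cannot resolve.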
* The new pkcs11initargs parameter that can be placed in the
setup config section of /etc/ipsec.conf allows the definition
of an argument string that is used with the PKCS#11 C_Initialize()
function. This non-standard feature is required by the NSS softoken
library. This patch was contributed by Robert Varga.

* Fixed a bug in ipsec starter introduced by strongswan-2.8.5
which caused a segmentation fault in the presence of unknown
or misspelt keywords in ipsec.conf. This bug fix was contributed
by Robert Varga.

* Partial support for MOBIKE in IKEv2. The initiator acts on interface/
address configuration changes and updates IKE and IPsec SAs dynamically.