Support for "Hash and URL" encoded certificate payloads has been implemented in the IKEv2 daemon charon. The "certuribase" option of a CA section assigns a base URL to all certificates issued by the specified CA. The final URL is then built by concatenating that base and the hex-encoded SHA1 hash of the DER-encoded certificate. Note that this feature is disabled by default and must be enabled using the option "charon.hash_and_url".
The IKEv2 daemon charon now supports the "uniqueids" option to close multiple IKE_SAs with the same peer. The option value "keep" prefers existing connection setups over new ones, whereas the value "replace" replaces existing connections.
The crypto factory in libstrongswan additionally supports random number generators; plugins may provide other sources of randomness. The default plugin reads raw random data from /dev/(u)random.
Extended the credential framework with a caching option that allows plugins to cache fetched credentials persistently. The "cachecrl" option has been re-implemented.
The new trustchain verification introduced in 4.2.0 has been parallelized. Threads fetching CRL or OCSP information no longer block other threads.
A new IKEv2 configuration attribute framework has been introduced allowing plugins to provide virtual IP addresses, and in the future, other configuration attribute services (e.g. DNS/WINS servers).
The stroke plugin has been extended to provide virtual IP addresses from a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts the value "%poolname", where "poolname" identifies a pool provided by a separate plugin.
Fixed compilation on uClibc and a couple of other minor bugs.
Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the authentication algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.
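The "Hash and URL" entry above describes how the certificate URL is derived. The following sketch is an added example, not strongSwan code: it builds the URL from a "certuribase" value and shows the check a receiver makes on the fetched data, comparing its SHA1 hash with the 20-byte hash carried in the payload as the IKEv2 specification requires. The function names, the example.org base URL, the lowercase hex form and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def to_der(cert):
    """Return DER bytes for a certificate given as PEM or DER bytes."""
    text = cert.strip()
    if text.startswith(PEM_HEADER.encode("ascii")):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return cert


def hash_and_url(cert, certuribase):
    """Build (sha1_digest, url): base URL plus hex SHA1 of the DER certificate."""
    digest = hashlib.sha1(to_der(cert)).digest()
    # Plain concatenation, as the release note describes; lowercase hex is assumed.
    return digest, certuribase + digest.hex()


def verify_fetched(expected_digest, fetched_der):
    """Accept fetched data only if its SHA1 matches the hash from the payload."""
    actual = hashlib.sha1(fetched_der).digest()
    return hmac.compare_digest(expected_digest, actual)


# Constructed stand-in bytes, not a real certificate; only the hashing matters here.
SAMPLE_DER = bytes.fromhex("308201") + b"constructed-certificate-body"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
SAMPLE_BASE = "http://certs.example.org/"  # hypothetical certuribase value

if __name__ == "__main__":
    digest, url = hash_and_url(SAMPLE_PEM, SAMPLE_BASE)
    print(url)
    print("original accepted:", verify_fetched(digest, SAMPLE_DER))
    print("modified accepted:", verify_fetched(digest, SAMPLE_DER + b"\x00"))
```

Because the hash is taken over the DER encoding, a PEM copy of the same certificate must be decoded first, otherwise the resulting URL will not match the one the peer announces.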