Version 4.2.1

  • Support for "Hash and URL" encoded certificate payloads has been implemented
    in the IKEv2 daemon charon. The "certuribase" option of a CA section assigns
    a base URL to all certificates issued by the specified CA. The final URL is
    then built by concatenating that base with the hex encoded SHA1 hash of the
    DER encoded certificate. Note that this feature is disabled by default and
    must be enabled using the option "charon.hash_and_url".
  • The IKEv2 daemon charon now supports the "uniqueids" option to close multiple
    IKE_SAs with the same peer. The option value "keep" prefers existing
    connection setups over new ones, while the value "replace" replaces existing
    connections with the new one.
  • The crypto factory in libstrongswan additionally supports random number
    generators; plugins may provide other sources of randomness. The default
    plugin reads raw random data from /dev/(u)random.
  • Extended the credential framework by a caching option that allows plugins
    to cache fetched credentials persistently. The "cachecrl" option has been
    re-implemented on top of it.
  • The new trustchain verification introduced in 4.2.0 has been parallelized.
    Threads fetching CRL or OCSP information no longer block other threads.
  • A new IKEv2 configuration attribute framework has been introduced allowing
    plugins to provide virtual IP addresses, and in the future, other
    configuration attribute services (e.g. DNS/WINS servers).
  • The stroke plugin has been extended to provide virtual IP addresses from
    a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts
    address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts
    the value "%poolname", where "poolname" identifies a pool provided by a
    separate plugin.
  • Fixed compilation on uClibc and a couple of other minor bugs.
  • Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
  • The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA
    with key lengths of 128, 192, and 256 bits, as well as the authentication
    algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.
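The "Hash and URL" item above describes how the URL is derived; the following added example (not strongSwan code) builds that URL, packs it into the Certificate Data of an IKEv2 CERT payload of encoding type 12 (RFC 4306 section 3.6: 20-byte SHA-1 hash followed by the URL), decodes it on the receiving side, and performs the check a receiver must make before trusting anything it fetched: the SHA-1 of the downloaded bytes has to equal the hash carried in the payload. The DER blob and the certuribase host are constructed placeholders, and the http/https scheme restriction in the decoder is this example's own assumption.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed stand-in for a DER-encoded certificate; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# Assumed value of the CA section's "certuribase" option (hypothetical host).
SAMPLE_BASE = "http://certs.example.org/"

CERT_ENCODING_HASH_AND_URL = 12  # RFC 4306 3.6: Hash and URL of X.509 certificate


def hash_and_url(der_cert: bytes, certuribase: str) -> str:
    """Build the URL as the changelog describes: base + hex SHA-1 of the DER cert."""
    return certuribase + hashlib.sha1(der_cert).hexdigest()


def encode_hash_and_url(der_cert: bytes, certuribase: str) -> bytes:
    """Certificate Data for a CERT payload of encoding type 12:
    the raw 20-byte SHA-1 hash of the DER certificate followed by the URL."""
    digest = hashlib.sha1(der_cert).digest()
    return digest + hash_and_url(der_cert, certuribase).encode("ascii")


def decode_hash_and_url(cert_data: bytes) -> Tuple[bytes, str]:
    """Split received Certificate Data into (sha1_hash, url), rejecting malformed input."""
    if len(cert_data) <= 20:
        raise ValueError("Hash and URL data needs a 20-byte hash followed by a URL")
    url = cert_data[20:].decode("ascii")  # non-ASCII bytes are malformed here
    # Assumption of this example: only fetch over http(s); other schemes are rejected.
    if not url.startswith(("http://", "https://")):
        raise ValueError("unexpected URL scheme in Hash and URL payload: " + url)
    return cert_data[:20], url


def fetched_certificate_is_trusted(expected_sha1: bytes, fetched_der: bytes) -> bool:
    """The receiver-side check: bind the fetched bytes to the hash sent inside the
    authenticated IKE exchange before parsing or trusting the certificate."""
    actual = hashlib.sha1(fetched_der).digest()
    return hmac.compare_digest(actual, expected_sha1)


if __name__ == "__main__":
    payload = encode_hash_and_url(SAMPLE_DER, SAMPLE_BASE)
    sent_hash, url = decode_hash_and_url(payload)
    print("URL to fetch:", url)
    print("fetched bytes match:", fetched_certificate_is_trusted(sent_hash, SAMPLE_DER))
```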