strongSwan

h1. Version 4.2.9

* Flexible configuration of logging subsystem allowing to log to multiple

  syslog facilities or to files using fine-grained log levels for each target.

* Load testing plugin to do stress testing of the IKEv2 daemon against self

  or another host. Found and fixed issues during tests in the multi-threaded

  use of the OpenSSL plugin.

* Added profiling code to synchronization primitives to find bottlenecks if

  running on multiple cores. Found and fixed an issue where parts of the

  Diffie-Hellman calculation acquired an exclusive lock. This greatly improves

  parallelization to multiple cores.

* updown script invocation has been separated into a plugin of its own to

  further slim down the daemon core.

* Separated IKE_SA/CHILD_SA key derivation process into a closed system,

  allowing future implementations to use a secured environment in e.g. kernel

  memory or hardware.

* The kernel interface of charon has been modularized. XFRM NETLINK (default)

  and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec

  stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS

  IPsec stack (--enable-kernel-klips) are provided.

* Basic Mobile IPv6 support has been introduced, securing Binding Update

  messages as well as tunneled traffic between Mobile Node and Home Agent.

  The installpolicy=no option allows peaceful cooperation with a dominant

  mip6d daemon and the new type=transport_proxy implements the special MIPv6

  IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address

  but the IPsec SA is set up for the Home Adress.

* Implemented migration of Mobile IPv6 connections using the KMADDRESS

  field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon

  via the Linux 2.6.28 (or appropriately patched) kernel.