strongSwan

h1. Version 4.3.5

* The IKEv1 pluto daemon can now use SQL-based address pools to deal out

  virtual IP addresses as a Mode Config server. The pool capability has been

  migrated from charon's sql plugin to a new attr-sql plugin which is loaded

  by libstrongswan and which can be used by both daemons either with a SQLite

  or MySQL database and the corresponding plugin.

* In addition to time based rekeying, charon supports IPsec SA lifetimes based

  on processed volume or number of packets. They new ipsec.conf paramaters

  'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle

  SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),

  'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.

  The existing parameter 'rekeyfuzz' affects all margins.

* The new '[[IPsecPKI|ipsec pki]]' tool provides a set of commands to maintain a public

  key infrastructure. It currently supports operations to create RSA and ECDSA

  private/public keys, calculate fingerprints and issue or verify certificates.

* The EAP-AKA plugin can use different backends for USIM/quintuplet

  calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software

  implementation has been migrated to a separate plugin.

* The IKEv2 daemon charon gained basic PGP support. It can use locally installed

  peer certificates and can issue signatures based on RSA private keys.

* If no CA/Gateway certificate is specified in the NetworkManager plugin,

  charon uses a set of trusted root certificates preinstalled by distributions.

  The directory containing CA certificates can be specified using the

  --with-nm-ca-dir=path configure option.

h2. IKEv1 fixes

* Fixed smartcard-based authentication in the pluto daemon which was broken by

  the ECDSA support introduced with the 4.3.2 release.

* Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.

* A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa

  tunnels established with the IKEv1 pluto daemon.

* The pluto daemon now uses the libstrongswan x509 plugin for certificates and

  CRLs and the struct id type was replaced by identification_t used by charon

  and the libstrongswan library.

h2. IKEv2 fixes

* Fixed the encoding of the Email relative distinguished name in left|rightid

  statements.

* Charon uses a monotonic time source for statistics and job queueing, behaving

  correctly if the system time changes (e.g. when using NTP).

* Plugin names have been streamlined: EAP plugins now have a dash after eap

  (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.

  Plugin configuration sections in strongswan.conf now use the same name as the

  plugin itself (i.e. with a dash). Make sure to update "load" directives and

  the affected plugin sections in existing strongswan.conf files.

* The private/public key parsing and encoding has been split up into

  separate pkcs1, pgp, pem and dnskey plugins. The public key implementation

  plugins gmp, gcrypt and openssl can all make use of them.