Version 4.3.6
- The IKEv2 daemon supports RFC 3779 IP address block constraints
carried as a critical X.509v3 extension in the peer certificate.
- The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
server entries that are sent via the IKEv1 Mode Config or IKEv2
Configuration Payload to remote clients.
- The Camellia cipher can be used as an IKEv1 encryption algorithm.
- The IKEv1 and IKEv2 daemons now check certificate path length constraints.
- The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
was sent or received within the given interval. To close the complete IKE_SA
if its only CHILD_SA was inactive, set the global strongswan.conf option
"charon.inactivity_close_ike" to yes.
- More detailed IKEv2 EAP payload information in debug output.
- IKEv2 EAP-SIM and EAP-AKA share the joint libsimaka library.
- Added required userland changes for proper SHA256 and SHA384/512 in ESP that
will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
configures the kernel with 128 bit truncation, not the non-standard 96
bit truncation used by previous releases. To use the old 96 bit truncation
scheme, the new "sha256_96" proposal keyword has been introduced.
- Fixed IPComp in tunnel mode (IKEv2 only), stripping out the duplicated outer
header. This change makes IPComp tunnel mode connections incompatible with
previous releases; disable compression on such tunnels.
- Fixed BEET mode connections on recent kernels by installing SAs with
appropriate traffic selectors, based on a patch by Michael Rossberg.
- Using extensions (such as BEET mode) and crypto algorithms (such as twofish,
serpent, sha256_96) allocated in the private use space now requires that we
know their meaning, i.e. that we are talking to strongSwan. Use the new
"charon.send_vendor_id" option in strongswan.conf to let the remote peer know
this is the case. The same strongSwan Vendor ID hash is now also used by the
IKEv1 pluto daemon.
- Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
responder omits public key authentication in favor of a mutual authentication
method. To enable EAP-only authentication, set rightauth=eap on the responder
to rely only on the MSK constructed AUTH payload. This not-yet standardized
extension requires the strongSwan vendor ID introduced above.
- The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
allowing interoperability.
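An added configuration example, not taken from the strongSwan release or its documentation, showing how the options introduced above (inactivity, the sha256/sha256_96 truncation keywords, rightauth=eap and charon.send_vendor_id) fit together on a gateway. The addresses, identities and certificate file names are placeholders.

```conf
# --- /etc/ipsec.conf (illustrative gateway configuration, placeholder values) ---
config setup
        charonstart=yes

conn rw-eap
        keyexchange=ikev2
        left=%any
        leftcert=gatewayCert.pem
        leftid=@gw.example.org
        # draft-eronen-ipsec-ikev2-eap-auth: the responder omits public key
        # authentication and relies on the MSK-constructed AUTH payload.
        # The client must announce the strongSwan Vendor ID (see below).
        rightauth=eap
        right=%any
        rightsourceip=10.3.0.0/24
        ike=aes128-sha256-modp2048
        # "sha256" now selects standard 128-bit ICV truncation (Linux 2.6.33+)
        esp=aes128-sha256
        # close the CHILD_SA after five minutes without traffic in either direction
        inactivity=5m
        # IPComp tunnel mode changed in this release; keep it off for older peers
        compress=no
        auto=add

conn legacy-gw
        keyexchange=ikev2
        left=%any
        leftcert=gatewayCert.pem
        right=192.0.2.10
        rightid=@old-gw.example.net
        # peer still runs a pre-4.3.6 release with the non-standard 96-bit
        # truncation for SHA-256 in ESP; the private-use identifier it needs is
        # only used once the peer has sent the strongSwan Vendor ID
        esp=aes128-sha256_96
        auto=add

# --- /etc/strongswan.conf ---
charon {
        # tear down the whole IKE_SA when its only CHILD_SA was closed by inactivity
        inactivity_close_ike = yes
        # announce the strongSwan Vendor ID so the peer knows that private-use
        # algorithms (sha256_96, BEET, twofish, serpent) and EAP-only
        # authentication are understood on this side
        send_vendor_id = yes
}
```

Both peers need send_vendor_id = yes for the private-use identifiers and EAP-only authentication to be negotiated; a peer that never receives the Vendor ID should be treated as a non-strongSwan implementation and offered only standard proposals.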