Version 4.3.6 » History » Version 1
Tobias Brunner, 17.03.2010 10:22
Added news for 4.3.6
h1. Version 4.3.6

* The IKEv2 daemon supports RFC 3779 IP address block constraints carried as a critical X.509v3 extension in the peer certificate: the traffic selectors a peer negotiates must lie within the address blocks listed in its certificate.

* The [[IpsecPool|ipsec pool]] --add|del dns|nbns command manages the DNS and NBNS name server entries that are sent to remote clients via the IKEv1 Mode Config or IKEv2 Configuration Payload.

* The Camellia cipher can be used as an IKEv1 encryption algorithm.

* The IKEv1 and IKEv2 daemons now check certificate path length constraints (the pathLenConstraint field of the basicConstraints extension in CA certificates) when validating a trust chain.

* The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic was sent or received within the given interval. To close the complete IKE_SA if its only CHILD_SA was inactive, set the global strongswan.conf option "charon.inactivity_close_ike" to yes.

* More detailed IKEv2 EAP payload information in debug output.

* IKEv2 EAP-SIM and EAP-AKA share the joint libsimaka library.

* Added the required userland changes for proper SHA256 and SHA384/512 in ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now configures the kernel with the 128 bit truncation specified in RFC 4868, not the non-standard 96 bit truncation used by previous releases. To use the old 96 bit truncation scheme, the new "sha256_96" proposal keyword has been introduced. Because the standard algorithm identifier now means 128 bit truncation, an ESP SA negotiated with "sha256" against a peer that still truncates to 96 bits will fail the integrity check on every packet.

* Fixed IPComp in tunnel mode (IKEv2 only), stripping out the duplicated outer header. This change makes IPComp tunnel mode connections incompatible with previous releases; disable compression on such tunnels.

* Fixed BEET mode connections on recent kernels by installing SAs with appropriate traffic selectors, based on a patch by Michael Rossberg.

* Using extensions (such as BEET mode) and crypto algorithms (such as twofish, serpent, sha256_96) allocated in the private use space now requires that the peer is known to understand them, i.e. that we are talking to strongSwan. Use the new "charon.send_vendor_id" option in strongswan.conf to let the remote peer know this is the case.

The same strongSwan Vendor ID hash is now also used by the IKEv1 pluto daemon.

* Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the responder omits public key authentication in favor of a mutually authenticating EAP method. To enable EAP-only authentication, set rightauth=eap on the responder to rely only on the AUTH payload constructed from the EAP MSK. This not-yet standardized extension requires the strongSwan vendor ID introduced above.

* The IKEv1 daemon ignores the private-use notification type 40001 sent by Juniper SRX devices, thus allowing interoperability.
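The following configuration is an added example and is not part of the original release notes or of the strongSwan distribution. It puts the new "inactivity" conn option, the "charon.inactivity_close_ike" and "charon.send_vendor_id" settings, and the "sha256" versus "sha256_96" proposal keywords from the items above into one gateway setup. Host names, addresses, certificate names, subnets and the 10 minute interval are placeholders chosen for the example.

```conf
# --- /etc/ipsec.conf (constructed example) ---
config setup

conn %default
    keyexchange=ikev2
    leftcert=gwCert.pem
    leftid="C=CH, O=strongSwan, CN=gw.strongswan.org"
    # new in 4.3.6: delete the CHILD_SA after 10 minutes without traffic
    # in either direction
    inactivity=10m
    auto=add

# Peer whose kernel implements RFC 4868 (Linux 2.6.33 or later): "sha256"
# now negotiates the standard HMAC-SHA2-256 identifier with 128 bit truncation.
conn peer-rfc4868
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid="C=CH, O=strongSwan, CN=peerA.strongswan.org"
    esp=aes128-sha256!

# Both endpoints run strongSwan 4.3.6 on kernels before 2.6.33, which only
# implement 96 bit truncation for HMAC-SHA-256. "sha256_96" is a private-use
# identifier, so it is only usable between strongSwan peers that announce the
# vendor ID (charon.send_vendor_id below); negotiating "sha256" here would
# succeed in IKE and then fail every ESP integrity check.
conn peer-legacy-kernel
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.2
    rightsubnet=10.3.0.0/16
    rightid="C=CH, O=strongSwan, CN=peerB.strongswan.org"
    esp=aes128-sha256_96!

# --- /etc/strongswan.conf (constructed example) ---
charon {
    # also tear down the IKE_SA when the inactivity timeout removes its last
    # CHILD_SA (default: keep the IKE_SA)
    inactivity_close_ike = yes
    # send the strongSwan vendor ID so that private-use algorithms and
    # extensions (sha256_96, twofish, serpent, BEET mode) can be proposed
    send_vendor_id = yes
}
```

strongswan.conf is read when charon starts, so restart the daemon after changing it; ipsec.conf changes are picked up with ipsec reload. ipsec statusall lists the algorithms of each installed CHILD_SA, which is the quickest way to confirm which truncation was actually agreed with a given peer.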