Our private libraries (e.g. libstrongswan) are not installed directly in prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by default). The plugins directory is also moved from libexec/ipsec/ to that directory.
The dynamic IMC/IMV libraries were moved from the plugins directory to a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
Job priorities were introduced to prevent thread starvation caused by too many threads handling blocking operations (such as CRL fetching).
The IKEv2 charon daemon supports PASS and DROP shunt policies, which prevent traffic from going through IPsec connections. The shunt policies are installed via either the XFRM netfilter or the PFKEYv2 IPsec kernel interface.
The history of policies installed in the kernel is now tracked so that e.g. trap policies are correctly updated when reauthenticated SAs are terminated.
IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol. Using "netstat -l", the IMC scans open listening ports on the TNC client and sends a port list to the IMV, which decides based on a port policy whether the client is admitted to the network (--enable-imc-scanner/--enable-imv-scanner).
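The scan-and-decide flow of the Scanner pair, sketched as an added example (not strongSwan code): the IMC step parses constructed numeric "netstat -l" output into a port list, and the IMV step checks that list against a hypothetical allow-list policy. The function names, the policy format and the sample output are assumptions, and the PA-TNC message encoding is left out.

```python
# Added illustration, not strongSwan code; policy format and names are assumed.

# Constructed sample of numeric "netstat -l" output (net-tools layout).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::5353                 :::*
"""

# Hypothetical port policy: the only listeners an admitted client may have.
ALLOWED_PORTS = {("tcp", 22), ("udp", 68)}


def parse_listening_ports(netstat_output):
    """IMC step: extract a sorted list of unique (protocol, port) pairs."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines, UNIX sockets, blanks
        proto = fields[0][:3]  # fold tcp6/udp6 into tcp/udp
        if proto == "tcp" and "LISTEN" not in fields:
            continue
        port = fields[3].rpartition(":")[2]
        if not port.isdigit():
            # Fail closed: a service name here would hide a port from the IMV.
            raise ValueError(f"non-numeric port in line: {line!r}")
        ports.add((proto, int(port)))
    return sorted(ports)


def evaluate_port_list(port_list, allowed):
    """IMV step: admit only if every reported listener is allowed."""
    violations = [entry for entry in port_list if entry not in allowed]
    return not violations, violations


if __name__ == "__main__":
    reported = parse_listening_ports(SAMPLE_NETSTAT)
    admitted, violations = evaluate_port_list(reported, ALLOWED_PORTS)
    print("reported:", reported)
    print("admitted:", admitted, "violations:", violations)
```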
IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol. (--enable-imc-test/--enable-imv-test).
The IKEv2 close action does not use the same value as the ipsec.conf dpdaction setting, but the value defined by its own closeaction keyword. The action is triggered if the remote peer closes a CHILD_SA unexpectedly.