The charon IKE daemon gained experimental support for the IKEv1 protocol. Pluto has been removed from the 5.x series, and unless strongSwan is configured with --disable-ikev1 or --disable-ikev2, charon handles both keying protocols. The feature set of IKEv1 in charon is almost on par with pluto, but currently does not support AH or bundled AH+ESP SAs. Besides RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication mode. Information for interoperability and migration is available on our wiki. More details about the history and context of these changes can be found in our related blog post.
Charon's bus_t has been refactored so that loggers and other listeners are now handled separately. The single lock was previously a cause of deadlocks: an extensive listener, such as the one provided by the updown plugin, could try to acquire locks held by other threads, which in turn tried to log messages and were therefore waiting for the very lock held by the thread calling the listener. The changes also allow the use of a read/write lock for the loggers, which increases performance if multiple loggers are registered. Besides several interface changes, this last bit also changes the semantics for loggers, as these may now be called by multiple threads concurrently.
Source routes are reinstalled if interfaces are reactivated or IP addresses reappear.
The thread pool (processor_t) now has more control over the lifecycle of a job (see source:src/libstrongswan/processing/jobs/job.h for details). In particular, it now controls the destruction of jobs after execution and the cancellation of jobs during shutdown. Due to these changes the requeueing feature, previously available to callback_job_t only, is now available to all jobs (in addition to a new rescheduling feature).
In addition to trustchain key strength definitions for different public key systems, the rightauth ipsec.conf option now takes a list of signature hash algorithms considered safe for trustchain validation. For example, the setting rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 requires a trustchain that uses at least RSA-2048 or ECDSA-256 keys and certificate signatures using SHA-256 or better.
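The following is an added illustration, not strongSwan's own parser or validation code: a simplified model of the rightauth key-strength and signature-hash syntax described above, applied to a constructed trustchain. The token grammar (key type optionally followed by a minimum bit length, then a list of hash names), the treatment of a "pubkey" minimum as applying to every key type, and the rule that a key type without a stated minimum is rejected once any minimum is given are assumptions made for this example; strongSwan's credential manager is the authority on the real semantics.

```python
from dataclasses import dataclass, field

# Tokens this hypothetical parser understands (assumption: a subset of what
# strongSwan accepts in rightauth).
KEY_TYPES = {"pubkey", "rsa", "ecdsa"}
HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}


@dataclass
class TrustchainPolicy:
    min_key_bits: dict = field(default_factory=dict)   # key type -> minimum bits
    allowed_hashes: set = field(default_factory=set)   # accepted signature hashes


@dataclass
class ChainCert:
    subject: str
    key_type: str   # "rsa" or "ecdsa"
    key_bits: int   # strength of the certified public key
    sig_hash: str   # hash algorithm used in the certificate's signature


def parse_rightauth(value):
    """Parse e.g. 'rsa-2048-ecdsa-256-sha256-sha384-sha512' into a policy."""
    tokens = value.lower().split("-")
    policy = TrustchainPolicy()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEY_TYPES:
            # an integer directly after a key type is its minimum strength
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                policy.min_key_bits[tok] = int(tokens[i + 1])
                i += 2
                continue
            i += 1
        elif tok in HASHES:
            policy.allowed_hashes.add(tok)
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r} in rightauth value {value!r}")
    return policy


def check_trustchain(policy, chain):
    """Return (ok, problems) for a chain of certificates under the policy."""
    problems = []
    for cert in chain:
        if policy.min_key_bits:
            # a 'pubkey' minimum acts as the fallback for any key type (assumption)
            need = policy.min_key_bits.get(cert.key_type,
                                           policy.min_key_bits.get("pubkey"))
            if need is None:
                problems.append(f"{cert.subject}: key type {cert.key_type} not permitted")
            elif cert.key_bits < need:
                problems.append(f"{cert.subject}: {cert.key_type}-{cert.key_bits} "
                                f"is weaker than the required {need} bits")
        if policy.allowed_hashes and cert.sig_hash not in policy.allowed_hashes:
            problems.append(f"{cert.subject}: signature hash {cert.sig_hash} not allowed")
    return (not problems, problems)


# Constructed sample chains (leaf first); these are not real certificates.
STRONG_CHAIN = [
    ChainCert("CN=moon.strongswan.org", "rsa", 3072, "sha256"),
    ChainCert("CN=strongSwan Intermediate CA", "ecdsa", 384, "sha384"),
]
WEAK_CHAIN = [
    ChainCert("CN=legacy-gw", "rsa", 1024, "sha1"),
    ChainCert("CN=Old CA", "rsa", 2048, "sha256"),
]

if __name__ == "__main__":
    policy = parse_rightauth("rsa-2048-ecdsa-256-sha256-sha384-sha512")
    for name, chain in (("strong", STRONG_CHAIN), ("weak", WEAK_CHAIN)):
        ok, problems = check_trustchain(policy, chain)
        print(name, "accepted" if ok else "rejected", problems)
```

Running the block prints the strong chain as accepted and the weak chain as rejected with two findings for the leaf certificate (a 1024-bit RSA key and a SHA-1 signature). The same structure, a parsed minimum per key type plus an explicit set of hash algorithms, is what the rightauth example in the text expresses: raising the minimums or dropping sha256 from the list tightens what a peer's chain must satisfy.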
The NetworkManager charon plugin of previous releases is now provided by a separate executable (charon-nm) and it should work again with NM 0.9.
scepclient was updated and it now works fine with Windows Server 2008 R2. Among other things, support for multiple CA/RA certificates and configurable digest/signature algorithms was added.
Thanks to initial patches by Aleksandr Grinberg the openssl plugin now provides PRFs and signers based on HMACs, and can also be used as RNG.
The left|rightallowany ipsec.conf option previously available only for IKEv1 is now also supported for IKEv2 connections.
A strongswan.conf option to retry the initiation of an IKE_SA, if it failed due to a failed DNS lookup, was added (charon.retry_initiate_interval, disabled by default).
The source address lookup for IPv6 addresses was fixed (this fixes MOBIKE with IPv6, which was broken in some scenarios since 4.6.2).
Installing IPsec policies with ports (left|rightprotoport) was fixed in the PF_KEY kernel interface.