Version 5.0.0

  • The charon IKE daemon gained experimental support for the IKEv1 protocol.
    Pluto has been removed from the 5.x series, and unless strongSwan is
    configured with --disable-ikev1 or --disable-ikev2, charon handles
    both keying protocols. The feature-set of IKEv1 in charon is almost on par with
    pluto, but currently does not support AH or bundled AH+ESP SAs. Besides
    RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
    mode. Information for interoperability and migration is available on
    our wiki. More details about the history and context of these changes
    can be found in our related blog post.
  • Charon's bus_t has been refactored so that loggers and other listeners are
    now handled separately. The single lock was previously a cause of deadlocks
    if extensive listeners, such as the one provided by the updown plugin, wanted
    to acquire locks that were held by other threads which in turn tried to log
    messages, and thus were waiting to acquire the same lock currently held by
    the thread calling the listener.
    The implemented changes also allow the use of a read/write-lock for the
    loggers which increases performance if multiple loggers are registered.
    Besides several interface changes this last bit also changes the semantics
    for loggers as these may now be called by multiple threads concurrently.
  • Source routes are reinstalled if interfaces are reactivated or IP addresses
  • The thread pool (processor_t) now has more control over the lifecycle of
    a job (see source:src/libstrongswan/processing/jobs/job.h for details).
    In particular, it now controls the destruction of jobs after execution and
    the cancellation of jobs during shutdown. Due to these changes the requeueing
    feature, previously available to callback_job_t only, is now available to all
    jobs (in addition to a new rescheduling feature).
  • In addition to trustchain key strength definitions for different public key
    systems, the rightauth ipsec.conf option now takes a list of signature
    hash algorithms considered safe for trustchain validation. For example,
    the setting rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512
    requires a trustchain that uses at least RSA-2048 or ECDSA-256 keys and
    certificate signatures using SHA-256 or better.
  • The NetworkManager charon plugin of previous releases is now provided by a
    separate executable (charon-nm) and it should work again with NM 0.9.
  • scepclient was updated and it now works fine with Windows Server 2008 R2.
    Among other things, support for multiple CA/RA certificates and configurable
    digest/signature algorithms was added.
  • Thanks to initial patches by Aleksandr Grinberg the openssl plugin now provides
    PRFs and signers based on HMACs, and can also be used as RNG.
  • The left|rightallowany ipsec.conf option previously available only for
    IKEv1 is now also supported for IKEv2 connections.
  • A strongswan.conf option to retry the initiation of an IKE_SA, if it failed due to a
    failed DNS lookup, was added (charon.retry_initiate_interval, disabled by default).
  • The source address lookup for IPv6 addresses was fixed (this fixes MOBIKE with IPv6,
    which was broken in some scenarios since 4.6.2).
  • Installing IPsec policies with ports (left|rightprotoport) was fixed in the
    PF_KEY kernel interface.
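
The rightauth trustchain constraint from the list above, as an added example (a simplified model of the described semantics, not strongSwan's own parser). The certificate dictionaries and their field names are hypothetical, and rejecting a key type that the constraint does not name is an assumption of this sketch.

```python
# Simplified model of the rightauth constraint described above; not strongSwan code.
KEY_TYPES = {"rsa", "ecdsa"}
HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}

def parse_rightauth(value):
    """Return ({key_type: min_bits}, {allowed_hashes}) for e.g. rsa-2048-sha256."""
    min_bits, hashes = {}, set()
    tokens = value.lower().split("-")
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEY_TYPES:
            # A key type may be followed by its minimum strength in bits.
            has_size = i + 1 < len(tokens) and tokens[i + 1].isdigit()
            min_bits[tok] = int(tokens[i + 1]) if has_size else 0
            i += 2 if has_size else 1
        elif tok in HASHES:
            hashes.add(tok)
            i += 1
        else:
            raise ValueError(f"unknown rightauth token: {tok!r}")
    return min_bits, hashes

def check_chain(value, chain):
    """Return the list of violations; an empty list means the chain complies."""
    min_bits, hashes = parse_rightauth(value)
    problems = []
    for cert in chain:
        need = min_bits.get(cert["key"])
        if min_bits and need is None:  # assumption: unlisted key types are rejected
            problems.append(f"{cert['subject']}: {cert['key']} keys not allowed")
        elif need and cert["bits"] < need:
            problems.append(f"{cert['subject']}: {cert['key']}-{cert['bits']} < {need}")
        if hashes and cert["sig_hash"] not in hashes:
            problems.append(f"{cert['subject']}: {cert['sig_hash']} signature not allowed")
    return problems

# Constructed sample chains (not taken from any real deployment).
POLICY = "rsa-2048-ecdsa-256-sha256-sha384-sha512"
GOOD = [{"subject": "CN=gw", "key": "ecdsa", "bits": 256, "sig_hash": "sha384"},
        {"subject": "CN=Sub CA", "key": "rsa", "bits": 2048, "sig_hash": "sha256"}]
WEAK = [{"subject": "CN=old-gw", "key": "rsa", "bits": 1024, "sig_hash": "sha1"},
        {"subject": "CN=Sub CA", "key": "rsa", "bits": 4096, "sig_hash": "sha256"}]

if __name__ == "__main__":
    for name, chain in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_chain(POLICY, chain) or "complies")
```

Running a peer's chain through such a check before rollout shows which certificates would fail once the stricter rightauth value is configured.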