strongSwan

h1. Version 5.0.0

* The charon IKE daemon gained experimental support for the IKEv1 protocol.

  Pluto has been removed from the 5.x series, and unless strongSwan is

  [[InstallationDocumentation|configured]] with @--disable-ikev1@ or @--disable-ikev2@, charon handles

  both keying protocols. The feature-set of IKEv1 in charon is almost on par with

  pluto, but currently does not support AH or bundled AH+ESP SAs. Beside

  RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication

  mode. Information for [[CharonPlutoIKEv1|interoperability and migration]] is available [[CharonPlutoIKEv1|on

  our wiki]].  More details about the history and context of these changes

  can be found in "our related blog post":http://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html.

* Charon's @bus_t@ has been refactored so that loggers and other listeners are

  now handled separately.  The single lock was previously cause for deadlocks

  if extensive listeners, such as the one provided by the _updown_ plugin, wanted

  to acquire locks that were held by other threads which in turn tried to log

  messages, and thus were waiting to acquire the same lock currently held by

  the thread calling the listener.

  The implemented changes also allow the use of a read/write-lock for the

  loggers which increases performance if multiple loggers are registered.

  Besides several interface changes this last bit also changes the semantics

  for loggers as these may now be called by multiple threads concurrently.

* Source routes are reinstalled if interfaces are reactivated or IP addresses

  reappear.

* The thread pool (@processor_t@) now has more control over the lifecycle of

  a job (see source:src/libstrongswan/processing/jobs/job.h for details).

  In particular, it now controls the destruction of jobs after execution and

  the cancellation of jobs during shutdown.  Due to these changes the requeueing

  feature, previously available to @callback_job_t@ only, is now available to all

  jobs (in addition to a new rescheduling feature).

* In addition to trustchain key strength definitions for different public key

  systems, the @rightauth@ [[ConnSection|ipsec.conf]] option now takes a list of signature

  hash algorithms considered save for trustchain validation. For example,

  the setting @rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512@

  requires a trustchain that uses at least RSA-2048 or ECDSA-256 keys and

  certificate signatures using SHA-256 or better.

* The NetworkManager charon plugin of previous releases is now provided by a

  separate executable (@charon-nm@) and it should work again with NM 0.9.

* [[scepclient]] was updated and it now works fine with Windows Server 2008 R2.

  Among other things, support for multiple CA/RA certificates and configurable

  digest/signature algorithms was added.

* Thanks to initial patches by Aleksandr Grinberg the _openssl_ plugin now provides

  PRFs and signers based on HMACs, and can also be used as RNG.

* The @left|rightallowany@ [[ConnSection|ipsec.conf]] option previously available only for

  IKEv1 is now also supported for IKEv2 connections.

* A [[strongswan.conf]] option to retry the initiation of an IKE_SA, if it failed due to a

  failed DNS lookup, was added (@charon.retry_initiate_interval@, disabled by default).

* The source address lookup for IPv6 addresses was fixed (this fixes MOBIKE with IPv6,

  which was broken in some scenarios since [[4.6.2]]).

* Installing IPsec policies with ports (@left|rightprotoport@) was fixed in the

  PF_KEY kernel interface.