Introduced the sending of the standard IETF Assessment Result PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
Extended PTS Attestation IMC/IMV pair to provide full evidence of the Linux IMA measurement process. All pertinent file information of a Linux OS can be collected and stored in an SQL database.
The PA-TNC and PB-TNC protocols can now process huge data payloads (>64 kB) by distributing PA-TNC attributes over multiple PA-TNC messages and these messages over several PB-TNC batches. As long as no consolidated recommendation from all IMVs can be obtained, the TNC server requests more client data by sending an empty SDATA batch.
The rightgroups2 ipsec.conf option can require group membership during a second authentication round, for example during XAuth authentication against a RADIUS server.
The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated clients against any PAM service. The IKEv2 eap-gtc plugin does not use PAM directly anymore, but can use any XAuth backend to verify credentials, including xauth-pam.
The new unity plugin brings support for some parts of the IKEv1 Cisco Unity Extensions. As client, charon narrows traffic selectors to the received Split-Include attributes and automatically installs IPsec bypass policies for received Local-LAN attributes. As server, charon sends Split-Include attributes for leftsubnet definitions containing multiple subnets to Unity-aware clients.
An EAP-Nak payload is returned by clients if the gateway requests an EAP method that the client does not support. Clients can also request a specific EAP method by configuring that method with leftauth in ipsec.conf.
The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses these to select a different EAP method supported/requested by the client. The plugin initially requests the first registered method or the first method configured with charon.plugins.eap-dynamic.preferred in strongswan.conf.
The new left|rightdns ipsec.conf options specify connection-specific DNS servers to request/respond in IKEv2 configuration payloads or IKEv1 mode config. leftdns can be any (comma-separated) combination of %config4 and %config6 to request multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server IP addresses to return.
The left|rightsourceip options now accept multiple addresses or pools. leftsourceip can be any (comma separated) combination of %config4, %config6 or fixed IP addresses to request. rightsourceip accepts multiple explicitly specified or referenced named pools.
Multiple connections can now share a single address pool when they use the same definition in one of the rightsourceip pools.
The strongswan.conf options charon.interfaces_ignore and charon.interfaces_use allow one to configure the network interfaces used by the daemon.
The kernel-netlink plugin supports the new strongswan.conf option charon.install_virtual_ip_on, which specifies the interface on which virtual IP addresses will be installed. If it is not specified, the current behavior of using the outbound interface is preserved.
The kernel-netlink plugin tries to keep the current source address when looking for valid routes to reach other hosts.
The autotools build has been migrated to use a config.h header. strongSwan development headers will get installed during "make install" if --with-dev-headers has been passed to ./configure.
All crypto primitives gained return values for most operations, allowing crypto backends to fail, for example when using hardware accelerators.
The UDP ports used by charon can be configured via ./configure or the charon.port and charon.port_nat_t options in strongswan.conf; if a port is configured as 0, it will be allocated randomly.
The NetworkManager backend (charon-nm) uses random source ports to avoid conflicts with regular charon.
With uniqueids=never configured in ipsec.conf, INITIAL_CONTACT notifies are ignored. Even with uniqueids=no configured, the daemon deletes existing IKE_SAs with the same peer upon receipt of an INITIAL_CONTACT notify; this new option allows these notifies to be ignored.
Prefixing the identity configured with rightid with a % character prevents initiators from sending an IDr payload in the IKE_AUTH exchange. The configured identity is then checked not only against the returned IDr, but also against other identities contained in the responder's certificate.
Non-"/0" subnet sizes are accepted for traffic selectors starting at 0.0.0.0.
Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down.
Caching of relations in validated certificate chains can be disabled with the libstrongswan.cert_cache strongswan.conf option.
Logging of multi-line log messages was fixed in situations where more than one logger was registered.
Fixed transmission of the EAP-MSCHAPv2 user name if it contains a domain part.
Added an option to enforce the configured destination address for DHCP packets.
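The new ipsec.conf and strongswan.conf options listed above (uniqueids=never, rightsourceip/rightdns with multiple pools and servers, leftsourceip/leftdns with %config4/%config6, the % prefix on rightid, leftauth-requested EAP methods, eap-dynamic's preferred list, interfaces_use and cert_cache) combined into one roadwarrior setup. This is a constructed example, not a configuration shipped with strongSwan; host names, addresses, the certificate file and the named pool "pool-v6" are assumptions, and the three files are shown in a single block for brevity:

```ini
# --- gateway: ipsec.conf ---
config setup
    # ignore INITIAL_CONTACT notifies instead of deleting IKE_SAs of the same peer
    uniqueids=never

conn rw-eap
    left=%any
    # assumed certificate file under /etc/ipsec.d/certs
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    # two subnets in one conn; Unity-aware IKEv1 clients get them as Split-Include
    leftsubnet=10.0.0.0/16,192.168.0.0/24
    right=%any
    # EAP method picked by eap-dynamic, switched on an EAP-Nak from the client
    rightauth=eap-dynamic
    # inline IPv4 subnet plus a named pool "pool-v6" assumed to exist in the pool
    # database; other conns referencing the same names share these pools
    rightsourceip=10.3.0.0/16,pool-v6
    # DNS servers returned in the IKEv2 configuration payload
    rightdns=10.0.0.53,fd00::53
    auto=add

# --- gateway: strongswan.conf ---
charon {
    # bind only to this interface
    interfaces_use = eth0
    plugins {
        eap-dynamic {
            # requested first unless the client asked for a method itself
            preferred = mschapv2, md5
        }
    }
}
libstrongswan {
    # do not cache relations of validated certificate chains
    cert_cache = no
}

# --- client: ipsec.conf ---
conn home
    right=vpn.example.org
    # leading %: send no IDr, match the identity against the responder's cert too
    rightid=%vpn.example.org
    # request this EAP method explicitly; other requests are answered with EAP-Nak
    leftauth=eap-mschapv2
    eap_identity=alice
    # request one IPv4 and one IPv6 virtual address and DNS server each
    leftsourceip=%config4,%config6
    leftdns=%config4,%config6
    auto=start
```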