
Version 1 (Tobias Brunner, 02.07.2012 10:10) → Version 2/3 (Tobias Brunner, 03.10.2012 11:20)

h1. Version 5.0.1

* Introduced the sending of the standard IETF Assessment Result
PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.

* Extended PTS Attestation IMC/IMV pair to provide full evidence of
the Linux IMA measurement process. All pertinent file information
of a Linux OS can be collected and stored in an SQL database.

* The PA-TNC and PB-TNC protocols can now process huge data payloads
>64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
and these messages over several PB-TNC batches. As long as no
consolidated recommendation from all IMVs can be obtained, the TNC
server requests more client data by sending an empty SDATA batch.

* The @rightgroups2@ [[ConnSection|ipsec.conf]] option can require group membership during
a second authentication round, for example during XAuth authentication
against a RADIUS server.

* The [[XAuthPAM|xauth-pam backend]] can authenticate IKEv1 XAuth and Hybrid authenticated
clients against any PAM service. The IKEv2 [[EAPGTC|eap-gtc plugin]] does not use
PAM directly anymore, but can use any XAuth backend to verify credentials,
including xauth-pam.

* The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
Extension. As client, charon narrows traffic selectors to the received
Split-Include attributes and automatically installs IPsec bypass policies
for received Local-LAN attributes. As server, charon sends Split-Include
attributes for @leftsubnet@ definitions containing multiple subnets to Unity-aware clients.

* An EAP-Nak payload is returned by clients if the gateway requests an EAP
method that the client does not support. Clients can also request a specific
EAP method by configuring that method with @leftauth@ in [[ConnSection|ipsec.conf]].

* The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
these to select a different EAP method supported/requested by the client.
The plugin initially requests the first registered method or the first method
configured with @charon.plugins.eap-dynamic.preferred@ in [[strongswan.conf]].

* The new @left|rightdns@ [[ConnSection|ipsec.conf]] options specify connection specific DNS servers to
request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
can be any (comma separated) combination of @%config4@ and @%config6@ to request
multiple servers, both for IPv4 and IPv6. @rightdns@ takes a list of DNS server
IP addresses to return.

* The @left|rightsourceip@ options now accept multiple addresses or pools.
@leftsourceip@ can be any (comma separated) combination of @%config4@, @%config6@
or fixed IP addresses to request. @rightsourceip@ accepts multiple explicitly
specified or referenced named pools.

* Multiple connections can now share a single address pool when they use the
same definition in one of the @rightsourceip@ pools.

* The [[strongswan.conf]] options @charon.interfaces_ignore@ and @charon.interfaces_use@
allow one to configure the network interfaces used by the daemon.

* The kernel-netlink plugin supports the new [[strongswan.conf]] option
@charon.install_virtual_ip_on@, which specifies the interface on which
[[VirtualIP|virtual IP addresses]] will be installed. If it is not specified the current behavior
of using the outbound interface is preserved.

* The kernel-netlink plugin tries to keep the current source address when
looking for valid routes to reach other hosts.

* The [[InstallationDocumentation#Building-strongSwan|autotools build]] has been migrated to use a config.h header. strongSwan
development headers will get installed during "make install" if
@--with-dev-headers@ has been passed to [[InstallationDocumentation#Building-strongSwan|./configure]].

* All crypto primitives gained return values for most operations, allowing
crypto backends to fail, for example when using hardware accelerators.

* The UDP ports used by charon can be configured via [[InstallationDocumentation#Building-strongSwan|./configure]] or the
@charon.port@ and @charon.port_nat_t@ options in [[strongswan.conf]].
If a port is configured as @0@, it is allocated randomly.

* The [[NetworkManager|NetworkManager backend]] (charon-nm) uses random source ports
to avoid conflicts with regular charon.

* With @uniqueids=never@ configured in [[ConfigSetupSection|ipsec.conf]], INITIAL_CONTACT notifies are ignored.
Even with @uniqueids=no@ configured, the daemon deletes existing IKE_SAs with the same
peer upon receipt of an INITIAL_CONTACT notify.
The new @never@ value allows these notifies to be ignored.

* Prefixing the identity configured with @rightid@ with a @%@ character prevents initiators
from sending an IDr payload in the IKE_AUTH exchange. Later the configured identity
will not only be checked against the returned IDr, but also against other identities contained
in the responder's certificate.
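To show how several of the new ipsec.conf options listed above fit together, here is an added example configuration; it is not taken from the strongSwan wiki or source tree. The connection names, addresses, identities, certificate file name and the @xauth-radius@ backend used for the second authentication round are assumptions chosen for illustration.

```ini
# Added example (not from the strongSwan project): ipsec.conf fragments for 5.0.1.
# All addresses, names and certificate file names below are constructed.

config setup
    # Ignore INITIAL_CONTACT notifies entirely instead of deleting
    # existing IKE_SAs with the same peer (uniqueids=no would still delete them).
    uniqueids=never

# --- Road-warrior client side -------------------------------------------
conn client
    keyexchange=ikev2
    left=%defaultroute
    leftid=carol@example.org
    # Request a specific EAP method; if the gateway offers a different
    # one, the client answers with an EAP-Nak.
    leftauth=eap-mschapv2
    # Request one IPv4 and one IPv6 virtual address, and DNS servers for both.
    leftsourceip=%config4,%config6
    leftdns=%config4,%config6
    right=vpn.example.org
    rightauth=pubkey
    # The % prefix suppresses the IDr payload in IKE_AUTH; the identity is
    # then matched against any identity contained in the responder's certificate.
    rightid=%vpn.example.org
    rightsubnet=0.0.0.0/0
    auto=add

# --- Gateway side: IKEv1 XAuth with a group check in the second round ----
conn rw-xauth
    keyexchange=ikev1
    left=203.0.113.1
    leftcert=gwCert.pem
    leftid=@vpn.example.org
    # Two subnets behind the gateway: Unity-aware clients receive them as
    # Split-Include attributes via the unity plugin.
    leftsubnet=10.1.0.0/16,10.2.0.0/16
    leftauth=pubkey
    rightauth=pubkey
    # Second authentication round (XAuth against RADIUS; backend name assumed).
    # rightgroups2 requires membership in this group during that round.
    rightauth2=xauth-radius
    rightgroups2=vpn-users
    # Two explicitly specified pools; another conn repeating the same
    # definition shares the pool with this one.
    rightsourceip=10.3.0.0/24,10.4.0.0/24
    # DNS servers handed out to clients in mode config.
    rightdns=10.1.0.53,10.2.0.53
    right=%any
    auto=add
```

The client conn requests its virtual addresses and DNS servers for both address families in one line, while the gateway conn combines certificate authentication with an XAuth round whose group result is enforced by @rightgroups2@.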

* Non-"/0" subnet sizes are accepted for traffic selectors starting at 0.0.0.0.

* Job handling in controller_t was fixed, which occasionally caused crashes
on @ipsec up/down@.

* Caching of relations in validated certificate chains can be disabled with the
@libstrongswan.cert_cache@ [[strongswan.conf]] option.
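The strongswan.conf options introduced in this release, collected into one added example that is not a file from the strongSwan project; the interface names, port numbers and EAP method list are constructed values for illustration.

```conf
# Added example (not from the strongSwan project); all values are constructed.
charon {
    # UDP ports used by charon (charon.port / charon.port_nat_t);
    # setting either to 0 makes charon allocate a random port.
    port = 500
    port_nat_t = 4500

    # Only use these network interfaces; charon.interfaces_ignore is the
    # complementary exclusion list.
    interfaces_use = eth0, eth1

    # kernel-netlink plugin: install virtual IPs on this interface instead
    # of the outbound interface.
    install_virtual_ip_on = lo

    plugins {
        eap-dynamic {
            # Method offered first by the eap-dynamic plugin; an EAP-Nak from
            # the client makes it switch to a method the client supports.
            preferred = eap-mschapv2, eap-tls
        }
    }
}

libstrongswan {
    # Disable caching of relations in validated certificate chains.
    cert_cache = no
}
```

Keys nest as the dotted names on this page indicate: @charon.plugins.eap-dynamic.preferred@ lives in the @eap-dynamic@ block inside @plugins@ inside @charon@, and @libstrongswan.cert_cache@ in its own top-level section.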

* Logging of multi-line log messages was fixed in situations where more than one logger
was registered.

* Fixed transmission of the EAP-MSCHAPv2 user name if it contains a domain part.

* Added an option to enforce the configured destination address for [[DHCPPlugin|DHCP packets]].
