strongSwan

h1. Version 5.0.2

* Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV

  pair using them to transfer operating system information.

* The new [[IpsecCommand|ipsec]] _listcounters_ command prints a list of global counter values

  about received and sent IKE messages and rekeyings.

* A new [[Lookip|lookip plugin]] can perform fast lookup of tunnel information using a

  clients virtual IP and can send notifications about established or deleted

  tunnels. The "ipsec lookip" command can be used to query such information

  or receive notifications.

* The new [[ErrorNotifyPlugin|error-notify plugin]] catches some common error conditions and allows

  an external application to receive notifications for them over a UNIX socket.

* IKE proposals can now use a PRF algorithm different to that defined for

  integrity protection. If an algorithm with a "prf" prefix is defined

  explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on

  the integrity algorithm is added to the proposal.

* The [[PKCS11Plugin|pkcs11 plugin]] can now load leftcert certificates from a smartcard for a

  specific ipsec.conf conn section and cacert CA certificates for a specific ca

  section.

* The [[LoadTests|load-tester plugin]] gained additional options for certificate generation

  and can load keys and multiple CA certificates from external files. It can

  install a dedicated outer IP address for each tunnel and tunnel initiation

  batches can be triggered and monitored externally using the

  [[IpsecCommand|ipsec]] _load-tester_ tool.

* PKCS#7 container parsing has been modularized, and the openssl plugin

  gained an alternative implementation to decrypt and verify such files.

  In contrast to our own DER parser, OpenSSL can handle BER files, which is

  required for interoperability of our scepclient with EJBCA.

* Support for the proprietary IKEv1 fragmentation extension has been added.

  Fragments are always handled on receipt but only sent if supported by the peer

  and if enabled with the new _fragmentation_ [[ipsec.conf]] option.

* IKEv1 in charon can now parse certificates received in PKCS#7 containers and

  supports NAT traversal as used by Windows clients. Patches courtesy of

  Volker Rümelin.

* The new rdrand plugin provides a high quality / high performance random

  source using the Intel rdrand instruction found on Ivy Bridge processors.

* The integration test environment (see source:testing/README) was updated and

  now uses KVM and reproducible guest images based on Debian.

* The _charon.ikesa_limit_ [[strongswan.conf]] option allows responders to limit

  the number of concurrently established IKE_SAs.

* The charon daemon reloads the [[LoggerConfiguration|logger configuration]] from strongswan.conf

  if it receives a SIGHUP. Besides changing the configuration this allows to easily rotate

  log files created by file loggers without having to restart the daemon.

* Resolving hosts by DNS name is now done in separate threads, which allows us

  to cancel these lookups (if getaddrinfo(3) is a cancellation point, anyway).

  The maximum number of threads can be configured in [[strongswan.conf]].

* Changed connections with _auto=route_ are properly updated during _ipsec update|reload_.

* Added missing XFRM marks for several functions in the kernel-netlink plugin.

* The encoding of TLS extensions (elliptic_curves and signature_algorithms) was fixed.