strongSwan

h1. Version 5.0.3

* The new ipseckey plugin enables authentication based on trustworthy public

  keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.

  To do so it uses a DNSSEC enabled resolver, like the one provided by the new

  unbound plugin, which is based on libldns and libunbound.  Both plugins were

  created by Reto Guadagnini. Examples: {{tc(ikev2/net2net-dnssec)}} {{tc(ikev2/rw-dnssec)}}

* Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities

  available to an IMV. The OS IMV stores the AR identity together with the

  device ID in the attest database.

* The openssl plugin now uses the AES-NI accelerated version of AES-GCM

  if the hardware supports it.

* The [[EAPRadius|eap-radius plugin]] can now assign [[VirtualIP|virtual IPs]] to IKE clients using the

  Framed-IP-Address attribute by using the _%radius_ named pool in the

  rightsourceip [[ipsec.conf]] option. Cisco Banner attributes are forwarded to

  Unity-capable IKEv1 clients during mode config. charon now sends Interim

  Accounting updates if requested by the RADIUS server, reports

  sent/received packets in Accounting messages, and adds a Terminate-Cause

  to Accounting-Stops.

* The recently introduced _[[IPsecCommand|ipsec]] listcounters_ command can report connection

  specific counters by passing a connection name, and global or connection

  counters can be reset by the _ipsec resetcounters_ command.

* The [[IfMap|tnc-ifmap plugin]] has been reimplemented without any dependency to

  the _Apache Axis2/C_ library.  Several configuration options have been changed.

* The strongSwan libpttls library provides an experimental implementation of

  PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.

* The charon [[SystimeFixPlugin|systime-fix plugin]] can disable certificate lifetime checks on

  embedded systems if the system time is obviously out of sync after bootup.

  Certificates lifetimes get checked once the system time gets sane, closing

  or reauthenticating connections using expired certificates.

* The _ikedscp_ [[ipsec.conf]] option can set DiffServ code points on outgoing

  IKE packets.

* The new xauth-noauth plugin allows to use basic RSA or PSK authentication with

  clients that cannot be configured without XAuth authentication.  The plugin

  simply concludes the XAuth exchange successfully without actually performing

  any authentication.  Therefore, to use this backend it has to be selected

  explicitly with @rightauth2=xauth-noauth@.

* The new charon-tkm IKEv2 daemon delegates security critical operations to a

  separate process. This has the benefit that the network facing daemon has no

  knowledge of keying material used to protect child SAs. Thus subverting

  charon-tkm does not result in the compromise of cryptographic keys.

  The extracted functionality has been implemented from scratch in a minimal TCB

  (trusted computing base) in the Ada programming language. Further information

  can be found at http://www.codelabs.ch/tkm/.

* Multiple certificates can be configured for _left|rightcert_ in [[ipsec.conf]]. The daemon

  chooses the certificate based on the received certificate requests, if possible,

  before enforcing the first.

* Mutual EAP authentication has been fixed when it is not used as first authentication

  round.

* The NetworkManager backend (charon-nm) uses a TUN device to satisfy NM's need

  for a network device. This fixes "LP:872824":https://bugs.launchpad.net/ubuntu/+source/network-manager-strongswan/+bug/872824.

* A route is installed for shunt policies (passthrough/drop). This fixes some combinations

  of shunt policies and virtual IP addresses as locally generated traffic wouldn't match

  the shunt policy anymore due to the route installed with the VIP. Also, the [[UnityPlugin|unity plugin]]

  includes the local address in split-exclude shunt policies.

* Added an option (charon.plugins.ha.autobalance) to balance a [[Highavailability|HA cluster]] automatically.

* Most parts of the _android_ plugin (the backend for the [[AndroidFrontend|Android VPN applet patch]]) have

  been removed and the remaining DNS handler has been moved to the new _android-dns_ plugin.

* Several IKEv1 corner cases have been fixed (commit:e2857be8, commit:f836d433, commit:3dc9d427, commit:9d9042d6,

  commit:0235914d, commit:8a0a1ae8, commit:ac48d9e4).

* Alignment issues in the _kernel-netlink_ plugin have been fixed and the Netlink XFRM message

  attribute handling has been refactored.

* The [[duplicheck|duplicheck plugin]] tracks multiple IKE_SAs when checking state to avoid any

  race conditions (commit:9c84bbcb).

* The _--disable-defaults_ [[AutoConf|configure]] option allows to disable all features

  that are enabled by default.

* The _charon.plugins.stroke.timeout_ [[strongswan.conf]] option allows to define a timeout in ms

  for any stroke command.

* _[[IpsecCommand|ipsec]] statusall_ reports the number of processed IPsec packets.

* Reloading secrets from [[ipsec.secrets]] with _ipsec rereadsecrets_ is now done atomically.

* Supplementary groups are initialized using _initgroups(3)_ when running as unprivileged user.

* Fixed handling of IPv6 SQL address pools if multiple pools are assigned to _rightsourceip_.

* Fixed _stroke loglevel any_ (commit:96a2d207).