A new default configuration file layout is introduced (with full backward compatibility). The new default strongswan.conf file mainly includes config snippets from the strongswan.d and strongswan.d/charon directories (the latter containing snippets for all plugins). The snippets, with commented defaults, are automatically generated and installed, if they don't exist yet. They are also installed in $prefix/share/strongswan/templates so existing files can be compared to the current defaults.
As an alternative to the non-extensible charon.load setting, the plugins to load in charon (and optionally other applications) can now be determined via the charon.plugins.<name>.load setting for each plugin (enabled in the new default strongswan.conf file via the charon.load_modular option). The load setting optionally takes a numeric priority value that allows reordering the plugins (otherwise the default plugin order is preserved).
All strongswan.conf settings that were formerly defined in library specific "global" sections are now application specific (e.g. settings for plugins that used to live in libstrongswan.plugins can now be set for charon alone in charon.plugins). The old options are still supported and now act as defaults: a value in the libstrongswan section applies to all applications unless an application specific section overrides it.
The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum IKE key exchange mechanism. The implementation is based on the ntru-crypto library from the NTRUOpenSourceProject. The supported security strengths are ntru112, ntru128, ntru192, and ntru256. Because the NTRU groups use DH group IDs 1030..1033 from the private-use range, the strongSwan Vendor ID must be sent (charon.send_vendor_id = yes) in order to use NTRU.
A TPMRA remote attestation work item has been defined and support for it added to the Attestation IMV.
Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as well as multiple subnets in left|rightsubnet have been fixed.
If its session option is enabled in strongswan.conf (charon.plugins.xauth-pam.session = yes), the xauth-pam plugin opens and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
The strongSwan unit testing framework has been rewritten without depending on the check library, for improved flexibility and portability. It now properly supports multi-threaded and memory leak testing and brings a bunch of new test cases.
The NetworkManager frontend gained support for PSK authentication.
The interface option of the dhcp plugin allows binding to a specific interface (3711f66e54).
If charon.plugins.stroke.prevent_loglevel_changes is enabled, the stroke plugin prevents log level changes via ipsec stroke.
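The following strongswan.conf is an added example, not the file strongSwan installs, that ties the new options above together: the modular layout with its includes, load_modular with a per-plugin load setting (including a numeric priority), a library-wide default in the libstrongswan section overridden for charon, send_vendor_id for NTRU, and the new dhcp, xauth-pam and stroke plugin options. The interface name eth1, the choice of which plugins to enable, and the priority value 10 are assumptions for illustration; the snippet shown at the end stands in for the generated strongswan.d/charon/<plugin>.conf file.

```conf
# /etc/strongswan.conf (added example, not the shipped default; values are
# illustrative and the plugin selection is an assumption)

charon {
    # Use charon.plugins.<name>.load instead of the fixed charon.load list
    load_modular = yes

    # Announce the strongSwan Vendor ID so a peer can interpret the
    # private-use DH group IDs 1030..1033 used by the ntru plugin
    send_vendor_id = yes

    plugins {
        # One generated snippet per plugin, each with commented defaults
        include strongswan.d/charon/*.conf

        # Settings given after the include override the snippet values.
        # charon.plugins.ntru.load beats the libstrongswan default below.
        ntru {
            load = yes
        }
        stroke {
            load = yes
            # Refuse log level changes requested via "ipsec stroke"
            prevent_loglevel_changes = yes
        }
        dhcp {
            load = yes
            # Assumed interface name: bind the DHCP socket to this interface
            interface = eth1
        }
        xauth-pam {
            load = yes
            # Open and close a PAM session per established IKE_SA
            session = yes
        }
    }
}

# Library-wide defaults: apply to every application (charon, pki, ...)
# unless an application specific section such as charon.plugins overrides
libstrongswan {
    plugins {
        # Assumed policy: ntru is off everywhere except in charon (see above)
        ntru {
            load = no
        }
    }
}

# Snippets for the other applications and for logging
include strongswan.d/*.conf

# strongswan.d/charon/openssl.conf, as a generated snippet would look after
# editing it: an integer instead of "yes" raises the plugin's priority, so
# it is loaded before plugins that keep the default order
#
# openssl {
#     load = 10
# }
```

Compare an edited snippet against the installed template with a plain diff of /etc/strongswan.d/charon/<plugin>.conf and $prefix/share/strongswan/templates/config/strongswan.d/charon/<plugin>.conf after an upgrade; the templates are refreshed on install while files in /etc are left alone, so that is the place to see which defaults have changed.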
The inactivity counter is reset with every rekeying, which means that the inactivity timeout must be smaller than the rekeying interval to have any effect (d048a319df).
SQL schemas and example data (IMV) are now distributed and installed in $prefix/share/strongswan.
A method to register custom proposal keyword parsers has been added (568e302260).
A deadlock was fixed when installing trap policies (bb492d80b5).