strongSwan

h1. Version 5.1.2

* A new default configuration file layout is introduced (with full backward compatibility).

  The new default [[strongswan.conf]] file mainly includes config snippets from the

  [[strongswanDirectory|strongswan.d]] and [[strongswanDirectory#strongswan.d/charon|strongswan.d/charon]] directories (the latter containing snippets

  for all plugins).  The snippets, with commented defaults, are automatically generated

  and installed, if they don't exist yet.  They are also installed in

  @$prefix/share/strongswan/templates@ so existing files can be compared to

  the current defaults.

* As an alternative to the non-extensible _charon.load_ setting, the [[PluginLoad|plugins

  to load]] in charon (and optionally other applications) can now be determined

  via the _charon.plugins.<name>.load_ setting for each plugin (enabled in the

  new default [[strongswan.conf]] file via the _charon.load_modular_ option).

  The load setting optionally takes a numeric priority value that allows

  reordering the plugins (otherwise the default plugin order is preserved).

* All [[strongswan.conf]] settings that were formerly defined in library specific

  "global" sections are now application specific (e.g. settings for plugins in

  _libstrongswan.plugins_ can now be set only for charon in _charon.plugins_).

  The old options are still supported, which now allows to define defaults for

  all applications in the _libstrongswan_ section.

* The [[ntru]] libstrongswan plugin supports NTRUEncrypt as a post-quantum

  computer IKE key exchange mechanism. The implementation is based on the

  "ntru-crypto":https://github.com/NTRUOpenSourceProject/ntru-crypto library from the NTRUOpenSourceProject. The supported security

  strengths are _ntru112_, _ntru128_, _ntru192_, and _ntru256_. Since the private DH

  group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be

  sent (_charon.send_vendor_id = yes_) in order to use NTRU.

* Defined a TPMRA remote attestation workitem and added support for it to the

  Attestation IMV.

* Compatibility issues between IPComp (_compress=yes_) and _leftfirewall=yes_ as

  well as multiple subnets in _left|rightsubnet_ have been fixed.

* When enabling its _session_ [[strongswan.conf]] option, the [[XAuthPam|xauth-pam plugin]] opens

  and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.

* The strongSwan unit testing framework has been rewritten without the "check":http://check.sourceforge.net

  dependency for improved flexibility and portability. It now properly supports

  multi-threaded and memory leak testing and brings a bunch of new test cases.

* The [[NetworkManager]] frontend gained support for PSK authentication.

* The _interface_ option of the [[dhcpplugin|dhcp plugin]] allows binding to a specific interface (commit:3711f66e54).

* If _charon.plugins.stroke.prevent_loglevel_changes_ is enabled, the _stroke_ plugin prevents

  log level changes via [[IpsecStroke|ipsec stroke]].

* The inactivity counter is reset with every rekeying, which means that the inactivity timeout

  must be smaller than the rekeying interval to have any effect (commit:d048a319df).

* SQL schemas and example data (IMV) are now distributed and installed in @$prefix/share/strongswan@.

* A method to register custom proposal keyword parsers has been added (commit:568e302260).

* A deadlock was fixed when installing trap policies (commit:bb492d80b5).