
Version 1 (Tobias Brunner, 27.03.2014 09:32) → Version 2/3 (Tobias Brunner, 08.07.2014 10:01)

h1. Version 5.2.0

* strongSwan has been ported to the [[Windows]] platform. Using a MinGW toolchain,
many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 and
newer releases.

[[charon-svc]] implements a Windows IKE service based on libcharon, the [[kernel-iph]]
and [[kernel-wfp]] plugins act as networking and IPsec backend on the Windows platform.
[[socket-win]] provides a native IKE socket implementation, while [[winhttp]] fetches
CRL and OCSP information using the WinHTTP API.

* The new [[vici]] plugin provides a Versatile IKE Configuration Interface for
charon. Using the stable IPC interface, external applications can configure,
control and monitor the IKE daemon. Instead of scripting the ipsec tool
and generating [[ipsec.conf]], third party applications can use the new interface
for more control and better reliability.

* Built upon the libvici client library, [[swanctl]] implements the first user of
the VICI interface. Together with a [[swanctl.conf]] configuration file,
connections can be defined, loaded and managed. swanctl provides a portable,
complete IKE configuration and control interface for the command line.
Examples: http://www.strongswan.org/uml/testresults/swanctl/

* The SWID IMV implements a JSON-based REST API which allows the exchange
of SWID tags and Software IDs with the [[strongTNC]] policy manager.

* The SWID IMC can extract all installed packages from the @dpkg@ (Debian,
Ubuntu, etc.), @rpm@ (Fedora, RedHat, etc.), or @pacman@ (Arch Linux, Manjaro, etc.)
package manager using the "swidGenerator":https://github.com/strongswan/swidGenerator, which generates
SWID tags according to the new ISO/IEC 19770-2:2014 standard.

* All IMVs now share the access requestor ID, device ID and product info
of an access requestor via a common imv_session object.

* The Attestation IMC/IMV pair supports the IMA-NG measurement format
introduced with the Linux 3.13 kernel.

* The aikgen tool generates an Attestation Identity Key bound to a TPM.

* Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
Connect.

* The [[ConnSection|ipsec.conf]] _replay_window_ option defines connection specific IPsec replay
windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from 6Wind.

* The custom parser for [[strongswan.conf]] has been replaced with one based on flex/bison.
It adds support for quoted strings (with escape sequences), unlimited includes, more
relaxed newline handling, better syntax error reporting, and a distinction between
empty and unset values (_key=""_ vs. _key=_).

* The parser for [[ipsec.conf]] in starter has been rewritten. It allows overriding options
in all included sections (_also=_) not only in _%default_, options defined in included sections
can also be cleared again. Other improvements, like quoted strings, unlimited includes,
and better whitespace/comment handling have been implemented as well.

* Support for late IKEv1 connection switching based on the XAuth username has been added.

* Added support to parse SSH public keys from files configured in _left|rightsigkey_.

* RDNs in Distinguished Names parsed from strings must now either be separated by a comma
or a slash, not both. If the DN starts with a slash (or whitespace and a slash), slashes
will be assumed as separator, commas otherwise.
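The separator rule above, as an added Python illustration (not strongSwan's own DN parser): the separator is chosen from the first non-blank character, and the other character is then treated as ordinary value content, which is this example's reading of "not both".

```python
"""Illustration of the strongSwan 5.2.0 DN separator rule.

This is example code, not strongSwan's implementation. The rule as
described: a DN string uses either '/' or ',' to separate RDNs, never
both. If the string starts with a slash (optionally after whitespace),
slashes separate the RDNs; otherwise commas do. With comma separation a
slash inside a value is taken as plain content (an assumption made here).
"""


def rdn_separator(dn: str) -> str:
    """Return '/' if the DN starts with a slash after optional whitespace, else ','."""
    return "/" if dn.lstrip().startswith("/") else ","


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs using the detected separator.

    Raises ValueError for an RDN without an attribute type or '='.
    """
    sep = rdn_separator(dn)
    body = dn.strip()
    if sep == "/":
        body = body[1:]  # drop the leading slash that selected the separator
    rdns = []
    for part in body.split(sep):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing separator or doubled whitespace
        attr, eq, value = part.partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


if __name__ == "__main__":
    # Constructed sample DNs in both accepted forms.
    for sample in ("/C=CH/O=strongSwan/CN=moon", "C=CH, O=strongSwan, CN=moon"):
        print(sample, "->", split_rdns(sample))
```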

* The algorithm order in the default IKE proposal is again like it was before version:5.1.1 (commit:a4844dbc8f15).

* Scalability of half-open IKE_SA and log level checks have been improved (commit:502eeb7f76d2).

* Added a workaround for Sonicwall boxes that send ID/HASH payloads unencrypted during
IKEv1 Main Mode (commit:c4c9d291d2aa).

* Support for IPComp was added to the _kernel-pfkey_ plugin (FreeBSD, Mac OS X, Linux),
patch courtesy of Francois ten Krooden (commit:6afa7761a540).

* Passthrough policies are installed with strictly higher priorities than IPsec policies, which
was not always the case previously, depending on the traffic selectors.

* The _kernel-netlink_ plugin now follows RFC 6724 when selecting IPv6 source addresses (#543).

* stroke and starter now use the _<daemon>.plugins.stroke.socket_ option to determine the socket
to communicate with the daemon. A @--daemon@ option has been added to stroke.

* The _--disable-tools_ [[Autoconf|./configure]] option has been replaced with the _--disable-pki_ and _--disable-scepclient_ options.

* A @handle_vips()@ hook has been added similar to @assign_vips()@, but for clients
handling virtual IPs and other configuration attributes (commit:31f26960761c).