strongSwan

h1. Version 5.2.0

* strongSwan has been ported to the [[Windows]] platform. Using a MinGW toolchain,

  many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 and

  newer releases.

  [[charon-svc]] implements a Windows IKE service based on libcharon, the [[kernel-iph]]

  and [[kernel-wfp]] plugins act as networking and IPsec backend on the Windows platform.

  [[socket-win]] provides a native IKE socket implementation, while [[winhttp]] fetches

  CRL and OCSP information using the WinHTTP API.

* The new [[vici]] plugin provides a Versatile IKE Configuration Interface for

  charon. Using the stable IPC interface, external applications can configure,

  control and monitor the IKE daemon. Instead of scripting the ipsec tool

  and generating [[ipsec.conf]], third party applications can use the new interface

  for more control and better reliability.

* Built upon the libvici client library, [[swanctl]] implements the first user of

  the VICI interface. Together with a [[swanctl.conf]] configuration file,

  connections can be defined, loaded and managed. swanctl provides a portable,

  complete IKE configuration and control interface for the command line.

  Examples: http://www.strongswan.org/uml/testresults/swanctl/

* The SWID IMV implements a JSON-based REST API which allows the exchange

  of SWID tags and Software IDs with the [[strongTNC]] policy manager.

* The SWID IMC can extract all installed packages from the @dpkg@ (Debian,

  Ubuntu, etc.), @rpm@ (Fedora, RedHat, etc.), or @pacman@ (Arch Linux, Manjaro, etc.)

  package managers, respectively, using the "swidGenerator":https://github.com/strongswan/swidGenerator which generates

  SWID tags according to the new ISO/IEC 19770-2:2014 standard.

* All IMVs now share the access requestor ID, device ID and product info

  of an access requestor via a common imv_session object.

* The Attestation IMC/IMV pair supports the IMA-NG measurement format

  introduced with the Linux 3.13 kernel.

* The aikgen tool generates an Attestation Identity Key bound to a TPM.

* Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network

  Connect.

* The [[ConnSection|ipsec.conf]] _replay_window_ option defines connection specific IPsec replay

  windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from 6Wind.

* The custom parser for [[strongswan.conf]] has been replaced with one based on flex/bison.

  It adds support for quoted strings (with escape sequences), unlimited includes, more

  relaxed newline handling, better syntax error reporting, and a distinction between

  empty and unset values (_key=""_ vs. _key=_).

* The parser for [[ipsec.conf]] in starter has been rewritten. It allows overriding options

  in all included sections (_also=_) not only in _%default_, options defined in included sections

  can also be cleared again. Other improvements, like quoted strings, unlimited includes,

  and better whitespace/comment handling have been implemented as well.

* Support for late IKEv1 connection switching based on the XAuth username has been added.

* Added support to parse SSH public keys from files configured in _left|rightsigkey_.

* RDNs in Distinguished Names parsed from strings must now either be separated by a comma

  or a slash, not both. If the DN starts with a slash (or whitespace and a slash) slashes

  will be assumed as separator, commas otherwise.

* The algorithm order in the default IKE proposal is again like it was before version:5.1.1 (commit:a4844dbc8f15).

* Scalability of half-open IKE_SA and log level checks have been improved (commit:502eeb7f76d2).

* Added a workaround for Sonicwall boxes that send ID/HASH payloads unencrypted during

  IKEv1 Main Mode (commit:c4c9d291d2aa).

* If private algorithm identifiers are used, rekeying is fixed by migrating extensions/conditions

  to the new IKE_SA during rekeying (commit:094963d1b160).

* Support for IPComp was added to the _kernel-pfkey_ plugin (FreeBSD, Mac OS X, Linux),

  patch courtesy of Francois ten Krooden (commit:6afa7761a540).

* Passthrough policies are installed with strictly higher priorities than IPsec policies, which

  was not always the case previously, depending on the traffic selectors.

* The _kernel-netlink_ plugin now follows RFC 6724 when selecting IPv6 source addresses (#543).

* stroke and starter now use the _<daemon>.plugins.stroke.socket_ option to determine the socket

  to communicate with the daemon. A @--daemon@ option has been added to stroke.

* The _--disable-tools_ [[Autoconf|./configure]] option has been replaced with the _--disable-pki_ and

  _--disable-scepclient_ options.

* A @handle_vips()@ hook has been added similar to @assign_vips()@, but for clients

  handling virtual IPs and other configuration attributes (commit:31f26960761c).