strongSwan

h1. Version 5.2.1

*  The new [[charon-systemd]] IKE daemon implements an IKE daemon tailored

   for use with systemd. It avoids the dependency on [[ipsecstarter|ipsec starter]] and

   uses [[swanctl]] as configuration backend, building a simple and

   lightweight solution. Native systemd journal logging is supported.

*  Support for the new IKEv2 Fragmentation mechanism as defined by

   "RFC 7383":http://tools.ietf.org/html/rfc7383 has been added, which avoids IP fragmentation of

   IKEv2 UDP datagrams exceeding the network's MTU size. This feature is

   activated by setting _fragmentation=yes_ in [[ipsec.conf]] and optionally

   setting the maximum IP packet size with the _charon.fragment_size_

   parameter in [[strongswan.conf]].

* Support of the TCG TNC IF-M Attribute Segmentation specification proposal,

  which allows to transfer potentially huge attributes amounting to several

  megabytes of measurement data like the TCG/SWID Tag [ID] Inventory

  or IETF/Installed Packages attributes via the PA-TNC, PB-TNC and

  either PT-EAP or PT-TLS NEA protocol stack.  By default segmented attributes

  are just reconstructed on the receiving side from the individual segments

  with the exeception of the three attribute types mentioned above which can

  be parsed and processed incrementally as the segments arrive one-by-one.

  A commented example can be found under [[PT-EAP-SWID]].

* For the [[vici]] plugin a ruby gem has been added to allow ruby applications

  to control or monitor the IKE daemon. The vici documentation has been

  updated to include a description of the available operations and some simple

  examples using both the libvici C interface and the ruby gem (see "README.md":http://www.strongswan.org/apidoc/md_src_libcharon_plugins_vici_README.html).

* The new [[ext-auth]] plugin calls an external script to implement custom IKE_SA

  authorization logic, courtesy of Vyronas Tsingaras.

* Paths to the [[ipsec.conf]] and [[ipsec.conf]] configuration files may be configured

  via [[strongswan.conf]].  The path to [[strongswan.conf]] may be passed via the

  @STRONGSWAN_CONF@ environment variable.  Patches courtesy of Shea Levy.

* Support for IKEv1 fragmentation has been extended to Windows XP/7 clients,

  courtesy of Volker Rümelin.

* A static interval for interim RADIUS accounting updates can be configured for

  the [[eapradius|eap-radius plugin]]. It's overridden by any interval the RADIUS server returns

  in the Access-Accept message, but it can be useful if RADIUS is only used for accounting.

* Fixed re-authentication when using IKEv1 Mode Config in push mode (commit:cb98380fe9e4).

* Handle Quick Mode DELETES during a Quick Mode rekeying (commit:cd9bba508bba).

* Fixed some [[UnityPlugin|Cisco Unity]] corner cases (rekeying and situations where no split-include attributes

  are received), one fix didn't made it into this release though (#737).

* Fixed some IKEv1 interoperability issues (e.g. with proposal numbering and IPComp), see #661.

* Fixed a crash during reauthentication with multiple authentication rounds caused by the

  incorrect use of @array_remove_at()@ in @auth_cfg_t@ (commit:8ca9a67fac59).

  Also added a comment regarding the used of that function (see commit:c641974de001).

* The _kernel-pfkey_ plugin now reports packet counts (commit:25fcbab6789c).

* If available the _kernel-pfroute_ plugin uses RTM_IFANNOUNCE/IFAN_DEPARTURE events to 

  delete cached interfaces (see commit:f80093e2ee65).

* The _kernel-netlink_ plugin can set MTU and MSS on installed routes via settings in

  [[strongswan.conf]] (these are global and affect all SAs).

* The _kernel-netlink_ plugin optionally installs protocol and ports on transport mode

  SAs (commit:90e6675a657c) to enforce policies for inbound traffic. Enabling this prevents the use

  of a single IPsec SA by more than one traffic selectors though.

* IPv6 transport via [[kernel-libipsec|libipsec]] has been fixed (commit:15dee933de7d).

* _TESTS_SUITES_EXCLUDE_ option added to [[DeveloperDocumentation|unit test runner]].

* Added the source:testing/scripts/build-strongswan script to (relatively) quickly (re-)build

  strongSwan in the [[testingenvironment|testing environment]].

* Don't wait for charon if @ipsec start --attach-gdb@ is used (commit:f51c923f69f9, commit:508f90131a32).