Version 5.3.0 » History » Version 2

Tobias Brunner, 30.03.2015 14:05

h1. Version 5.3.0

* Added support for IKEv2 make-before-break reauthentication. By using a global CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs. This allows the use of make-before-break instead of the previously supported break-before-make reauthentication, avoiding connectivity gaps during that procedure. As the new mechanism may fail with peers not supporting it (such as any previous strongSwan release), it must be explicitly enabled using the _charon.make_before_break_ [[strongswan.conf]] option.

* Support for _Signature Authentication in IKEv2_ ("RFC 7427":http://tools.ietf.org/html/rfc7427) has been added. This allows the use of stronger hash algorithms for public key authentication. By default, signature schemes are chosen based on the strength of the signature key, but specific hash algorithms may be configured in _leftauth_.

* Key types and hash algorithms specified in _rightauth_ are now also checked against IKEv2 signature schemes. If such constraints are used for certificate chain validation in existing configurations, in particular with peers that don't support RFC 7427, it may be necessary to disable this feature with the _charon.signature_authentication_constraints_ setting, because the signature scheme used in classic IKEv2 public key authentication may not be strong enough.

* The new [[connmark|connmark plugin]] allows a host to bind conntrack flows to a specific CHILD_SA by applying and restoring the SA mark to conntrack entries. This allows a peer to handle multiple transport mode connections coming over the same NAT device for client-initiated flows (a common use case is to protect L2TP/IPsec). See {{tc(ikev2/host2host-transport-connmark)}} for an example.

* The [[forecast|forecast plugin]] can forward broadcast and multicast messages between connected clients and a LAN. For CHILD_SAs using unique marks, it sets up the required Netfilter rules and uses a multicast/broadcast listener that forwards such messages to all connected clients. This plugin is designed for Windows 7 IKEv2 clients, which announce their services over the tunnel if the negotiated IPsec policy allows it. See {{tc(ikev2/forecast)}} for an example.

* For the [[vici|vici plugin]] a Python Egg has been added to allow Python applications to control or monitor the IKE daemon using the VICI interface, similar to the existing Ruby gem. The Python library has been contributed by Björn Schuberg.

* EAP server methods can now fulfill public key constraints, such as _rightcert_ or _rightca_. Additionally, public key and signature constraints can be specified for EAP methods in the _rightauth_ keyword. Currently the EAP-TLS and EAP-TTLS methods provide verification details to constraints checking.

* Upgrade of the [[bliss|BLISS post-quantum signature algorithm]] to the improved BLISS-B variant. It can be used in conjunction with the SHA256, SHA384 and SHA512 hash algorithms, with SHA512 being the default.

* The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor as seen by the TNC server available to all IMVs. This information can be forwarded to policy enforcement points (e.g. firewalls or routers).

* The new _mutual_ tnccs-20 plugin parameter activates mutual TNC measurements in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or PT-TLS transport medium.

* SPIs in IKEv1 DELETE payloads are now compared to those of the current IKE SA. This is required for interoperability with OpenBSD's _isakmpd_, which always uses the latest IKE SA to delete other expired SAs.

* The _files_ plugin provides a simple fetcher for @file://@ URIs (commit:1735d80f38).

* Fixed CRL verification for PKIs that don't use SHA-1 hashes of the public key as subjectKeyIdentifier or authorityKeyIdentifier (commit:6133770db4).

* Route priorities are now considered when doing manual route lookups (commit:6b57790270).

* Policies are now removed from the kernel before IPsec SAs, to avoid acquires for untrapped policies (commit:46188b0eb0).
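To show what the VICI interface the Python egg wraps actually looks like on the wire, here is an added example that is not the strongSwan project's own library code: it encodes and decodes VICI messages using the element types and length-prefix conventions documented in the vici plugin README, and rejects truncated or unbalanced input as a monitoring client reading from the socket should. The sample message in the test is constructed for illustration.

```python
import struct

# Element types from the vici plugin README; names carry a 1-byte length, values a 2-byte one.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)

def _lp(s, fmt):  # length-prefixed string: fmt "B" for names, "!H" for values
    b = str(s).encode()
    return struct.pack(fmt, len(b)) + b

def encode_message(obj):
    """Serialize a nested dict (str -> str | list of str | dict) into VICI elements."""
    out = bytearray()
    for key, value in obj.items():
        if isinstance(value, dict):
            out += bytes([SECTION_START]) + _lp(key, "B") + encode_message(value) + bytes([SECTION_END])
        elif isinstance(value, list):
            out += bytes([LIST_START]) + _lp(key, "B")
            out += b"".join(bytes([LIST_ITEM]) + _lp(i, "!H") for i in value) + bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _lp(key, "B") + _lp(value, "!H")
    return bytes(out)

def decode_message(data):
    """Parse VICI elements into nested dicts; truncated or unbalanced input raises ValueError."""
    cur, stack, pos = {}, [], 0
    def take(n):  # consume n bytes, refusing to read past the end of the message
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated VICI message")
        pos += n
        return data[pos - n:pos]
    while pos < len(data):
        t = take(1)[0]
        if t in (SECTION_START, LIST_START):
            name = take(take(1)[0]).decode()
            stack.append(cur)
            cur[name] = cur = ({} if t == SECTION_START else [])  # attach to parent, then descend
        elif t in (SECTION_END, LIST_END) and stack:
            cur = stack.pop()
        elif t == KEY_VALUE:
            key = take(take(1)[0]).decode()
            cur[key] = take(struct.unpack("!H", take(2))[0]).decode()
        elif t == LIST_ITEM:
            cur.append(take(struct.unpack("!H", take(2))[0]).decode())
        else:  # unknown type, or an end element with no open section/list
            raise ValueError("unexpected VICI element %d at offset %d" % (t, pos - 1))
    if stack:
        raise ValueError("message ends inside a section or list")
    return cur  # back at the root dict once every section/list has been popped
```

On the socket each such message is preceded by a 4-byte big-endian length and a packet-type byte (plus the command name for requests), which is the framing the Python and Ruby libraries take care of.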