Tobias Brunner, 01.07.2016 17:33
Added news for 5.5.0
Version 5.5.0
- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.
- The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies, as defined by RFC 7296,
has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.
- IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
policies may be restricted to a network interface. These options are only configurable via swanctl.conf.
An example is provided in the swanctl/manual-prio scenario.
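The following swanctl.conf fragment is an added illustration of the two options described above; it is not the project's manual-prio scenario. The keys `priority`, `interface`, `mode` and `start_action` are swanctl.conf child options; the connection names, addresses and subnets are constructed for the example.

```conf
# Constructed swanctl.conf example (not the strongSwan manual-prio scenario).
# Policy priorities follow the kernel's XFRM convention: a LOWER value is
# matched FIRST. A value of 0 (the default) lets strongSwan calculate the
# priority from the traffic selectors instead.
connections {
    net-net {
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        local  { auth = psk, id = moon }
        remote { auth = psk, id = sun }
        children {
            # Tunnel for one remote subnet. A fixed priority of 1 makes it win
            # over the broader drop policy below; 'interface' restricts the
            # OUTBOUND policies of this child to eth0 (inbound/forward policies
            # are not restricted). Installed at load time via trap.
            net {
                local_ts     = 10.1.0.0/16
                remote_ts    = 10.2.0.0/16
                priority     = 1
                interface    = eth0
                start_action = trap
            }
            # High-priority drop policy for the whole private range: anything
            # to 10.0.0.0/8 that is not covered by the more specific tunnel
            # above is dropped instead of leaving in clear text. With automatic
            # priorities a broad selector would rank below almost everything;
            # the manual value 2 pins it just behind the tunnel policy.
            drop-private {
                local_ts     = 10.1.0.0/16
                remote_ts    = 10.0.0.0/8
                mode         = drop
                priority     = 2
                start_action = trap
            }
        }
    }
}
```

After `swanctl --load-all`, `ip xfrm policy` shows each installed policy with the `priority` value that was applied, which is the quickest way to confirm that the drop policy really sits below the tunnel and above any auto-calculated policies. Because manual priorities bypass the automatic scheme entirely, every policy that must interact with a manually prioritised one (for example the tunnel that should beat the drop) needs an explicit value as well; otherwise an auto-calculated policy may land on either side of it.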
- The scheme for the automatically calculated default priorities has been changed and now also
considers port masks, which were added with 5.4.0 (for details see commit:d3af3b799f).
- FWD policies are now installed in both directions in regards to the traffic selectors (commit:9c12635252).
Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios) they are installed
with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
two and prefer those with a reqid.
- For outbound IPsec SAs no replay window is configured anymore.
- When using unique marks (mark=%unique) the allocated mark is now correctly passed to the
updown script (commit:b210369314).
- Enhanced the functionality of the swanctl --list-conns command by listing IKE_SA and CHILD_SA
reauthentication and rekeying settings and EAP/XAuth identities and EAP types.
- Fixed an interoperability issue with Windows Server 2012 R2 gateways after modifying the default IKE
proposal with 5.4.0 (commit:fae18fd201, also explained in the changelog of the Android app).
- DNS servers installed by the resolve plugin are now refcounted, which should fix its use with
make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.
- Negotiation of ESN with IKEv1 is supported (commit:40bb4677f7).
- The default plugin load list may now be modified by specifying the individual load setting of a plugin.
- Fixed how mappings are stored in the eap-simaka-pseudonym plugin (commit:5005325020).
- Support for BoringSSL and OpenSSL 1.1.0 has been added.
- Notes for developers:
  - The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
  - Similarly, the constructors for peer_cfg_t and child_cfg_t now take structs.
  - We now use the standard unsigned integer types (e.g. uint64_t instead of u_int64_t).
  - The testing environment now uses images based on Debian jessie (stable).