strongSwan

h1. Version 5.5.0

* The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.

  This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.

* The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases

  and support for @TEMPORARY_FAILURE@ and @CHILD_SA_NOT_FOUND@ notifies, as defined by RFC 7296,

  has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.

* IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound

  policies may be restricted to a network interface.  These options are only configurable via [[swanctl.conf]].

  An example is provided in the {{tc(swanctl/manual-prio)}} scenario.

* The scheme for the automatically calculated default priorities has been changed and now also

  considers port masks, which were added with version:5.4.0 (for details see commit:d3af3b799f).

* FWD policies are now installed in both directions in regards to the traffic selectors (commit:9c12635252).

  Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for

  example, in the {{tc(swanctl/net2net-gw)}} or the {{tc(ikev2/ip-two-pools-db)}} scenarios) they are installed

  with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the

  two and prefer those with a reqid.

* For outbound IPsec SAs no replay window is configured anymore.

* When using unique marks (_mark=%unique_) the allocated mark is now correctly passed to the

  [[updown]] script (commit:b210369314).

* Enhanced the functionality of the [[swanctl|swanctl --list-conns]] command by listing IKE_SA and CHILD_SA

  [[ExpiryRekey|reauthentication and rekeying settings]] and EAP/XAuth identities and EAP types.

* Fixed an interoperability issue with Windows Server 2012 R2 gateways after modifying the default IKE

  proposal with version:5.4.0 (commit:fae18fd201, also explained in the [[AndroidVPNClient#161-2016-05-04|changelog of the Android app]]).

* DNS servers installed by the [[ResolvePlugin|resolve plugin]] are now refcounted, which should fix its use with

  make-before-break reauthentication. Any output written to stderr/stdout by _resolvconf_ is now logged.

* Negotiation of ESN(Extended Sequence Numbers) with IKEv1 is supported (commit:40bb4677f7).

* The default [[PluginLoad|plugin load list]] may now be modified by specifying the individual _load_ setting of a plugin.

* Fixed how mappings are stored in the _eap-simaka-pseudonym_ plugin (commit:5005325020).

* Support for BoringSSL and OpenSSL 1.1.0 has been added.

* Notes for developers:

  * The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.

  * Similarly the constructors for @peer_cfg_t@ and @child_cfg_t@ now take structs.

  * We now use the standard unsigned integer types (e.g. @uint64_t@ instead of @u_int64_t@).

  * The [[TestingEnvironment|testing environment]] now uses images based on Debian jessie (stable).