strongSwan

h1. Version 5.5.0

* The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.

  This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.

* The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases

  and support for @TEMPORARY_FAILURE@ and @CHILD_SA_NOT_FOUND@ notifies, as defined by RFC 7296,

  has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.

* IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound

  policies may be restricted to a network interface.  These options are only configurable via [[swanctl.conf]].

  An example is provided in the {{tc(swanctl/manual-prio)}} scenario.

* The scheme for the automatically calculated default priorities has been changed and now also

  considers port masks, which were added with version:5.4.0 (for details see commit:d3af3b799f).

* FWD policies are now installed in both directions in regards to the traffic selectors (commit:9c12635252).

  Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for

  example, in the {{tc(swanctl/net2net-gw)}} or the {{tc(ikev2/ip-two-pools-db)}} scenarios) they are installed

  with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the

  two and prefer those with a reqid.

* How the interface for routes installed with policies is determined has changed (commit:96b1fab53c).  In most

  cases the interface over which the other peer is reached is now used, not the interface on which the local

  address (or the source IP) is installed.  However, that might be the same interface depending on the

  configuration (i.e. in practice there will often not be a change).

* No routes are installed anymore for drop policies and policies with port/protocol selector (commit:e7369a9dc5).

* For outbound IPsec SAs no replay window is configured anymore.

* When using unique marks (_mark=%unique_) the allocated mark is now correctly passed to the

  [[updown]] script (commit:b210369314).

* Enhanced the functionality of the [[swanctl|swanctl --list-conns]] command by listing IKE_SA and CHILD_SA

  [[ExpiryRekey|reauthentication and rekeying settings]] and EAP/XAuth identities and EAP types.

* Fixed an interoperability issue with Windows Server 2012 R2 gateways after modifying the default IKE

  proposal with version:5.4.0 (commit:fae18fd201, also explained in the [[AndroidVPNClient#161-2016-05-04|changelog of the Android app]]).

* DNS servers installed by the [[ResolvePlugin|resolve plugin]] are now refcounted, which should fix its use with

  make-before-break reauthentication. Any output written to stderr/stdout by _resolvconf_ is now logged.

* Negotiation of ESN(Extended Sequence Numbers) with IKEv1 is supported (commit:40bb4677f7).

* The default [[PluginLoad|plugin load list]] may now be modified by specifying the individual _load_ setting of a plugin.

* Fixed how mappings are stored in the _eap-simaka-pseudonym_ plugin (commit:5005325020).

* Support for BoringSSL and OpenSSL 1.1.0 has been added.

* Notes for developers:

  * The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.

  * Similarly the constructors for @peer_cfg_t@ and @child_cfg_t@ now take structs.

  * We now use the standard unsigned integer types (e.g. @uint64_t@ instead of @u_int64_t@).

  * The [[TestingEnvironment|testing environment]] now uses images based on Debian jessie (stable).