strongSwan

h1. Version 5.7.0

* Dots are not allowed anymore in section names in [[swanctl.conf]] and [[strongswan.conf]].

  This mainly affects the [[LoggerConfiguration|configuration of file loggers]]. If the  path for such a log file contains dots

  it now has to be configured in the new _path_ setting within the arbitrarily renamed subsection in the

  _filelog_ section.

* Sections in [[swanctl.conf]] and [[strongswan.conf]] may now reference other sections. All settings and

  subsections from such a section are inherited. This allows to simplify configs as redundant information

  has only to be specified once and may then be included in other sections (see [[strongswan.conf]] for

  an example).

* The originally selected IKE config (based on the IPs and IKE version) can now change if no matching

  algorithm proposal is found.  This way the order of the configs doesn't matter that much anymore and

  it's easily possible to specify separate configs for clients that require weak algorithms (instead

  of having to also add them in other configs that might be selected).

* Support for Postquantum Preshared Keys for IKEv2 ("draft-ietf-ipsecme-qr-ikev2":https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2) has been added.

* The new _botan_ plugin is a wrapper around the "Botan C++ crypto library":https://botan.randombit.net.

  It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release).

  Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch.

* Implementation of "RFC 8412":https://tools.ietf.org/html/rfc8412 "Software Inventory Message and Attributes (SWIMA)

  for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on @apt@ history.log file

  resulting in a ClientRetry PB-TNC batch to initialize a new measurement cycle.

* Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA

  protocols on Google's OSS-Fuzz infrastructure.

* Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of

  the in-kernel /dev/tpmrm0 resource manager is automatically detected.

* The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using

  the syntax @--san xmppaddr:<jid>@.

* [[swanctl.conf]] supports the configuration of marks the in- and/or outbound SA should apply to packets after

  processing on Linux.  Configuring such a mark for outbound SAs requires at least a 4.14 kernel.  The ability

  to set a mask and configuring a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel.

* New options in [[swanctl.conf]] allow configuring how/whether DF, ECN and DS fields in the IP headers are

  copied during IPsec processing. Controlling this is currently only possible on Linux.

* To avoid conflicts, the [[dhcpplugin|dhcp plugin]] now only uses the DHCP server port if explicitly configured.