Version 1 (Tobias Brunner, 14.03.2019 13:51) → Version 2/3 (Tobias Brunner, 26.04.2019 18:42)
h1. Version 5.8.0
* The @systemd@ service units have been renamed. The modern unit, which was called _strongswan-swanctl_,
is now called _strongswan_ (the previous name is configured as an alias in the unit, for which a symlink is
created when the unit is enabled). The legacy unit is now called _strongswan-starter_.
* Support for XFRM interfaces (available since Linux 4.19) has been added, which are intended to
replace VTI devices (they are similar but offer several advantages, for instance, they are not bound
to an address or address family).
IPsec SAs and policies are associated with such interfaces via interface IDs that can be configured in
[[swanctl.conf]] (dynamic IDs may optionally be allocated for each SA and even direction). It's possible to
use separate interfaces for in- and outbound traffic (or only use an interface in one direction and regular
policies in the other).
Interfaces may be created dynamically via [[updown]]/[[vici]] scripts, or statically before or after establishing
the SAs. Routes must be added manually as needed (the daemon will not install any routes for outbound
policies with an interface ID).
When moving XFRM interfaces to other network namespaces they retain access to the SAs and policies
installed in the original namespace, which allows providing IPsec tunnels for processes in other network
namespaces without giving them access to the IPsec keys or IKE credentials.
More information can be found on the page about [[RouteBasedVPN#XFRM-Interfaces-on-Linux|route-based VPNs]].
* Initiation of childless IKE_SAs is supported ("RFC 6023":https://tools.ietf.org/html/rfc6023). If enabled and supported by the responder,
no CHILD_SA is established during IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
exchanges. This allows using a separate DH exchange even for the first CHILD_SA, which is otherwise
created during IKE_AUTH with keys derived from the IKE_SA's key material.
The [[swanctl]] @--initiate@ command may be used to initiate only the IKE_SA via @--ike@ option if @--child@ is
omitted and the peer supports this extension.
* The [[NetworkManager]] backend and plugin support IPv6.
* The new _wolfssl_ plugin is a wrapper around the "wolfSSL":https://github.com/wolfSSL/wolfssl crypto library. Thanks to Sean Parkinson of
wolfSSL Inc. for the initial patch.
* IKE SPIs may optionally be labeled via the _charon.spi_mask|label_ options in [[strongswan.conf]]. This feature
was extracted from _charon-tkm_, however, now applies the mask/label in network order.
* The _openssl_ plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
* The PB-TNC finite state machine according to section 3.2 of "RFC 5793":https://tools.ietf.org/html/rfc5793 was not correctly implemented
when sending either a @CRETRY@ or @SRETRY@ batch. These batches can only be sent in the "Decided" state
and a @CRETRY@ batch can immediately carry all messages usually transported by a @CDATA@ batch. It is
currently not possible to send a @SRETRY@ batch since full-duplex mode for PT-TLS transport is not supported.
* Instead of marking IPv6 virtual IPs as deprecated, the _kernel-netlink_ plugin now uses address labels to
prevent such addresses from being used for non-VPN traffic (commit:00a953d090).
* The _agent_ plugin now creates sockets to the ssh/gpg-agent dynamically and does not keep them open,
which otherwise might prevent the agent from getting terminated.
* To avoid broadcast loops, the [[forecast]] plugin now only reinjects packets that are marked or received from
the configured interface.
* UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses a UTF-16LE
encoding to calculate the NT hash (#3014).
* Properly delete temporary drop policies (used when updating IP addresses of SAs) if manual priorities are
used, which was broken since version:5.6.2 (commit:8e31d65730).
* Avoid overwriting _start_action_ when parsing the inactivity timeout in the _vici_ plugin (#2954).
* Fixed the automatic termination of reloaded _vici_ connections with _start_action=start_, which was broken
since version:5.6.3 (commit:71b22c250f).
* The lookup for shared secrets for IKEv1 SAs via the [[sql]] plugin should now work better (commit:6ec9f68f32).
* Fixed a race condition in the trap manager between installation and removal of a policy (commit:69cbe2ca3f).
* Compilation of the _kernel-netlink_ plugin on old kernels (< 2.6.39) has been fixed; the breakage was caused
by the HW offload changes (commit:c7f579fa17).
* Several IKEv2 protocol details are now handled more strictly: unrequested virtual IPs are ignored,
@CFG_REPLY@ payloads are ignored if no @CFG_REQUEST@ payloads were sent, and a @USE_TRANSPORT_MODE@ notify
received from the responder is checked against the local configuration.
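For the XFRM interface support described above, the following updown-style script is an added example, not part of the original page and not strongSwan's own _updown script: it creates the interface(s) for a CHILD_SA's interface IDs, adds the route charon does not install, and can hand the interface to another network namespace. The swanctl.conf names and the PLUTO_IF_ID_IN/PLUTO_IF_ID_OUT variables are assumptions.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown script: an updown hook that creates the XFRM
# interface(s) for a CHILD_SA from its interface IDs and adds the route for the remote
# traffic selector, which charon does not install for policies with an interface ID.
# Assumed swanctl.conf fragment (connection and child names are made up):
#   connections.home.children.net.if_id_in  = 42
#   connections.home.children.net.if_id_out = 42
#   connections.home.children.net.updown    = /usr/local/libexec/ipsec/xfrmi-updown.sh
# Assumption: the updown plugin exports PLUTO_IF_ID_IN/PLUTO_IF_ID_OUT next to PLUTO_VERB,
# PLUTO_INTERFACE and PLUTO_PEER_CLIENT. DRY_RUN=1 prints the ip commands instead of
# running them. XFRM_NETNS names a namespace the interface is handed to: processes there
# get the tunnel while the SAs, keys and IKE credentials stay in charon's namespace.
ip_cmd() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else ip "$@"; fi; }
ns_opt() { echo "${XFRM_NETNS:+-n $XFRM_NETNS}"; }   # "-n <ns>" once the interface moved
xfrm_ifname() { echo "ipsec$1"; }                     # one interface per ID; in/out may differ

# Unique non-zero IDs, outbound first; 0 means "no interface in that direction".
xfrm_ids() {
    [ "$1" -eq 0 ] || echo "$1"
    [ "$2" -eq 0 ] || [ "$2" -eq "$1" ] || echo "$2"
}

xfrm_up() {   # $1 = interface ID, $2 = underlying device
    ifn=$(xfrm_ifname "$1")
    ip_cmd link add "$ifn" type xfrm dev "$2" if_id "$1"
    [ -z "${XFRM_NETNS:-}" ] || ip_cmd link set "$ifn" netns "$XFRM_NETNS"
    ip_cmd $(ns_opt) link set "$ifn" up
}

xfrm_down() {   # $1 = interface ID
    ip_cmd $(ns_opt) link del "$(xfrm_ifname "$1")"
}

xfrm_updown() {
    ifin=${PLUTO_IF_ID_IN:?}; ifout=${PLUTO_IF_ID_OUT:?}
    case "$PLUTO_VERB" in
    up-client|up-host)
        for id in $(xfrm_ids "$ifout" "$ifin"); do xfrm_up "$id" "$PLUTO_INTERFACE"; done
        # Traffic for the remote TS must be routed into the outbound interface by hand.
        [ "$ifout" -eq 0 ] || ip_cmd $(ns_opt) route add "$PLUTO_PEER_CLIENT" \
            dev "$(xfrm_ifname "$ifout")"
        ;;
    down-client|down-host)
        for id in $(xfrm_ids "$ifout" "$ifin"); do xfrm_down "$id"; done
        ;;
    esac
}
if [ -n "${PLUTO_VERB:-}" ]; then xfrm_updown; fi
```

With DRY_RUN=1 and the PLUTO_* variables exported by hand, the script prints the ip commands it would run, which makes the in/out and namespace variants easy to review before enabling the hook.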