For peers that don't send the EAP_ONLY_AUTHENTICATION notify but still expect to use EAP-only authentication, the charon.force_eap_only_authentication option can be enabled to force this type of authentication even on non-compliant peers.
DH groups are now properly handled during migration of CHILD_SA-creating tasks when reestablishing (previously, this may have caused DH groups to be included in the proposal sent during IKE_AUTH).
The vici plugin stores all CA certificates in one location, which avoids issues with unloading authority sections or clearing all credentials (GH#172).
When unloading a vici connection with start_action=start, any related IKE_SAs without children are now terminated (including those in CONNECTING state).
The hashtable implementation has been changed so it maintains insertion order (the old implementation, including the get_match() method and a new feature to sort keys, has been migrated to the hashlist_t class). This was mainly done so the vici plugin can store its connections in a hashtable, which makes managing high numbers of connections faster.
The default maximum size for vici messages (512 KiB) can now be changed via the VICI_MESSAGE_SIZE_MAX compile option.
IPv6 virtual IPs are now always enumerated, ignoring the charon.prefer_temporary_addrs setting, which should fix route installation if the latter is enabled.
The version as obtained from the Git repository (via git describe) on which a build is based can now be used in executables (--enable-git-version). Tarballs include a text file with that information cached.
Connectivity with the Android client got a lot more stable on Android 6+, where the system aggressively suspends apps when the device is idle (Doze mode). We now use a custom scheduler based on Android's AlarmManager, which allows waking up the app even if the system has put it to sleep. It does require adding the app to the system's battery optimization whitelist, which is requested from the user automatically if necessary. With this, NAT keepalives and rekeyings are now scheduled accurately, with little change to battery usage (#3364). There are some related changes that could be useful outside of the Android client:
It's possible to use other clocks than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME) via the TIME_CLOCK_ID compile option if clock_gettime() is available and pthread_condattr_setclock() supports that clock (e.g. Android's bionic C library only supports CLOCK_MONOTONIC and CLOCK_REALTIME, while the kernel would support CLOCK_BOOTTIME via clock_gettime()).
When using a clock that includes time spent suspended, the new charon.keep_alive_dpd_margin option may be used to trigger a DPD instead of a NAT keepalive if too much time has passed.
Another option (charon.check_current_path) allows forcing a DPD exchange to check if the current path still works whenever changes to interfaces/addresses are detected.
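The two clock-related items above, as an added example that is not part of strongSwan's code: a runtime probe equivalent to the check the TIME_CLOCK_ID option relies on (the clock must be readable by clock_gettime() and accepted by pthread_condattr_setclock()), plus the keepalive-versus-DPD decision the keep_alive_dpd_margin option describes. Function names are hypothetical, and the decision assumes the margin is the number of seconds the keepalive interval may be exceeded before a DPD is sent instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Runtime equivalent of the check a TIME_CLOCK_ID build option implies:
 * the clock must be readable with clock_gettime() AND accepted by
 * pthread_condattr_setclock(), otherwise timed condvar waits cannot use it.
 * Returns 1 if both succeed, 0 otherwise. */
int clock_usable_for_condvar(clockid_t id)
{
    struct timespec ts;
    pthread_condattr_t attr;
    int rc;

    if (clock_gettime(id, &ts) != 0) {
        return 0;                               /* kernel/libc cannot read it */
    }
    if (pthread_condattr_init(&attr) != 0) {
        return 0;
    }
    rc = pthread_condattr_setclock(&attr, id);  /* EINVAL if unsupported */
    pthread_condattr_destroy(&attr);
    return rc == 0;
}

/* Decide whether a keepalive timer that fired `elapsed` seconds after it was
 * scheduled should send a DPD instead of a NAT keepalive. `interval` is the
 * configured keepalive interval, `margin` the keep_alive_dpd_margin (0 disables
 * the check). Assumption: the margin is the number of seconds the interval may
 * be exceeded; with a clock that counts suspended time, a larger gap means the
 * device probably slept and the NAT mapping may be gone, so the path is verified. */
int should_send_dpd(unsigned elapsed, unsigned interval, unsigned margin)
{
    return margin > 0 && elapsed > interval + margin;
}

int main(void)
{
    printf("CLOCK_MONOTONIC usable: %d\n", clock_usable_for_condvar(CLOCK_MONOTONIC));
#ifdef CLOCK_BOOTTIME
    /* Linux reads CLOCK_BOOTTIME fine, but whether the C library accepts it
     * for condvars depends on the libc (bionic does not). */
    printf("CLOCK_BOOTTIME usable: %d\n", clock_usable_for_condvar(CLOCK_BOOTTIME));
#endif
    printf("20s interval, 5s margin, 26s elapsed -> DPD: %d\n",
           should_send_dpd(26, 20, 5));
    return 0;
}
```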