Changelog for 4.1.x¶
- IKE rekeying in NAT situations did not inherit the NAT conditions
to the rekeyed IKE_SA so that the UDP encapsulation was lost with
the next CHILD_SA rekeying.
- Wrong type definition of the next_payload variable in id_payload.c
caused an INVALID_SYNTAX error on PowerPC platforms.
- Implemented IKEv2 EAP-SIM server and client test modules that use
triplets stored in a file. For details on the configuration see
the scenario 'ikev2/rw-eap-sim-rsa'.
- Fixed error in the ordering of the certinfo_t records in the ocsp cache that
caused multiple entries of the same serial number to be created.
- Implementation of a simple EAP-MD5 module which provides CHAP
authentication. This may be interesting in conjunction with certificate
based server authentication, as weak passwords can't be brute forced
(in contradiction to traditional IKEv2 PSK).
- A complete software based implementation of EAP-AKA, using algorithms
specified in 3GPP2 (S.S0055). This implementation does not use an USIM,
but reads the secrets from ipsec.secrets. Make sure to read eap_aka.h
before using it.
- Support for vendor specific EAP methods using Expanded EAP types. The
interface to EAP modules has been slightly changed, so make sure to
check the changes if you're already rolling your own modules.
- The default _updown script now dynamically inserts and removes ip6tables
firewall rules if leftfirewall=yes is set in IPv6 connections. New IPv6
net-net and roadwarrior (PSK/RSA) scenarios for both IKEv1 and IKEV2 were
- Implemented RFC4478 repeated authentication to force EAP/Virtual-IP clients
to reestablish an IKE_SA within a given timeframe.
- strongSwan Manager supports configuration listing, initiation and termination
of IKE and CHILD_SAs.
- Fixes and improvements to multithreading code.
- IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
- Removed recursive pthread mutexes since uClibc doesn't support them.
- In NAT traversal situations and multiple queued Quick Modes,
those pending connections inserted by auto=start after the
port floating from 500 to 4500 were erronously deleted.
- Added a "forceencaps" connection parameter to enforce UDP encapsulation
to surmount restrictive firewalls. NAT detection payloads are faked to
simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
- Preview of strongSwan Manager, a web based configuration and monitoring
application. It uses a new XML control interface to query the IKEv2 daemon
- Experimental SQLite configuration backend which will provide the configuration
interface for strongSwan Manager in future releases.
- Further improvements to MOBIKE support.
- Since some third party IKEv2 implementations run into
problems with strongSwan announcing MOBIKE capability per
default, MOBIKE can be disabled on a per-connection-basis
using the mobike=no option. Whereas mobike=no disables the
sending of the MOBIKE_SUPPORTED notification and the floating
to UDP port 4500 with the IKE_AUTH request even if no NAT
situation has been detected, strongSwan will still support
MOBIKE acting as a responder.
- the default ipsec routing table plus its corresponding priority
used for inserting source routes has been changed from 100 to 220.
It can be configured using the --with-ipsec-routing-table and
- the --enable-integrity-test configure option tests the
integrity of the libstrongswan crypto code during the charon
- the --disable-xauth-vid configure option disables the sending
of the XAUTH vendor ID. This can be used as a workaround when
interoperating with some Windows VPN clients that get into
trouble upon reception of an XAUTH VID without eXtended
AUTHentication having been configured.
- ipsec stroke now supports the rereadsecrets, rereadaacerts,
rereadacerts, and listacerts options.
- If a DNS lookup failure occurs when resolving right=%<FQDN>
or right=<FQDN> combined with rightallowany=yes then the
connection is not updated by ipsec starter thus preventing
the disruption of an active IPsec connection. Only if the DNS
lookup successfully returns with a changed IP address the
corresponding connection definition is updated.
- Routes installed by the keying daemons are now in a separate
routing table with the ID 100 to avoid conflicts with the main
table. Route lookup for IKEv2 traffic is done in userspace to ignore
routes installed for IPsec, as IKE traffic shouldn't get encapsulated.
- The pluto IKEv1 daemon now exhibits the same behaviour as its
IKEv2 companion charon by inserting an explicit route via the
_updown script only if a sourceip exists. This is admissible
since routing through the IPsec tunnel is handled automatically
by NETKEY's IPsec policies. As a consequence the left|rightnexthop
parameter is not required any more.
- The new IKEv1 parameter right|leftallowany parameters helps to handle
the case where both peers possess dynamic IP addresses that are
usually resolved using DynDNS or a similar service.
can be used by the initiator to start up a connection to a peer
by resolving peer.foo.bar into the currently allocated IP address.
Thanks to the rightallowany flag the connection behaves later on
so that the peer can rekey the connection as an initiator when his
IP address changes. An alternative notation is
which will implicitly set rightallowany=yes.
- ipsec starter now fails more gracefully in the presence of parsing
errors. Flawed ca and conn section are discarded and pluto is started
if non-fatal errors only were encountered. If right=%peer.foo.bar
cannot be resolved by DNS then right=%any will be used so that passive
connections as a responder are still possible.
- The new pkcs11initargs parameter that can be placed in the
setup config section of /etc/ipsec.conf allows the definition
of an argument string that is used with the PKCS#11 C_Initialize()
function. This non-standard feature is required by the NSS softoken
library. This patch was contributed by Robert Varga.
- Fixed a bug in ipsec starter introduced by strongswan-2.8.5
which caused a segmentation fault in the presence of unknown
or misspelt keywords in ipsec.conf. This bug fix was contributed
by Robert Varga.
- Partial support for MOBIKE in IKEv2. The initiator acts on interface/
address configuration changes and updates IKE and IPsec SAs dynamically.
The changelog for versions before 4.1.4 can be found in the source:NEWS file.