Changelog for 4.1.x

Version 4.1.11

  • IKE rekeying in NAT situations did not inherit the NAT conditions
    to the rekeyed IKE_SA so that the UDP encapsulation was lost with
    the next CHILD_SA rekeying.
  • Wrong type definition of the next_payload variable in id_payload.c
    caused an INVALID_SYNTAX error on PowerPC platforms.
  • Implemented IKEv2 EAP-SIM server and client test modules that use
    triplets stored in a file. For details on the configuration see
    the scenario 'ikev2/rw-eap-sim-rsa'.

Version 4.1.10

  • Fixed error in the ordering of the certinfo_t records in the ocsp cache that
    caused multiple entries of the same serial number to be created.
  • Implementation of a simple EAP-MD5 module which provides CHAP
    authentication. This may be interesting in conjunction with certificate
    based server authentication, as weak passwords can't be brute forced
    (in contradiction to traditional IKEv2 PSK).
  • A complete software based implementation of EAP-AKA, using algorithms
    specified in 3GPP2 (S.S0055). This implementation does not use an USIM,
    but reads the secrets from ipsec.secrets. Make sure to read eap_aka.h
    before using it.
  • Support for vendor specific EAP methods using Expanded EAP types. The
    interface to EAP modules has been slightly changed, so make sure to
    check the changes if you're already rolling your own modules.

Version 4.1.9

  • The default _updown script now dynamically inserts and removes ip6tables
    firewall rules if leftfirewall=yes is set in IPv6 connections. New IPv6
    net-net and roadwarrior (PSK/RSA) scenarios for both IKEv1 and IKEV2 were
  • Implemented RFC4478 repeated authentication to force EAP/Virtual-IP clients
    to reestablish an IKE_SA within a given timeframe.
  • strongSwan Manager supports configuration listing, initiation and termination
    of IKE and CHILD_SAs.
  • Fixes and improvements to multithreading code.
  • IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
    Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
    loaded twice.

Version 4.1.8

  • Removed recursive pthread mutexes since uClibc doesn't support them.

Version 4.1.7

  • In NAT traversal situations and multiple queued Quick Modes,
    those pending connections inserted by auto=start after the
    port floating from 500 to 4500 were erronously deleted.
  • Added a "forceencaps" connection parameter to enforce UDP encapsulation
    to surmount restrictive firewalls. NAT detection payloads are faked to
    simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
  • Preview of strongSwan Manager, a web based configuration and monitoring
    application. It uses a new XML control interface to query the IKEv2 daemon
  • Experimental SQLite configuration backend which will provide the configuration
    interface for strongSwan Manager in future releases.
  • Further improvements to MOBIKE support.

Version 4.1.6

  • Since some third party IKEv2 implementations run into
    problems with strongSwan announcing MOBIKE capability per
    default, MOBIKE can be disabled on a per-connection-basis
    using the mobike=no option. Whereas mobike=no disables the
    sending of the MOBIKE_SUPPORTED notification and the floating
    to UDP port 4500 with the IKE_AUTH request even if no NAT
    situation has been detected, strongSwan will still support
    MOBIKE acting as a responder.
  • the default ipsec routing table plus its corresponding priority
    used for inserting source routes has been changed from 100 to 220.
    It can be configured using the --with-ipsec-routing-table and
    --with-ipsec-routing-table-prio options.
  • the --enable-integrity-test configure option tests the
    integrity of the libstrongswan crypto code during the charon
  • the --disable-xauth-vid configure option disables the sending
    of the XAUTH vendor ID. This can be used as a workaround when
    interoperating with some Windows VPN clients that get into
    trouble upon reception of an XAUTH VID without eXtended
    AUTHentication having been configured.
  • ipsec stroke now supports the rereadsecrets, rereadaacerts,
    rereadacerts, and listacerts options.

Version 4.1.5

  • If a DNS lookup failure occurs when resolving right=%<FQDN>
    or right=<FQDN> combined with rightallowany=yes then the
    connection is not updated by ipsec starter thus preventing
    the disruption of an active IPsec connection. Only if the DNS
    lookup successfully returns with a changed IP address the
    corresponding connection definition is updated.
  • Routes installed by the keying daemons are now in a separate
    routing table with the ID 100 to avoid conflicts with the main
    table. Route lookup for IKEv2 traffic is done in userspace to ignore
    routes installed for IPsec, as IKE traffic shouldn't get encapsulated.

Version 4.1.4

  • The pluto IKEv1 daemon now exhibits the same behaviour as its
    IKEv2 companion charon by inserting an explicit route via the
    _updown script only if a sourceip exists. This is admissible
    since routing through the IPsec tunnel is handled automatically
    by NETKEY's IPsec policies. As a consequence the left|rightnexthop
    parameter is not required any more.
  • The new IKEv1 parameter right|leftallowany parameters helps to handle
    the case where both peers possess dynamic IP addresses that are
    usually resolved using DynDNS or a similar service.

    The configuration

    can be used by the initiator to start up a connection to a peer
    by resolving into the currently allocated IP address.
    Thanks to the rightallowany flag the connection behaves later on

    so that the peer can rekey the connection as an initiator when his
    IP address changes. An alternative notation is

    which will implicitly set rightallowany=yes.

  • ipsec starter now fails more gracefully in the presence of parsing
    errors. Flawed ca and conn section are discarded and pluto is started
    if non-fatal errors only were encountered. If
    cannot be resolved by DNS then right=%any will be used so that passive
    connections as a responder are still possible.
  • The new pkcs11initargs parameter that can be placed in the
    setup config section of /etc/ipsec.conf allows the definition
    of an argument string that is used with the PKCS#11 C_Initialize()
    function. This non-standard feature is required by the NSS softoken
    library. This patch was contributed by Robert Varga.
  • Fixed a bug in ipsec starter introduced by strongswan-2.8.5
    which caused a segmentation fault in the presence of unknown
    or misspelt keywords in ipsec.conf. This bug fix was contributed
    by Robert Varga.
  • Partial support for MOBIKE in IKEv2. The initiator acts on interface/
    address configuration changes and updates IKE and IPsec SAs dynamically.

Earlier Versions

The changelog for versions before 4.1.4 can be found in the source:NEWS file.