Changelog for 4.3.x

Version 4.3.6

  • The IKEv2 daemon supports RFC 3779 IP address block constraints
    carried as a critical X.509v3 extension in the peer certificate.
  • The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
    server entries that are sent via the IKEv1 Mode Config or IKEv2
    Configuration Payload to remote clients.
  • The Camellia cipher can be used as an IKEv1 encryption algorithm.
  • The IKEv1 and IKEv2 daemons now check certificate path length constraints.
  • The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
    was sent or received within the given interval. To close the complete IKE_SA
    if its only CHILD_SA was inactive, set the global strongswan.conf option
    "charon.inactivity_close_ike" to yes.
  • More detailed IKEv2 EAP payload information in debug output
  • IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
  • Added required userland changes for proper SHA256 and SHA384/512 in ESP that
    will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
    configures the kernel with 128 bit truncation, not the non-standard 96
    bit truncation used by previous releases. To use the old 96 bit truncation
    scheme, the new "sha256_96" proposal keyword has been introduced.
  • Fixed IPComp in tunnel mode (IKEv2 only) by stripping out the duplicated
    outer header. This change makes IPComp tunnel mode connections incompatible
    with previous releases; disable compression on such tunnels.
  • Fixed BEET mode connections on recent kernels by installing SAs with
    appropriate traffic selectors, based on a patch by Michael Rossberg.
  • Using extensions (such as BEET mode) and crypto algorithms (such as twofish,
    serpent, sha256_96) allocated in the private use space now requires that we
    know the peer understands their meaning, i.e. that we are talking to
    strongSwan. Use the new "charon.send_vendor_id" option in strongswan.conf to
    let the remote peer know this is the case.

    The same strongSwan Vendor ID hash is now also used by the IKEv1
    pluto daemon.

  • Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
    responder omits public key authentication in favor of a mutual EAP
    authentication method. To enable EAP-only authentication, set rightauth=eap
    on the responder to rely only on the MSK-constructed AUTH payload. This
    not-yet standardized extension requires the strongSwan vendor ID introduced
    above.
  • The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
    allowing interoperability with these devices.

Version 4.3.5

  • The IKEv1 pluto daemon can now use SQL-based address pools to deal out
    virtual IP addresses as a Mode Config server. The pool capability has been
    migrated from charon's sql plugin to a new attr-sql plugin which is loaded
    by libstrongswan and which can be used by both daemons either with a SQLite
    or MySQL database and the corresponding plugin.
  • In addition to time based rekeying, charon supports IPsec SA lifetimes based
    on processed volume or number of packets. The new ipsec.conf parameters
    'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
    SA timeouts, while the parameters 'margintime' (an alias to 'rekeymargin'),
    'marginbytes' and 'marginpackets' trigger the rekeying before an SA expires.
    The existing parameter 'rekeyfuzz' affects all margins.
  • The new 'ipsec pki' tool provides a set of commands to maintain a public
    key infrastructure. It currently supports operations to create RSA and ECDSA
    private/public keys, calculate fingerprints and issue or verify certificates.
  • The EAP-AKA plugin can use different backends for USIM/quintuplet
    calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software
    implementation has been migrated to a separate plugin.
  • The IKEv2 daemon charon gained basic PGP support. It can use locally installed
    peer certificates and can issue signatures based on RSA private keys.
  • If no CA/Gateway certificate is specified in the NetworkManager plugin,
    charon uses a set of trusted root certificates preinstalled by distributions.
    The directory containing CA certificates can be specified using the
    --with-nm-ca-dir=path configure option.
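How the lifetime, margin and rekeyfuzz parameters of the 4.3.5 entry above combine is easiest to see in code. The C block below is an added example written for this changelog page, not strongSwan's own scheduling code: it models the documented ipsec.conf semantics (rekeying starts one margin before the hard limit, and rekeyfuzz randomly enlarges that margin by up to the given percentage) for a single limit, applicable to time, bytes and packets alike. The struct, the function names, and the sanity rule that the fully fuzzed margin must stay below the lifetime are this example's own formulation; the random draw is passed in as a parameter so that the arithmetic is reproducible.

```c
/* Added example (not strongSwan code): lifetime / margin / rekeyfuzz arithmetic
 * for one SA limit. The same struct serves time, bytes and packets. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t lifetime;     /* hard limit: lifetime/lifebytes/lifepackets, 0 = off */
    uint64_t margin;       /* margintime/marginbytes/marginpackets */
    unsigned fuzz_percent; /* rekeyfuzz: max random increase of the margin, in % */
} sa_limit_t;

/* Largest margin that rekeyfuzz can produce for this limit. */
static uint64_t max_margin(const sa_limit_t *l)
{
    return l->margin + (uint64_t)((double)l->margin * l->fuzz_percent / 100.0);
}

/* A limit is usable only if even the fully fuzzed margin leaves a positive
 * window before the hard limit; otherwise the SA could expire before the
 * rekeying attempt starts. This check is the example's own (see lead-in). */
static bool limit_is_sane(const sa_limit_t *l)
{
    if (l->lifetime == 0) {
        return true;            /* limit disabled, nothing to schedule */
    }
    return l->margin > 0 && max_margin(l) < l->lifetime;
}

/* Point (in the limit's unit) at which rekeying is triggered. rnd is a random
 * value in [0,1) that a daemon would draw from its RNG; it is a parameter here
 * so that callers and tests get reproducible results. */
static uint64_t rekey_threshold(const sa_limit_t *l, double rnd)
{
    uint64_t extra = (uint64_t)((double)l->margin * l->fuzz_percent / 100.0 * rnd);
    return l->lifetime - l->margin - extra;
}

/* Check the SA's age, byte and packet counters against their limits: rekeying
 * is due as soon as any enabled limit's threshold is reached. */
static bool rekey_due(const sa_limit_t *t, uint64_t age,
                      const sa_limit_t *b, uint64_t bytes,
                      const sa_limit_t *p, uint64_t packets, double rnd)
{
    return (t->lifetime && age     >= rekey_threshold(t, rnd)) ||
           (b->lifetime && bytes   >= rekey_threshold(b, rnd)) ||
           (p->lifetime && packets >= rekey_threshold(p, rnd));
}

int main(void)
{
    /* constructed values: 1h lifetime, 9m margin, 100% fuzz (the documented
     * ipsec.conf defaults); byte and packet limits left disabled */
    sa_limit_t t = { 3600, 540, 100 }, none = { 0, 0, 0 };
    printf("sane=%d threshold(rnd=0.5)=%llu\n", limit_is_sane(&t),
           (unsigned long long)rekey_threshold(&t, 0.5));
    printf("rekey due at 2800s: %d\n",
           rekey_due(&t, 2800, &none, 0, &none, 0, 0.5));
    return 0;
}
```

With the defaults, rekeying starts somewhere between 2520 s and 3060 s into the hour, which is the spread rekeyfuzz is meant to create on gateways with many tunnels; a configuration such as lifetime=20m with margintime=10m and the default 100% fuzz fails the sanity check because the fuzzed margin can reach the full lifetime.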

IKEv1 fixes

  • Fixed smartcard-based authentication in the pluto daemon which was broken by
    the ECDSA support introduced with the 4.3.2 release.
  • Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
  • A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa
    tunnels established with the IKEv1 pluto daemon.
  • The pluto daemon now uses the libstrongswan x509 plugin for certificates and
    CRLs and the struct id type was replaced by identification_t used by charon
    and the libstrongswan library.

IKEv2 fixes

  • Fixed the encoding of the Email relative distinguished name in left|rightid
  • Charon uses a monotonic time source for statistics and job queueing, behaving
    correctly if the system time changes (e.g. when using NTP).
  • Plugin names have been streamlined: EAP plugins now have a dash after eap
    (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.
    Plugin configuration sections in strongswan.conf now use the same name as the
    plugin itself (i.e. with a dash). Make sure to update "load" directives and
    the affected plugin sections in existing strongswan.conf files.
  • The private/public key parsing and encoding has been split up into
    separate pkcs1, pgp, pem and dnskey plugins. The public key implementation
    plugins gmp, gcrypt and openssl can all make use of them.

Version 4.3.4

  • IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
    be found on
  • ipsec statusall shows the number of bytes transmitted and received over
    ESP connections configured by the IKEv2 charon daemon.
  • The IKEv2 charon daemon supports include files in ipsec.secrets.

Version 4.3.3

  • The configuration option --enable-integrity-test plus the strongswan.conf
    option libstrongswan.integrity_test = yes activate integrity tests
    of the IKE daemons charon and pluto, libstrongswan and all loaded
    plugins. Thus dynamic library misconfigurations and non-malicious file
    manipulations can be reliably detected.
  • The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
    IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20.
  • The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP
    authenticated encryption algorithms.
  • The IKEv1 pluto daemon now supports V4 OpenPGP keys.
  • The RDN parser vulnerability discovered by the Orange Labs research team
    was not completely fixed in version 4.3.2. Some more modifications
    had to be applied to the asn1_length() function to make it robust.

Version 4.3.2

  • The new gcrypt plugin provides symmetric cipher, hasher, RNG, Diffie-Hellman
    and RSA crypto primitives using the LGPL licensed GNU gcrypt library.
  • libstrongswan features an integrated crypto selftest framework for registered
    algorithms. The test-vector plugin provides a first set of test vectors and
    allows pluto and charon to rely on tested crypto algorithms.
  • pluto can now use all libstrongswan plugins with the exception of x509 and xcbc.
    Thanks to the openssl plugin, the ECP Diffie-Hellman groups 19, 20, 21, 25, and
    26 as well as ECDSA-256, ECDSA-384, and ECDSA-521 authentication can be used
    with IKEv1.
  • Applying their fuzzing tool, the Orange Labs vulnerability research team found
    another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
    Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
    and GENERALIZEDTIME strings to a time_t value.
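The asn1_length() hardening in 4.3.3 and the RDN and UTCTIME/GENERALIZEDTIME conversion bugs in 4.3.2 come down to the same parser discipline: every length and every time string read from a certificate has to be checked against what is actually present before it is used. The C block below is an added illustration of that discipline written for this page; it is not strongSwan's asn1_length() or its time conversion, it does not reproduce the specific bugs, and its function names, the SIZE_MAX error value and the DER-minimal-encoding rule it enforces are this example's own choices. The date arithmetic avoids timegm() so the block is portable.

```c
/* Added example (not strongSwan's asn1_length()): bounds-checked DER length
 * decoding and strict UTCTime/GeneralizedTime conversion, showing the checks
 * that make malformed certificate data fail cleanly instead of crashing. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define ASN1_BAD_LENGTH SIZE_MAX   /* example's own error value */

/* Decode the length octets following the tag at buf[0]. Returns the content
 * length and stores the header size (tag + length octets) in *hdr, or
 * ASN1_BAD_LENGTH if the encoding is truncated, indefinite (0x80), wider than
 * size_t, non-minimal (not DER) or claims more bytes than the buffer holds. */
static size_t asn1_length_checked(const uint8_t *buf, size_t len, size_t *hdr)
{
    if (len < 2) return ASN1_BAD_LENGTH;            /* need tag + one length octet */
    uint8_t first = buf[1];
    if (first < 0x80) {                             /* short form */
        *hdr = 2;
        return (size_t)first <= len - 2 ? first : ASN1_BAD_LENGTH;
    }
    size_t n = first & 0x7f;                        /* long form: n length octets */
    if (n == 0 || n > sizeof(size_t) || n > len - 2) return ASN1_BAD_LENGTH;
    size_t value = 0;
    for (size_t i = 0; i < n; i++) value = (value << 8) | buf[2 + i];
    if (buf[2] == 0 || value < 0x80) return ASN1_BAD_LENGTH; /* DER: minimal form */
    *hdr = 2 + n;
    return value <= len - *hdr ? value : ASN1_BAD_LENGTH;
}

/* Days since 1970-01-01 for a proleptic Gregorian date. */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;                                    /* [0, 399] */
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;   /* [0, 365] */
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;             /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

/* Convert the RFC 5280 forms of UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime
 * (YYYYMMDDHHMMSSZ) to seconds since the epoch. Returns false for any other
 * length, a non-digit, an out-of-range field or an impossible calendar date,
 * instead of handing back a bogus time_t. */
static bool asn1_time_checked(const char *s, size_t len, bool generalized,
                              time_t *out)
{
    size_t ydigits = generalized ? 4 : 2;
    if (len != ydigits + 11 || s[len - 1] != 'Z') return false;
    for (size_t i = 0; i + 1 < len; i++) {
        if (s[i] < '0' || s[i] > '9') return false;
    }
    int64_t f[6];                                   /* year, mon, day, hour, min, sec */
    size_t pos = 0;
    for (int i = 0; i < 6; i++) {
        size_t width = i == 0 ? ydigits : 2;
        f[i] = 0;
        while (width--) f[i] = f[i] * 10 + (s[pos++] - '0');
    }
    if (!generalized) f[0] += f[0] >= 50 ? 1900 : 2000;  /* RFC 5280 pivot */
    static const int mdays[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    if (f[1] < 1 || f[1] > 12 || f[3] > 23 || f[4] > 59 || f[5] > 59) return false;
    int dim = mdays[f[1] - 1];
    if (f[1] == 2 && f[0] % 4 == 0 && (f[0] % 100 != 0 || f[0] % 400 == 0)) dim = 29;
    if (f[2] < 1 || f[2] > dim) return false;
    int64_t secs = days_from_civil(f[0], (int)f[1], (int)f[2]) * 86400
                 + f[3] * 3600 + f[4] * 60 + f[5];
    *out = (time_t)secs;
    return true;
}

int main(void)
{
    /* constructed inputs: a well-formed SEQUENCE header, and a header whose
     * length claims far more content than the buffer holds */
    uint8_t ok[]  = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    uint8_t lie[] = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff };
    size_t hdr = 0;
    time_t t = 0;
    printf("ok: %zu content bytes\n", asn1_length_checked(ok, sizeof(ok), &hdr));
    printf("lie rejected: %d\n",
           asn1_length_checked(lie, sizeof(lie), &hdr) == ASN1_BAD_LENGTH);
    printf("20240229120000Z valid: %d\n",
           asn1_time_checked("20240229120000Z", 15, true, &t));
    return 0;
}
```

The length decoder never reads past len, refuses the indefinite form that DER forbids, and rejects a length that exceeds the remaining buffer, which is the check a fuzzer-found over-read depends on being absent; the time converter validates every digit and the calendar date (29 February only in leap years) before any arithmetic, so a crafted validity field cannot produce a wildly wrong time_t or an out-of-bounds table index.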

Version 4.3.1

  • The nm plugin now passes DNS/NBNS server information to NetworkManager,
    allowing a gateway administrator to set DNS/NBNS configuration on clients
  • The nm plugin also accepts CA certificates for gateway authentication. If
    a CA certificate is configured, strongSwan uses the entered gateway address
    as its identity, requiring the gateway's certificate to contain the same
    address as a subjectAltName. This allows a gateway administrator to deploy
    the same certificates to Windows 7 and NetworkManager clients.
  • The command ipsec purgeike deletes IKEv2 SAs that don't have a CHILD_SA.
    The command ipsec down <conn>{n} deletes CHILD_SA instance n of connection
    <conn> whereas ipsec down <conn>{*} deletes all CHILD_SA instances.
    The command ipsec down <conn>[n] deletes IKE_SA instance n of connection
    <conn> plus dependent CHILD_SAs whereas ipsec down <conn>[*] deletes all
    IKE_SA instances of connection <conn>.
  • Fixed a regression introduced in 4.3.0 where EAP authentication calculated
    the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 MSK key derivation
    has been updated to be compatible with the Windows 7 Release Candidate.
  • Refactored installation of triggering policies. Routed policies are handled
    outside of IKE_SAs to keep them installed in any case. A tunnel gets
    established only once, even if initiation is delayed due to network outages.
  • Improved the handling of multiple acquire signals triggered by the kernel.
  • Fixed two DoS vulnerabilities in the charon daemon that were discovered by
    fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request left an
    incomplete state which caused a null pointer dereference if a subsequent
    CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
    a missing TSi or TSr payload caused a null pointer dereference because the
    checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
    developed by the Orange Labs vulnerability research team. The tool was
    initially written by Gabriel Campana and is now maintained by Laurent Butti.
  • Added support for AES counter mode in ESP in IKEv2 using the proposal
    keywords aes128ctr, aes192ctr and aes256ctr.
  • Further progress in refactoring pluto: Use of the curl and ldap plugins
    for fetching CRLs and OCSP responses. Use of the random plugin to get keying
    material from /dev/random or /dev/urandom. Use of the openssl plugin as an
    alternative to the aes, des, sha1, sha2, and md5 plugins. The blowfish,
    twofish, and serpent encryption plugins are now optional and are not enabled
    by default.

Version 4.3.0

  • Support for the IKEv2 Multiple Authentication Exchanges extension (RFC4739).
    Initiators and responders can use several authentication rounds (e.g. RSA
    followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
    leftauth2/rightauth2 parameters define the local peer's own authentication
    rounds or set up constraints for the remote peer. See the ipsec.conf man
    page for more details.
  • If glibc printf hooks (register_printf_function) are not available,
    strongSwan can use the vstr string library to run on non-glibc systems.
  • The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC cipher.
  • Refactored the pluto and scepclient code to use basic functions (memory
    allocation, leak detective, chunk handling, printf_hooks, strongswan.conf
    attributes, ASN.1 parser, etc.) from the libstrongswan library.
  • Up to two DNS and WINS servers to be sent via IKEv1 ModeConfig can be
    configured in the pluto section of strongswan.conf.