The new libtpmtss library supports both TPM 1.2 and TPM 2.0 Trusted Platform Modules. This allows the Attestation IMC/IMV pair to perform TPM 2.0-based attestation.
The behavior during IKEv2 exchange collisions has been improved or fixed in several corner cases, and support for the TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies defined by RFC 7296 has been added (#379, #464, #876, #1293). The collision handling is covered by a series of new unit tests.
IPsec policy priorities can now be set manually (e.g. for high-priority drop policies), and outbound policies may be restricted to a network interface. Both options are only configurable via swanctl.conf. An example is provided in the swanctl/manual-prio scenario.
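The following swanctl.conf fragment is an added illustration of these two options; it is not the swanctl/manual-prio scenario itself, and the connection name, addresses, identities, certificate file name and interface name are assumptions. A regular tunnel child keeps the automatically calculated priority, while a second child with mode = drop is given a manual priority. In the Linux XFRM framework a numerically lower priority value takes precedence, so the drop policy wins over the tunnel policy for the host it covers even though both selectors match that traffic.

```conf
# swanctl.conf (added example, not part of the page or the strongSwan test
# scenarios; names, addresses and the interface are assumptions)
connections {
   net-net {
      local_addrs  = 192.168.0.1
      remote_addrs = 192.168.0.2
      local {
         auth  = pubkey
         certs = moonCert.pem
         id    = moon.strongswan.org
      }
      remote {
         auth = pubkey
         id   = sun.strongswan.org
      }
      children {
         # Regular tunnel child. "priority" is left at its default (0), so the
         # policy gets an automatically calculated priority. The "interface"
         # option restricts only the outbound policy: traffic leaving via any
         # other interface is not matched by it.
         net-net {
            local_ts     = 10.1.0.0/16
            remote_ts    = 10.2.0.0/16
            interface    = eth0
            start_action = trap
         }
         # Drop child for a single host that must never be sent through the
         # tunnel. The manually set priority (lower value = higher precedence
         # in XFRM) overrides the calculated priority of the net-net policy,
         # whose selectors also match this host.
         block-host {
            local_ts     = 10.1.0.5/32
            remote_ts    = 10.2.0.0/16
            mode         = drop
            priority     = 1
            start_action = trap
         }
      }
   }
}
```

After swanctl --load-all the installed policies can be checked with ip xfrm policy, which prints each policy's priority: the drop policy shows "priority 1", the tunnel policies show their calculated values. Note that a manual priority bypasses the automatic scheme entirely, so when mixing manual and automatic priorities it is the administrator's job to pick values that actually rank where intended relative to the calculated ones.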
The scheme for the automatically calculated default priorities has been changed and now also considers port masks, which were added with 5.4.0 (for details see d3af3b799f).
FWD policies are now installed in both directions with regard to the traffic selectors (9c12635252). Because such "outbound" FWD policies could conflict with the "inbound" FWD policies of other SAs (as in the swanctl/net2net-gw or ikev2/ip-two-pools-db scenarios, for example), they are installed with a lower priority and without a reqid, which allows kernel plugins to distinguish between the two and prefer those with a reqid.
How the interface for routes installed alongside policies is determined has changed (96b1fab53c). In most cases the interface over which the other peer is reached is now used, rather than the interface on which the local address (or the source IP) is installed. Depending on the configuration these may be the same interface, so in practice there will often be no change.
Routes are no longer installed for drop policies or for policies with port or protocol selectors (e7369a9dc5).
No replay window is configured anymore for outbound IPsec SAs, since anti-replay checking only applies to inbound SAs.
When using unique marks (mark=%unique), the allocated mark is now correctly passed to the updown script via the PLUTO_MARK_IN and PLUTO_MARK_OUT variables (b210369314).