Version 4.1.4

  • The pluto IKEv1 daemon now exhibits the same behaviour as its
    IKEv2 companion charon by inserting an explicit route via the
    _updown script only if a sourceip exists. This is admissible
    since routing through the IPsec tunnel is handled automatically
    by NETKEY's IPsec policies. As a consequence the left|rightnexthop
    parameter is not required any more.
  • The new IKEv1 parameters right|leftallowany help to handle
    the case where both peers possess dynamic IP addresses that are
    usually resolved using DynDNS or a similar service.

    The configuration

    can be used by the initiator to start up a connection to a peer
    by resolving into the currently allocated IP address.
    Thanks to the rightallowany flag the connection behaves later on

    so that the peer can rekey the connection as an initiator when its
    IP address changes. An alternative notation is

    which will implicitly set rightallowany=yes.

  • ipsec starter now fails more gracefully in the presence of parsing
    errors. Flawed ca and conn sections are discarded and pluto is started
    if only non-fatal errors were encountered. If
    cannot be resolved by DNS then right=%any will be used so that passive
    connections as a responder are still possible.
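    As an added illustration (not strongSwan's code) of the two behaviours
    described above, the "%host" shorthand that implies rightallowany=yes and
    the starter's fallback to right=%any when a host name does not resolve;
    the host names, addresses and the offline resolver are constructed:

```python
import socket

ANY = "%any"

# Constructed stand-in for DNS so the example runs offline (not real hosts).
CONSTRUCTED_DNS = {"peer.example.org": "203.0.113.7"}


def offline_resolve(host):
    """Resolver with the same failure mode as socket.gethostbyname()."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no entry for {host}")


def is_ip_literal(value):
    """True for a dotted-quad IPv4 literal, which needs no DNS lookup."""
    try:
        socket.inet_aton(value)
        return True
    except OSError:
        return False


def parse_right(value, allowany=False, resolve=socket.gethostbyname):
    """Model of the described handling of a 'right=' value; returns (right, allowany).

    - '%host' is shorthand for 'host' plus rightallowany=yes
    - a host name that does not resolve falls back to '%any' so the
      connection can still be loaded for passive (responder) use
    """
    if value == ANY:
        return ANY, allowany
    if value.startswith("%"):
        value, allowany = value[1:], True
    if is_ip_literal(value):
        return value, allowany
    try:
        return resolve(value), allowany
    except OSError:  # socket.gaierror is a subclass of OSError
        return ANY, allowany


def accept_peer(configured_right, allowany, peer_addr):
    """May an initiator at peer_addr (re)establish this conn? Yes when its
    address matches the resolved one, or when %any / allowany permits it."""
    return configured_right == ANY or allowany or peer_addr == configured_right
```

    With allowany set, a peer whose dynamic address has moved since the
    initial DNS lookup is still accepted when it rekeys as the initiator.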
  • The new pkcs11initargs parameter that can be placed in the
    config setup section of /etc/ipsec.conf allows the definition
    of an argument string that is passed to the PKCS#11 C_Initialize()
    function. This non-standard feature is required by the NSS softoken
    library. This patch was contributed by Robert Varga.
  • Fixed a bug in ipsec starter introduced by strongswan-2.8.5
    which caused a segmentation fault in the presence of unknown
    or misspelt keywords in ipsec.conf. This bug fix was contributed
    by Robert Varga.
  • Partial support for MOBIKE in IKEv2. The initiator acts on interface/
    address configuration changes and updates IKE and IPsec SAs dynamically.
