- Support for "Hash and URL" encoded certificate payloads has been implemented
in the IKEv2 daemon charon. Using the "certuribase" option of a CA section
allows to assign a base URL to all certificates issued by the specified CA.
The final URL is then built by concatenating that base and the hex encoded
SHA1 hash of the DER encoded certificate. Note that this feature is disabled
by default and must be enabled using the option "charon.hash_and_url".
- The IKEv2 daemon charon now supports the "uniqueids" option to close multiple
IKE_SAs with the same peer. The option value "keep" prefers existing
connection setups over new ones, where the value "replace" replaces existing
- The crypto factory in libstrongswan additionaly supports random number
generators, plugins may provide other sources of randomness. The default
plugin reads raw random data from /dev/(u)random.
- Extended the credential framework by a caching option to allow plugins
persistent caching of fetched credentials. The "cachecrl" option has been
- The new trustchain verification introduced in 4.2.0 has been parallelized.
Threads fetching CRL or OCSP information no longer block other threads.
- A new IKEv2 configuration attribute framework has been introduced allowing
plugins to provide virtual IP addresses, and in the future, other
configuration attribute services (e.g. DNS/WINS servers).
- The stroke plugin has been extended to provide virtual IP addresses from
a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts
address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts
the value "%poolname", where "poolname" identifies a pool provided by a
- Fixed compilation on uClibc and a couple of other minor bugs.
- Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
- The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA
with key lengths of 128, 192, and 256 bits, as well as the authentication
algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.