  • IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
    from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
    IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
    come for IKEv1 to go into retirement and to cede its place to the much more
    robust, powerful and versatile IKEv2 protocol!
    If you still want to use the old IKEv1 protocol, you must explicitly
    set keyexchange=ikev1.
  • Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
    and Galois/Counter Modes based on existing CBC implementations. These
    new plugins bring support for AES and Camellia Counter and CCM algorithms
    and the AES GCM algorithms for use in IKEv2. A list of all supported
    algorithms can be found here.
  • The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
    the ipsec pki utility using one or more PKCS#11 libraries. It currently supports
    RSA private and public key operations and loads X.509 certificates from
  • Implemented a general purpose TLS stack based on crypto and credential
    primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
    ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
    client authentication.
  • The RADIUS plugin eap-radius now supports multiple RADIUS servers for
    redundant setups. Servers are selected by a defined priority, server load and
  • Applets for Maemo 5 (Nokia) allow you to easily configure and control IKEv2
    based VPN connections with EAP authentication on supported devices.
  • The simple led plugin controls hardware LEDs through the Linux LED subsystem.
    It currently shows activity of the IKE daemon and is a good example of how to
    implement a simple event listener.
  • The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
    daemon charon. As a result of this, pluto now supports xfrm marks which
    were introduced in charon with 4.4.1.
  • Improved MOBIKE behavior in several corner cases, for instance, if the
    initial responder moves to a different address.
  • Fixed left-/rightnexthop option, which was broken since 4.4.0.
  • Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
    identity was different from the IKE identity.
  • Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
    case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
  • Fixed the interoperability of the socket_raw and socket_default
    charon plugins.
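The keyexchange default change described in the first item, as an added example that is not part of strongSwan or of these release notes: a small Python check that parses an ipsec.conf (a constructed sample is embedded inline) and lists the conn sections that inherit the daemon default and will therefore move to IKEv2 after the upgrade to 4.5. The keys used (conn, also, keyexchange, ike, esp) are real ipsec.conf keys; the host name is a placeholder, and also= is resolved only one hop, which is a simplification.

```python
# Added example (not strongSwan project code): list the ipsec.conf conn sections
# whose IKE version rides on the keyexchange default that 4.5 flips to ikev2.
def parse_conns(text):
    """Map conn name -> {key: value}. Headers start in column 0, settings indented."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments, trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header line
            parts = line.split()
            cur = parts[1] if parts[0] == 'conn' and len(parts) == 2 else None
            if cur:
                conns[cur] = {}
        elif cur and '=' in line:
            key, _, val = line.strip().partition('=')
            conns[cur][key.strip()] = val.strip()
    return conns

def effective_keyexchange(conns, name):
    """Own value, then one also= hop (simplified: strongSwan allows chains),
    then conn %default, else the daemon default spelled 'ike'."""
    own = conns.get(name, {})
    for section in (own, conns.get(own.get('also'), {}), conns.get('%default', {})):
        if 'keyexchange' in section:
            return section['keyexchange']
    return 'ike'

def affected_by_45_default(text):
    """Conns that silently move from pluto (IKEv1) to charon (IKEv2) on upgrade."""
    conns = parse_conns(text)
    return sorted(n for n in conns
                  if n != '%default' and effective_keyexchange(conns, n) == 'ike')

SAMPLE_CONF = """\
config setup
    plutostart=yes
conn %default
    ikelifetime=60m
conn roadwarrior
    left=%defaultroute
    right=vpn.example.org        # constructed placeholder; no keyexchange set
conn legacy-xauth
    also=roadwarrior
    keyexchange=ikev1            # explicit: stays on IKEv1 after the upgrade
conn modern-gcm
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-modp2048!
    esp=aes128gcm16!
"""
```

Run it against a real ipsec.conf before upgrading; every name it reports needs an explicit keyexchange=ikev1 if that connection must keep talking IKEv1 to its peer.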
