Version 5.0.0
- The charon IKE daemon gained experimental support for the IKEv1 protocol.
Pluto has been removed from the 5.x series, and unless strongSwan is
configured with --disable-ikev1 or --disable-ikev2, charon handles
both keying protocols. The feature set of IKEv1 in charon is almost on par with
pluto, but currently does not support AH or bundled AH+ESP SAs. Besides
RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
mode. Information for interoperability and migration is available on
our wiki. More details about the history and context of these changes
can be found in our related blog post.
- Charon's bus_t has been refactored so that loggers and other listeners are
now handled separately. The single lock was previously a cause of deadlocks
if extensive listeners, such as the one provided by the updown plugin, wanted
to acquire locks that were held by other threads which in turn tried to log
messages, and thus were waiting to acquire the same lock currently held by
the thread calling the listener.
The implemented changes also allow the use of a read/write-lock for the
loggers, which increases performance if multiple loggers are registered.
Besides several interface changes, this last bit also changes the semantics
for loggers, as these may now be called by multiple threads concurrently.
- Source routes are reinstalled if interfaces are reactivated or IP addresses
reappear.
- The thread pool (processor_t) now has more control over the lifecycle of
a job (see source:src/libstrongswan/processing/jobs/job.h for details).
In particular, it now controls the destruction of jobs after execution and
the cancellation of jobs during shutdown. Due to these changes the requeueing
feature, previously available to callback_job_t only, is now available to all
jobs (in addition to a new rescheduling feature).
- In addition to trustchain key strength definitions for different public key
systems, the rightauth ipsec.conf option now takes a list of signature
hash algorithms considered safe for trustchain validation. For example,
the setting rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512
requires a trustchain that uses at least RSA-2048 or ECDSA-256 keys and
certificate signatures using SHA-256 or better.
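As an added illustration of what such a rightauth value means in practice, the following Python models the parsing of a strength constraint string and the check of a constructed certificate chain against it. This is example code written for this page, not strongSwan's own implementation: the Cert and Constraints types, the sample chains, and the decision to skip the trust anchor's self-signature are assumptions of the example.

```python
"""Illustrative model of the rightauth trustchain constraints.

Added example, not strongSwan code. Parses a value such as
"rsa-2048-ecdsa-256-sha256-sha384-sha512" into per-key-system minimum
strengths plus a set of accepted signature hash algorithms, then checks a
constructed certificate chain against those constraints.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Token vocabulary assumed by this example (the release notes name RSA, ECDSA
# and SHA-256/384/512; sha1 is included only so a weak chain can be rejected).
KEY_TYPES = {"rsa", "ecdsa"}
HASH_ALGS = {"sha1", "sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class Constraints:
    min_key_bits: Dict[str, int]   # key system -> minimum key length in bits
    hashes: FrozenSet[str]         # accepted certificate signature hashes


def parse_rightauth(value: str) -> Constraints:
    """Parse 'rsa-2048-ecdsa-256-sha256-sha384-sha512' style values."""
    tokens = value.lower().split("-")
    min_bits: Dict[str, int] = {}
    hashes = set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEY_TYPES:
            # a key system token must be followed by its minimum bit length
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError(f"key system {tok!r} needs a bit length")
            min_bits[tok] = int(tokens[i + 1])
            i += 2
        elif tok in HASH_ALGS:
            hashes.add(tok)
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r}")
    return Constraints(min_bits, frozenset(hashes))


@dataclass(frozen=True)
class Cert:
    subject: str
    key_type: str            # "rsa" or "ecdsa"
    key_bits: int
    sig_hash: Optional[str]  # hash of the signature on this cert; None for a
                             # self-signed trust anchor (not evaluated here)


def check_chain(chain: List[Cert], c: Constraints) -> List[str]:
    """Return the list of violations; an empty list means the chain passes.

    Every key in the chain must reach the minimum for its key system and
    every certificate signature must use an accepted hash. A key system that
    the constraint does not mention is rejected (assumption of this example).
    """
    problems = []
    for cert in chain:
        required = c.min_key_bits.get(cert.key_type)
        if required is None:
            problems.append(f"{cert.subject}: key system {cert.key_type} not allowed")
        elif cert.key_bits < required:
            problems.append(
                f"{cert.subject}: {cert.key_type}-{cert.key_bits} below minimum {required}")
        if cert.sig_hash is not None and c.hashes and cert.sig_hash not in c.hashes:
            problems.append(f"{cert.subject}: signature hash {cert.sig_hash} not accepted")
    return problems


# The constraint string from the release notes.
EXAMPLE_RIGHTAUTH = "rsa-2048-ecdsa-256-sha256-sha384-sha512"

# Constructed sample chains (end entity first, trust anchor last); not real certificates.
GOOD_CHAIN = [
    Cert("CN=vpn.example.org", "ecdsa", 256, "sha256"),
    Cert("CN=Example Issuing CA", "rsa", 3072, "sha384"),
    Cert("CN=Example Root CA", "rsa", 4096, None),
]
WEAK_CHAIN = [
    Cert("CN=vpn.example.org", "rsa", 1024, "sha1"),
    Cert("CN=Example Issuing CA", "rsa", 2048, "sha256"),
    Cert("CN=Example Root CA", "rsa", 2048, None),
]

if __name__ == "__main__":
    constraints = parse_rightauth(EXAMPLE_RIGHTAUTH)
    for name, chain in (("good", GOOD_CHAIN), ("weak", WEAK_CHAIN)):
        problems = check_chain(chain, constraints)
        print(name, "OK" if not problems else problems)
```

Running the block reports the good chain as acceptable and lists two violations for the weak one (an RSA-1024 end-entity key and a SHA-1 signature), which is the kind of chain the new option is meant to refuse.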
- The NetworkManager charon plugin of previous releases is now provided by a
separate executable (charon-nm) and it should work again with NM 0.9.
- scepclient was updated and it now works fine with Windows Server 2008 R2.
Among other things, support for multiple CA/RA certificates and configurable
digest/signature algorithms was added.
- Thanks to initial patches by Aleksandr Grinberg the openssl plugin now provides
PRFs and signers based on HMACs, and can also be used as an RNG.
- The left|rightallowany ipsec.conf option previously available only for
IKEv1 is now also supported for IKEv2 connections.
- A strongswan.conf option to retry the initiation of an IKE_SA, if it failed due to a
failed DNS lookup, was added (charon.retry_initiate_interval, disabled by default).
- The source address lookup for IPv6 addresses was fixed (this fixes MOBIKE with IPv6,
which was broken in some scenarios since 4.6.2).
- Installing IPsec policies with ports (left|rightprotoport) was fixed in the
PF_KEY kernel interface.