- Introduced the sending of the standard IETF Assessment Result
PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
- Extended PTS Attestation IMC/IMV pair to provide full evidence of
the Linux IMA measurement process. All pertinent file information
of a Linux OS can be collected and stored in an SQL database.
- The PA-TNC and PB-TNC protocols can now process huge data payloads
>64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
and these messages over several PB-TNC batches. As long as no
consolidated recommendation from all IMVs can be obtained, the TNC
server requests more client data by sending an empty SDATA batch.
- The rightgroups2 ipsec.conf option can require group membership during
a second authentication round, for example during XAuth authentication
against a RADIUS server.
- The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
clients against any PAM service. The IKEv2 eap-gtc plugin does not use
PAM directly anymore, but can use any XAuth backend to verify credentials,
- The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
Extensions. As client, charon narrows traffic selectors to the received
Split-Include attributes and automatically installs IPsec bypass policies
for received Local-LAN attributes. As server, charon sends Split-Include
leftsubnet definitions containing multiple subnets to Unity-
- An EAP-Nak payload is returned by clients if the gateway requests an EAP
method that the client does not support. Clients can also request a specific
EAP method by configuring that method with
- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
these to select a different EAP method supported/requested by the client.
The plugin initially requests the first registered method or the first method
- The new left|rightdns ipsec.conf options specify connection specific DNS servers to
request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
can be any (comma separated) combination of
multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
IP addresses to return.
- The left|rightsourceip options now accept multiple addresses or pools.
leftsourceip can be any (comma separated) combination of
or fixed IP addresses to request. rightsourceip accepts multiple explicitly
specified or referenced named pools.
- Multiple connections can now share a single address pool when they use the
same definition in one of the
- The strongswan.conf options
allow one to configure the network interfaces used by the daemon.
- The kernel-netlink plugin supports the new strongswan.conf option
charon.install_virtual_ip_on, which specifies the interface on which
virtual IP addresses will be installed. If it is not specified the current behavior
of using the outbound interface is preserved.
- The kernel-netlink plugin tries to keep the current source address when
looking for valid routes to reach other hosts.
- The autotools build has been migrated to use a config.h header. strongSwan
development headers will get installed during "make install" if
--with-dev-headers has been passed to ./configure.
- All crypto primitives gained return values for most operations, allowing
crypto backends to fail, for example when using hardware accelerators.
- The UDP ports used by charon can be configured via ./configure or the
charon.port_nat_t options in strongswan.conf;
if ports are configured to 0 they will be allocated randomly.
- The NetworkManager backend (charon-nm) uses random source ports
to avoid conflicts with regular charon.
- With uniqueids=never configured in ipsec.conf, INITIAL_CONTACT notifies are ignored.
With uniqueids=no configured, the daemon will delete existing IKE_SAs with the same
peer upon receipt of an INITIAL_CONTACT notify. This new option allows ignoring these notifies.
- Prefixing the identity configured with a % character prevents initiators
from sending an IDr payload in the IKE_AUTH exchange. Later the configured identity will
not only be checked against the returned IDr, but also against other identities contained
in the responder's certificate.
- Non-"/0" subnet sizes are accepted for traffic selectors starting at 0.0.0.0.
- Job handling in controller_t was fixed, which occasionally caused crashes on
- Caching of relations in validated certificate chains can be disabled with the
- Logging of multi-line log messages was fixed in situations where more than one logger
- Fixed transmission of the EAP-MSCHAPv2 user name if it contains a domain part.
- Added an option to enforce the configured destination address for DHCP packets.
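As an added example that is not part of the strongSwan NEWS file or distribution, the following constructed ipsec.conf shows how the rightgroups2, leftdns/rightdns, leftsourceip/rightsourceip and uniqueids=never options listed above fit together on a gateway and a client. All addresses, certificate file names, the hostname vpn.example.org and the group name vpnusers are placeholders, and the %config4/%config6 request markers are assumed from the ipsec.conf syntax rather than taken from this changelog.

```conf
# Constructed example ipsec.conf (not from the strongSwan distribution).
config setup
    # Ignore INITIAL_CONTACT notifies instead of deleting the peer's existing
    # IKE_SAs (uniqueids=no). Stale SAs of reconnecting peers then only go away
    # through DPD or lifetime expiry, so keep DPD enabled on such gateways.
    uniqueids=never

# IKEv2 roadwarrior gateway: returns DNS servers and assigns addresses from
# two explicit pools (rightsourceip now accepts several pools).
conn rw-ikev2
    keyexchange=ikev2
    left=%any
    leftcert=gatewayCert.pem          # placeholder certificate
    leftsubnet=10.1.0.0/16,10.2.0.0/16
    rightdns=10.1.0.53,10.2.0.53      # pushed in the IKEv2 configuration payload
    rightsourceip=10.3.0.0/24,10.4.0.0/24
    rightauth=eap-mschapv2
    eap_identity=%identity
    dpdaction=clear
    dpddelay=30s
    auto=add

# IKEv1 gateway with a second authentication round: XAuth against RADIUS,
# and the user must additionally belong to the group "vpnusers" in that round.
conn rw-ikev1-xauth
    keyexchange=ikev1
    left=%any
    leftcert=gatewayCert.pem
    leftsubnet=10.1.0.0/16
    rightauth=pubkey
    rightauth2=xauth-radius
    rightgroups2=vpnusers             # placeholder group name
    rightsourceip=10.5.0.0/24
    auto=add

# Client side: request an IPv4 and an IPv6 virtual IP plus DNS servers of
# both families from the gateway.
conn client
    keyexchange=ikev2
    leftsourceip=%config4,%config6
    leftdns=%config4,%config6
    right=vpn.example.org             # placeholder gateway
    rightsubnet=10.1.0.0/16
    auto=start
```

For the IKEv1 connection the RADIUS server has to supply the group membership used by rightgroups2, which depends on the eap-radius plugin configuration in strongswan.conf and is not shown here.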