Minor Release


18 issues   (18 closed — 0 open)

Version 5.0.1

  • Introduced the sending of the standard IETF Assessment Result
    PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
  • Extended PTS Attestation IMC/IMV pair to provide full evidence of
    the Linux IMA measurement process. All pertinent file information
    of a Linux OS can be collected and stored in an SQL database.
  • The PA-TNC and PB-TNC protocols can now process huge data payloads
    >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
    and these messages over several PB-TNC batches. As long as no
    consolidated recommendation from all IMVs can be obtained, the TNC
    server requests more client data by sending an empty SDATA batch.
  • The rightgroups2 ipsec.conf option can require group membership during
    a second authentication round, for example during XAuth authentication
    against a RADIUS server.
  • The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
    clients against any PAM service. The IKEv2 eap-gtc plugin does not use
    PAM directly anymore, but can use any XAuth backend to verify credentials,
    including xauth-pam.
  • The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
    Extensions. As client, charon narrows traffic selectors to the received
    Split-Include attributes and automatically installs IPsec bypass policies
    for received Local-LAN attributes. As server, charon sends Split-Include
    attributes for leftsubnet definitions containing multiple subnets to Unity-
    aware clients.
  • An EAP-Nak payload is returned by clients if the gateway requests an EAP
    method that the client does not support. Clients can also request a specific
    EAP method by configuring that method with leftauth in ipsec.conf.
  • The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
    these to select a different EAP method supported/requested by the client.
    The plugin initially requests the first registered method or the first method
    configured with charon.plugins.eap-dynamic.preferred in strongswan.conf.
  • The new left|rightdns ipsec.conf options specify connection-specific DNS servers to
    request/respond in IKEv2 configuration payloads or IKEv1 mode config. leftdns
    can be any (comma separated) combination of %config4 and %config6 to request
    multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
    IP addresses to return.
  • The left|rightsourceip options now accept multiple addresses or pools.
    leftsourceip can be any (comma separated) combination of %config4, %config6
    or fixed IP addresses to request. rightsourceip accepts multiple explicitly
    specified or referenced named pools.
  • Multiple connections can now share a single address pool when they use the
    same definition in one of the rightsourceip pools.
  • The strongswan.conf options charon.interfaces_ignore and charon.interfaces_use
    allow one to configure the network interfaces used by the daemon.
  • The kernel-netlink plugin supports the new strongswan.conf option
    charon.install_virtual_ip_on, which specifies the interface on which
    virtual IP addresses will be installed. If it is not specified the current behavior
    of using the outbound interface is preserved.
  • The kernel-netlink plugin tries to keep the current source address when
    looking for valid routes to reach other hosts.
  • The autotools build has been migrated to use a config.h header. strongSwan
    development headers will get installed during "make install" if
    --with-dev-headers has been passed to ./configure.
  • All crypto primitives gained return values for most operations, allowing
    crypto backends to fail, for example when using hardware accelerators.
  • The UDP ports used by charon can be configured via ./configure or the
    charon.port and charon.port_nat_t options in strongswan.conf;
    if a port is configured as 0 it will be allocated randomly.
  • With uniqueids=never configured in ipsec.conf INITIAL_CONTACT notifies are ignored.
    Even with uniqueids=no configured the daemon will delete existing IKE_SAs with the same
    peer upon receipt of an INITIAL_CONTACT notify. The new value allows these notifies to be ignored.
  • Prefixing the identity configured with rightid with a % character prevents initiators
    from sending an IDr payload in the IKE_AUTH exchange. Later the configured identity will
    not only be checked against the returned IDr, but also against other identities contained
    in the responder's certificate.
  • Non-"/0" subnet sizes are accepted for traffic selectors starting at
  • Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down.
  • Caching of relations in validated certificate chains can be disabled with the
    libstrongswan.cert_cache strongswan.conf option.
  • Logging of multi-line log messages was fixed in situations where more than one logger
    was registered.
  • Fixed transmission of the EAP-MSCHAPv2 user name if it contains a domain part.
  • Added an option to enforce the configured destination address for DHCP packets.
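The ipsec.conf options introduced above (rightgroups2, leftauth-requested EAP methods with eap-dynamic, multi-subnet leftsubnet for Unity clients, left|rightdns, multi-pool left|rightsourceip with pool sharing, uniqueids=never and the % prefix on rightid) combined in one gateway and one roadwarrior configuration. This is an added example, not part of the release notes or the strongSwan distribution; host names, identities, subnets, pool ranges and the group name are assumptions chosen for illustration.

```conf
# /etc/ipsec.conf on the gateway (responder). Added example; all names and
# addresses are assumptions.
config setup
    # ignore INITIAL_CONTACT notifies entirely (new in 5.0.1); with "no" the
    # daemon would still delete existing IKE_SAs of the same peer
    uniqueids=never

conn %default
    left=%any
    leftcert=gwCert.pem
    leftid=@vpn.example.org
    # two subnets: Unity-aware IKEv1 clients receive them as Split-Include
    # attributes, IKEv2 clients as two traffic selectors
    leftsubnet=10.1.0.0/16,10.2.0.0/16
    # DNS servers returned in IKEv2 configuration payloads / IKEv1 mode config
    rightdns=10.1.0.53,10.2.0.53
    # one IPv4 and one IPv6 pool; every conn that repeats this exact
    # definition shares the same pools instead of getting a copy
    rightsourceip=10.3.0.0/24,fd00:3::/64
    right=%any

conn ikev2-eap
    keyexchange=ikev2
    leftauth=pubkey
    # eap-dynamic proposes the first preferred/registered method and switches
    # to the one a client requests via EAP-Nak
    rightauth=eap-dynamic
    auto=add

conn ikev1-xauth-radius
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    # second authentication round: XAuth credentials checked by RADIUS
    # (xauth-radius backend of the eap-radius plugin, assumed to be loaded)
    rightauth2=xauth-radius
    # membership in this group is required during the second round
    rightgroups2=vpn-admins
    auto=add

# /etc/ipsec.conf on a roadwarrior (initiator). Added example; assumptions as above.
conn roadwarrior
    keyexchange=ikev2
    left=%defaultroute
    leftid=alice@example.org
    # request this EAP method; a gateway proposing another one gets an EAP-Nak
    leftauth=eap-mschapv2
    # ask for one IPv4 and one IPv6 virtual address and DNS servers of both families
    leftsourceip=%config4,%config6
    leftdns=%config4,%config6
    right=vpn.example.org
    # the % prefix suppresses the IDr payload; the identity is then matched
    # against the returned IDr and against all identities in the gateway's certificate
    rightid=%vpn.example.org
    rightauth=pubkey
    auto=add
```

Both gateway conns inherit the same rightsourceip line from %default, so IKEv2 and IKEv1 clients draw addresses from one shared pool rather than two overlapping ones; if the pools are meant to be disjoint, give each conn its own definition.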
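The strongswan.conf options introduced above (charon.interfaces_use / interfaces_ignore, charon.port and charon.port_nat_t, charon.install_virtual_ip_on, charon.plugins.eap-dynamic.preferred and libstrongswan.cert_cache) in one file. This is an added example, not part of the release notes or the strongSwan distribution; the interface names and the method order are assumptions.

```conf
# /etc/strongswan.conf. Added example; interface names and values are assumptions.
charon {
    # bind only to these interfaces; interfaces_ignore is the inverse form
    interfaces_use = eth0, eth1
    # 500/4500 are the defaults; a value of 0 makes charon pick a random port
    port = 500
    port_nat_t = 4500
    # install virtual IPs assigned by the gateway on this interface instead of
    # the outbound interface used before 5.0.1
    install_virtual_ip_on = lo
    plugins {
        eap-dynamic {
            # methods proposed first, before an EAP-Nak from the client
            # selects one of the remaining registered methods
            preferred = mschapv2, md5
        }
    }
}
libstrongswan {
    # disable caching of relations in validated certificate chains
    cert_cache = no
}
```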