Version 5.0.1¶

• Introduced the sending of the standard IETF Assessment Result
  PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.

• Extended PTS Attestation IMC/IMV pair to provide full evidence of
  the Linux IMA measurement process. All pertinent file information
  of a Linux OS can be collected and stored in an SQL database.

• The PA-TNC and PB-TNC protocols can now process huge data payloads
  >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
  and these messages over several PB-TNC batches. As long as no
  consolidated recommandation from all IMVs can be obtained, the TNC
  server requests more client data by sending an empty SDATA batch.

• The rightgroups2 ipsec.conf option can require group membership during
  a second authentication round, for example during XAuth authentication
  against a RADIUS server.

• The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
  clients against any PAM service. The IKEv2 eap-gtc plugin does not use
  PAM directly anymore, but can use any XAuth backend to verify credentials,
  including xauth-pam.

• The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
  Extensions. As client, charon narrows traffic selectors to the received
  Split-Include attributes and automatically installs IPsec bypass policies
  for received Local-LAN attributes. As server, charon sends Split-Include
  attributes for leftsubnet definitions containing multiple subnets to Unity-
  aware clients.

• An EAP-Nak payload is returned by clients if the gateway requests an EAP
  method that the client does not support. Clients can also request a specific
  EAP method by configuring that method with leftauth in ipsec.conf.

• The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
  these to select a different EAP method supported/requested by the client.
  The plugin initially requests the first registered method or the first method
  configured with charon.plugins.eap-dynamic.preferred in strongswan.conf.

• The new left|rightdns ipsec.conf options specify connection specific DNS servers to
  request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
  can be any (comma separated) combination of %config4 and %config6 to request
  multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
  IP addresses to return.

• The left|rightsourceip options now accept multiple addresses or pools.
  leftsourceip can be any (comma separated) combination of %config4, %config6
  or fixed IP addresses to request. rightsourceip accepts multiple explicitly
  specified or referenced named pools.

• Multiple connections can now share a single address pool when they use the
  same definition in one of the rightsourceip pools.

• The strongswan.conf options charon.interfaces_ignore and charon.interfaces_use
  allow one to configure the network interfaces used by the daemon.

• The kernel-netlink plugin supports the new strongswan.conf option
  charon.install_virtual_ip_on, which specifies the interface on which
  virtual IP addresses will be installed. If it is not specified the current behavior
  of using the outbound interface is preserved.

• The kernel-netlink plugin tries to keep the current source address when
  looking for valid routes to reach other hosts.

• The autotools build has been migrated to use a config.h header. strongSwan
  development headers will get installed during "make install" if
  --with-dev-headers has been passed to ./configure.

• All crypto primitives gained return values for most operations, allowing
  crypto backends to fail, for example when using hardware accelerators.

• The UDP ports used by charon can be configured via ./configure or the
  charon.port and charon.port_nat_t options in strongswan.conf,
  if ports are configure to 0 they will be allocated randomly.

• The NetworkManager backend (charon-nm) uses random source ports
  to avoid conflicts with regular charon.

• With uniqueids=never configured in ipsec.conf INITIAL_CONTACT notifies are ignored.
  Even with uniqueids=no configured the daemon will delete existing IKE_SAs with the same
  peer upon receipt of an INITIAL_CONTACT notify. This new option allows to ignore these notifies.

• Prefixing the identity configured with rightid with a % character prevents initiators
  from sending an IDr payload in the IKE_AUTH exchange. Later the configured identity will
  not only be checked against the returned IDr, but also against other identities contained
  in the responder's certificate.

• Non-"/0" subnet sizes are accepted for traffic selectors starting at 0.0.0.0.

• Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down.

• Caching of relations in validated certificate chains can be disabled with the
  libstrongswan.cert_cache strongswan.conf option.

• Logging of multi-line log messages was fixed in situations where more than one logger
  was registered.

• Fixed transmission EAP-MSCHAPv2 user name if it contains a domain part.

• Added an option to enforce the configured destination address for DHCP packets.