Version 5.0.3¶

• The new ipseckey plugin enables authentication based on trustworthy public
  keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
  To do so it uses a DNSSEC enabled resolver, like the one provided by the new
  unbound plugin, which is based on libldns and libunbound. Both plugins were
  created by Reto Guadagnini. Examples: ikev2/net2net-dnssec ikev2/rw-dnssec

• Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
  available to an IMV. The OS IMV stores the AR identity together with the
  device ID in the attest database.

• The openssl plugin now uses the AES-NI accelerated version of AES-GCM
  if the hardware supports it.

• The eap-radius plugin can now assign virtual IPs to IKE clients using the
  Framed-IP-Address attribute by using the %radius named pool in the
  rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
  Unity-capable IKEv1 clients during mode config. charon now sends Interim
  Accounting updates if requested by the RADIUS server, reports
  sent/received packets in Accounting messages, and adds a Terminate-Cause
  to Accounting-Stops.

• The recently introduced ipsec listcounters command can report connection
  specific counters by passing a connection name, and global or connection
  counters can be reset by the ipsec resetcounters command.

• The tnc-ifmap plugin has been reimplemented without any dependency to
  the Apache Axis2/C library. Several configuration options have been changed.

• The strongSwan libpttls library provides an experimental implementation of
  PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.

• The charon systime-fix plugin can disable certificate lifetime checks on
  embedded systems if the system time is obviously out of sync after bootup.
  Certificates lifetimes get checked once the system time gets sane, closing
  or reauthenticating connections using expired certificates.

• The ikedscp ipsec.conf option can set DiffServ code points on outgoing
  IKE packets.

• The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
  clients that cannot be configured without XAuth authentication. The plugin
  simply concludes the XAuth exchange successfully without actually performing
  any authentication. Therefore, to use this backend it has to be selected
  explicitly with rightauth2=xauth-noauth.

• The new charon-tkm IKEv2 daemon delegates security critical operations to a
  separate process. This has the benefit that the network facing daemon has no
  knowledge of keying material used to protect child SAs. Thus subverting
  charon-tkm does not result in the compromise of cryptographic keys.
  The extracted functionality has been implemented from scratch in a minimal TCB
  (trusted computing base) in the Ada programming language. Further information
  can be found at http://www.codelabs.ch/tkm/.

• Multiple certificates can be configured for left|rightcert in ipsec.conf. The daemon
  chooses the certificate based on the received certificate requests, if possible,
  before enforcing the first.

• Mutual EAP authentication has been fixed when it is not used as first authentication
  round.

• The NetworkManager backend (charon-nm) uses a TUN device to satisfy NM's need
  for a network device. This fixes LP:872824.

• A route is installed for shunt policies (passthrough/drop). This fixes some combinations
  of shunt policies and virtual IP addresses as locally generated traffic wouldn't match
  the shunt policy anymore due to the route installed with the VIP. Also, the unity plugin
  includes the local address in split-exclude shunt policies.

• Added an option (charon.plugins.ha.autobalance) to balance a HA cluster automatically.

• Most parts of the android plugin (the backend for the Android VPN applet patch) have
  been removed and the remaining DNS handler has been moved to the new android-dns plugin.

• Several IKEv1 corner cases have been fixed (e2857be8, f836d433, 3dc9d427, 9d9042d6,
  0235914d, 8a0a1ae8, ac48d9e4).

• Alignment issues in the kernel-netlink plugin have been fixed and the Netlink XFRM message
  attribute handling has been refactored.

• The duplicheck plugin tracks multiple IKE_SAs when checking state to avoid any
  race conditions (9c84bbcb).

• The --disable-defaults configure option allows to disable all features
  that are enabled by default.

• The charon.plugins.stroke.timeout strongswan.conf option allows to define a timeout in ms
  for any stroke command.

• ipsec statusall reports the number of processed IPsec packets.

• Reloading secrets from ipsec.secrets with ipsec rereadsecrets is now done atomically.

• Supplementary groups are initialized using initgroups(3) when running as unprivileged user.

• Fixed handling of IPv6 SQL address pools if multiple pools are assigned to rightsourceip.

• Fixed stroke loglevel any (96a2d207).