Version 5.1.2
- A new default configuration file layout is introduced (with full backward compatibility).
The new default strongswan.conf file mainly includes config snippets from the
strongswan.d and strongswan.d/charon directories (the latter containing snippets
for all plugins). The snippets, with commented defaults, are automatically generated
and installed if they don't exist yet. They are also installed in
$prefix/share/strongswan/templates so existing files can be compared to
the current defaults.
- As an alternative to the non-extensible charon.load setting, the plugins
to load in charon (and optionally other applications) can now be determined
via the charon.plugins.<name>.load setting for each plugin (enabled in the
new default strongswan.conf file via the charon.load_modular option).
The load setting optionally takes a numeric priority value that allows
reordering the plugins (otherwise the default plugin order is preserved).
- All strongswan.conf settings that were formerly defined in library specific
"global" sections are now application specific (e.g. settings for plugins in
libstrongswan.plugins can now be set only for charon in charon.plugins).
The old options are still supported, which now allows defaults for all
applications to be defined in the libstrongswan section.
- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum IKE key
exchange mechanism. The implementation is based on the ntru-crypto library from
the NTRUOpenSourceProject. The supported security strengths are ntru112, ntru128,
ntru192, and ntru256. Since the private-use DH group IDs 1030..1033 are assigned
to these groups, the strongSwan Vendor ID must be sent (charon.send_vendor_id = yes)
in order to use NTRU.
- Defined a TPMRA remote attestation workitem and added support for it to the
Attestation IMV.
- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
well as multiple subnets in left|rightsubnet have been fixed.
- When enabling its session strongswan.conf option, the xauth-pam plugin opens
and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
- The strongSwan unit testing framework has been rewritten without the check
dependency for improved flexibility and portability. It now properly supports
multi-threaded and memory leak testing and brings a bunch of new test cases.
- If charon.plugins.stroke.prevent_loglevel_changes is enabled, the stroke plugin prevents
log level changes via ipsec stroke.
- The inactivity counter is reset with every rekeying, which means that the inactivity timeout
must be smaller than the rekeying interval to have any effect (d048a319df).
- SQL schemas and example data (IMV) are now distributed and installed in
$prefix/share/strongswan.
- A method to register custom proposal keyword parsers has been added (568e302260).
- A deadlock was fixed when installing trap policies (bb492d80b5).
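The following strongswan.conf fragment is an added illustration of the modular plugin loading, the libstrongswan defaults section and the NTRU, xauth-pam and stroke options described above; it is not a file shipped by the project. The plugin names and the priority value are chosen for illustration, and it assumes that a higher numeric load value increases a plugin's priority so that it is loaded earlier.

```conf
# Illustrative /etc/strongswan.conf (added example, not the project's default file)

# Defaults for every application; formerly the "global" libstrongswan section.
# Application-specific settings below take precedence over these.
libstrongswan {
    plugins {
        openssl {
            load = yes
        }
    }
}

charon {
    # Use the per-plugin charon.plugins.<name>.load settings instead of the
    # flat, non-extensible charon.load list.
    load_modular = yes

    # Required to negotiate the private-use DH group IDs 1030..1033 used by NTRU.
    send_vendor_id = yes

    plugins {
        # A numeric value reorders plugins (assumption: higher loads earlier);
        # a plain "yes" keeps the default plugin order.
        openssl {
            load = 10
        }
        ntru {
            load = yes
        }
        xauth-pam {
            load = yes
            # Open and close a PAM session for each established IKE_SA.
            session = yes
        }
        stroke {
            load = yes
            # Refuse log level changes requested via "ipsec stroke".
            prevent_loglevel_changes = yes
        }
        # Generated per-plugin snippets with commented defaults.
        include strongswan.d/charon/*.conf
    }
}

# Generated per-application snippets with commented defaults.
include strongswan.d/*.conf
```

Settings given explicitly in this file can be compared against the generated templates under $prefix/share/strongswan/templates to spot where they diverge from the shipped defaults.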