- The new charon-systemd IKE daemon implements an IKE daemon tailored
for use with systemd. It avoids the dependency on ipsec starter and
uses swanctl as configuration backend, building a simple and
lightweight solution. Native systemd journal logging is supported.
- Support for the new IKEv2 Fragmentation mechanism as defined by
RFC 7383 has been added, which avoids IP fragmentation of
IKEv2 UDP datagrams exceeding the network's MTU size. This feature is
activated by setting fragmentation=yes in ipsec.conf and optionally
setting the maximum IP packet size with the charon.fragment_size
parameter in strongswan.conf.
- Support of the TCG TNC IF-M Attribute Segmentation specification proposal,
which allows to transfer potentially huge attributes amounting to several
megabytes of measurement data like the TCG/SWID Tag [ID] Inventory
or IETF/Installed Packages attributes via the PA-TNC, PB-TNC and
either PT-EAP or PT-TLS NEA protocol stack. By default segmented attributes
are just reconstructed on the receiving side from the individual segments
with the exeception of the three attribute types mentioned above which can
be parsed and processed incrementally as the segments arrive one-by-one.
A commented example can be found under PT-EAP-SWID.
- For the vici plugin a ruby gem has been added to allow ruby applications
to control or monitor the IKE daemon. The vici documentation has been
updated to include a description of the available operations and some simple
examples using both the libvici C interface and the ruby gem (see README.md).
- The new ext-auth plugin calls an external script to implement custom IKE_SA
authorization logic, courtesy of Vyronas Tsingaras.
- Paths to the ipsec.conf and ipsec.conf configuration files may be configured
via strongswan.conf. The path to strongswan.conf may be passed via the
STRONGSWAN_CONFenvironment variable. Patches courtesy of Shea Levy.
- Support for IKEv1 fragmentation has been extended to Windows XP/7 clients,
courtesy of Volker Rümelin.
- A static interval for interim RADIUS accounting updates can be configured for
the eap-radius plugin. It's overridden by any interval the RADIUS server returns
in the Access-Accept message, but it can be useful if RADIUS is only used for accounting.
- Fixed re-authentication when using IKEv1 Mode Config in push mode (cb98380fe9e4).
- Handle Quick Mode DELETES during a Quick Mode rekeying (cd9bba508bba).
- Fixed some Cisco Unity corner cases (rekeying and situations where no split-include attributes
are received), one fix didn't made it into this release though (#737).
- Fixed some IKEv1 interoperability issues (e.g. with proposal numbering and IPComp), see #661.
- Fixed a crash during reauthentication with multiple authentication rounds caused by the
incorrect use of
Also added a comment regarding the used of that function (see c641974de001).
- The kernel-pfkey plugin now reports packet counts (25fcbab6789c).
- If available the kernel-pfroute plugin uses RTM_IFANNOUNCE/IFAN_DEPARTURE events to
delete cached interfaces (see f80093e2ee65).
- The kernel-netlink plugin can set MTU and MSS on installed routes via settings in
strongswan.conf (these are global and affect all SAs).
- The kernel-netlink plugin optionally installs protocol and ports on transport mode
SAs (90e6675a657c) to enforce policies for inbound traffic. Enabling this prevents the use
of a single IPsec SA by more than one traffic selectors though.
- TESTS_SUITES_EXCLUDE option added to unit test runner.
- Added the source:testing/scripts/build-strongswan script to (relatively) quickly (re-)build
strongSwan in the testing environment.