- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.
- The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
and support for
CHILD_SA_NOT_FOUNDnotifies, as defined by RFC 7296,
has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.
- IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
policies may be restricted to a network interface. These options are only configurable via swanctl.conf.
An example is provided in the swanctl/manual-prio scenario.
- The scheme for the automatically calculated default priorities has been changed and now also
considers port masks, which were added with 5.4.0 (for details see d3af3b799f).
- FWD policies are now installed in both directions in regards to the traffic selectors (9c12635252).
Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios) they are installed
with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
two and prefer those with a reqid.
- How the interface for routes installed with policies is determined has changed (96b1fab53c). In most
cases the interface over which the other peer is reached is now used, not the interface on which the local
address (or the source IP) is installed. However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).
- No routes are installed anymore for drop policies and policies with port/protocol selector (e7369a9dc5).
- For outbound IPsec SAs no replay window is configured anymore.
- When using unique marks (mark=%unique) the allocated mark is now correctly passed to the
updown script (b210369314).
- Enhanced the functionality of the swanctl --list-conns command by listing IKE_SA and CHILD_SA
reauthentication and rekeying settings and EAP/XAuth identities and EAP types.
- Fixed an interoperability issue with Windows Server 2012 R2 gateways after modifying the default IKE
proposal with 5.4.0 (fae18fd201, also explained in the changelog of the Android app).
- DNS servers installed by the resolve plugin are now refcounted, which should fix its use with
make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.
- Negotiation of ESN with IKEv1 is supported (40bb4677f7).
- The default plugin load list may now be modified by specifying the individual load setting of a plugin.
- Fixed how mappings are stored in the eap-simaka-pseudonym plugin (5005325020).
- Support for BoringSSL and OpenSSL 1.1.0 has been added.
- Notes for developers:
- The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
- Similarly the constructors for
child_cfg_tnow take structs.
- We now use the standard unsigned integer types (e.g.
- The testing environment now uses images based on Debian jessie (stable).