The strongSwan 5.0.1 release refines the 5.0 branch and comes with a bunch of new features.
The leftsourceip option now accepts a comma-separated combination of %config4, %config6 or fixed IP addresses to request from the responder. Likewise, the rightsourceip option accepts multiple explicitly specified or referenced named address pools. The new ip-two-pools-v4v6 test scenario illustrates the use of these options.
An extended PTS Attestation IMC/IMV pair provides full evidence of the Linux Integrity Measurement Architecture (IMA) measurement process. All pertinent file information of a Linux OS can be collected and stored in an SQL database. More information can be found in the conference paper Andreas presented at the recent Linux Security Summit held in San Diego.
The new unity plugin brings support for parts of the IKEv1 Cisco Unity Extensions. As a client, charon narrows traffic selectors to received Split-Include attributes and automatically installs IPsec bypass policies for received Local-LAN attributes. As a server, charon sends Split-Include attributes for leftsubnet definitions containing multiple subnets to Unity-aware clients. The use of this plugin is illustrated in the new rw-cert-unity test scenario.
Thanks to support for the EAP-Nak payload, charon, as a client, is now able to request from the server a specific EAP method configured with leftauth. Servers can use the eap-dynamic plugin to dynamically select an EAP method supported or requested by clients. An example of this is provided in the new rw-eap-dynamic test scenario.
The new xauth-pam plugin can authenticate IKEv1 XAuth- and Hybrid-authenticated clients against any PAM service. The IKEv2 eap-gtc plugin no longer uses PAM directly, but can instead use any XAuth backend, including xauth-pam, to verify credentials.
With the strongswan.conf options charon.interfaces_ignore and charon.interfaces_use, the network interfaces used by the daemon can be configured. Events generated for ignored interfaces (routing, address changes, etc.) are ignored and packets received on them are dropped. The charon.install_virtual_ip_on option allows specifying on which network interface virtual IP addresses will be installed.
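The configuration below is an added illustration, not taken from the release or from the ip-two-pools-v4v6 scenario, of the multi-pool leftsourceip/rightsourceip syntax described above together with the new interface options; the host names, certificates, addresses and subnets are constructed.

```ini
# --- ipsec.conf on the responder (gateway "moon"), constructed example ---
conn rw
    left=192.168.0.1
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftsubnet=10.1.0.0/16,fec1::/64
    right=%any
    # two pools, one IPv4 and one IPv6: each client may draw one address
    # from each pool (named pools could be referenced here instead)
    rightsourceip=10.3.0.0/28,fec3::/120
    auto=add

# --- ipsec.conf on the initiator (roadwarrior "carol"), constructed example ---
conn home
    left=%defaultroute
    leftcert=carolCert.pem
    leftid=carol@strongswan.org
    # request one IPv4 and one IPv6 virtual address from the responder
    leftsourceip=%config4,%config6
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16,fec1::/64
    auto=add

# --- strongswan.conf on the initiator, constructed example ---
charon {
    # only use the external interface; events on other interfaces are
    # ignored and packets arriving on them are dropped
    interfaces_use = eth0
    # install the assigned virtual IPs on lo instead of the outgoing interface
    install_virtual_ip_on = lo
}
```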