strongSwan 5.0.2 Released

The strongSwan 5.0.2 release brings many new and extended features.


New IKEv1 Features

Support for the proprietary IKEv1 fragmentation extension (Cisco flavor, as implemented by Cisco, racoon and Shrew) has been added. This was implemented because Apple's VPN client (racoon) in iOS 6.0.x sends fragments even if the responder has not announced support for them. Fragments are always accepted on receipt, but they are only sent if the peer supports them and if sending is enabled with the new fragmentation option in ipsec.conf.

IKEv1 in charon can now parse certificates received in PKCS#7 containers and supports NAT traversal as used by Windows XP clients. Patches courtesy of Volker Rümelin.

New IKEv2 Features

IKEv2 proposals can now use a PRF algorithm different from the one derived from the integrity algorithm. If an algorithm with a "prf" prefix is defined explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on the integrity algorithm is added to the proposal.
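The following ipsec.conf fragment is an added example for this release note, not a file shipped with strongSwan: it shows the new fragmentation option on an IKEv1 connection for iOS clients and an explicit PRF in an IKEv2 proposal. Hostnames, certificate file names and subnets are placeholders, and authentication settings beyond the certificate are left out to keep the two new keywords in focus.

```conf
# /etc/ipsec.conf (constructed example)
config setup

# IKEv1 connection for iOS 6.0.x (racoon) clients. Fragments are accepted
# on receipt regardless of this setting; fragmentation=yes additionally
# lets charon send fragmented IKE messages to peers that support it.
conn ios-ikev1
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.com
    leftsubnet=10.0.0.0/16
    right=%any
    rightsourceip=10.1.0.0/24
    auto=add

# IKEv2 connection with an explicit PRF. Key material is derived with
# prfsha384 while sha256 remains the integrity algorithm; without the
# prfsha384 token charon would implicitly add prfsha256 to the proposal.
conn roadwarrior-ikev2
    keyexchange=ikev2
    ike=aes256-sha256-prfsha384-modp2048!
    esp=aes256gcm16!
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.com
    leftsubnet=10.0.0.0/16
    right=%any
    rightsourceip=10.1.0.0/24
    auto=add
```

The trailing "!" makes the proposal strict, so a peer that only offers the implicit prfsha256 combination will not match; drop it if you need to interoperate with peers that do not negotiate a separate PRF.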

New Trusted Network Connect Features

All IETF Standard PA-TNC attributes defined in RFC 5792 have been implemented. A strongSwan OS IMC/IMV pair uses these attributes to transfer operating system information from a Linux client to a TNC server.
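To make the wire format those IMC/IMV pairs exchange concrete, here is an added example (not strongSwan code) that parses a PA-TNC message per RFC 5792: the 8-byte message header followed by attribute TLVs with a 12-byte header each, decoding the IETF Product Information and String Version attributes an OS IMC would send. The sample message is constructed inside the block; the attribute bodies for other types are returned raw. The length checks are the part worth copying: an attribute length below 12 or beyond the buffer is rejected rather than sliced.

```python
import struct

PA_TNC_VERSION = 1
IETF_VENDOR_ID = 0      # vendor ID 0 marks IETF standard attributes
FLAG_NOSKIP = 0x80      # NOSKIP flag: recipient must not silently skip the attribute
MSG_HDR_LEN = 8         # version(1) + reserved(3) + message identifier(4)
ATTR_HDR_LEN = 12       # flags(1) + vendor id(3) + type(4) + length(4)

# IETF standard PA-TNC attribute types (RFC 5792)
IETF_ATTR_NAMES = {
    0: "Testing", 1: "Attribute Request", 2: "Product Information",
    3: "Numeric Version", 4: "String Version", 5: "Operational Status",
    6: "Port Filter", 7: "Installed Packages", 8: "PA-TNC Error",
    9: "Assessment Result", 10: "Remediation Instructions",
    11: "Forwarding Enabled", 12: "Factory Default Password Enabled",
}


class PaTncError(ValueError):
    """Malformed input; a real IMV would answer with a PA-TNC Error attribute."""


def _decode_ietf_value(attr_type, value):
    """Decode the IETF attribute bodies this example understands; others stay raw."""
    if attr_type == 2:   # Product Information: vendor id(3), product id(2), name
        if len(value) < 5:
            raise PaTncError("Product Information shorter than 5 bytes")
        return {"product_vendor_id": int.from_bytes(value[:3], "big"),
                "product_id": struct.unpack("!H", value[3:5])[0],
                "product_name": value[5:].decode("utf-8")}
    if attr_type == 4:   # String Version: three strings, each with a 1-byte length
        fields, pos = [], 0
        for _ in range(3):
            if pos >= len(value):
                raise PaTncError("String Version truncated")
            n, pos = value[pos], pos + 1
            if pos + n > len(value):
                raise PaTncError("String Version field runs past the attribute")
            fields.append(value[pos:pos + n].decode("utf-8"))
            pos += n
        if pos != len(value):
            raise PaTncError("trailing bytes after String Version fields")
        return {"version": fields[0], "build": fields[1], "config": fields[2]}
    return value


def parse_pa_tnc(data):
    """Parse a PA-TNC message into its message identifier and attribute list."""
    if len(data) < MSG_HDR_LEN:
        raise PaTncError("message shorter than its header")
    if data[0] != PA_TNC_VERSION:
        raise PaTncError("unsupported PA-TNC version %d" % data[0])
    message_id = struct.unpack("!I", data[4:8])[0]
    attrs, pos = [], MSG_HDR_LEN
    while pos < len(data):
        if len(data) - pos < ATTR_HDR_LEN:
            raise PaTncError("attribute header truncated at offset %d" % pos)
        flags = data[pos]
        vendor_id = int.from_bytes(data[pos + 1:pos + 4], "big")
        attr_type, length = struct.unpack("!II", data[pos + 4:pos + 12])
        # length covers the 12-byte header: smaller values or values running
        # past the buffer are malformed attributes, not short values
        if length < ATTR_HDR_LEN:
            raise PaTncError("attribute length %d smaller than header" % length)
        if pos + length > len(data):
            raise PaTncError("attribute length %d exceeds message" % length)
        value = data[pos + ATTR_HDR_LEN:pos + length]
        ietf = vendor_id == IETF_VENDOR_ID
        attrs.append({
            "noskip": bool(flags & FLAG_NOSKIP),
            "vendor_id": vendor_id,
            "type": attr_type,
            "type_name": IETF_ATTR_NAMES.get(attr_type, "unknown") if ietf else "vendor-specific",
            "value": _decode_ietf_value(attr_type, value) if ietf else value,
        })
        pos += length
    return {"message_id": message_id, "attributes": attrs}


def build_attr(vendor_id, attr_type, value, noskip=False):
    """Encode one attribute TLV (used here only to construct sample input)."""
    flags = FLAG_NOSKIP if noskip else 0
    return (bytes([flags]) + vendor_id.to_bytes(3, "big")
            + struct.pack("!II", attr_type, ATTR_HDR_LEN + len(value)) + value)


def build_sample_message():
    """Constructed sample of what an OS IMC might report about a Linux client."""
    product_info = bytes(3) + struct.pack("!H", 0) + b"Ubuntu"
    string_version = bytes([5]) + b"12.10" + bytes([0]) + bytes([6]) + b"x86_64"
    body = (build_attr(IETF_VENDOR_ID, 2, product_info, noskip=True)
            + build_attr(IETF_VENDOR_ID, 4, string_version))
    return bytes([PA_TNC_VERSION, 0, 0, 0]) + struct.pack("!I", 0x12345678) + body


def is_rejected(data):
    """True if parse_pa_tnc refuses the input (for checking malformed cases)."""
    try:
        parse_pa_tnc(data)
    except PaTncError:
        return True
    return False


if __name__ == "__main__":
    msg = build_sample_message()
    for attr in parse_pa_tnc(msg)["attributes"]:
        print(attr["type_name"], attr["value"])
    # an attribute whose length field (4) is below the header size must be rejected
    bad = msg[:MSG_HDR_LEN + 8] + (4).to_bytes(4, "big")
    print("short attribute rejected:", is_rejected(bad))
```

Running the block prints the two decoded attributes and confirms that a length field smaller than the header is refused; feeding it a message cut short by one byte is refused the same way.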

New Statistics Features

The new ipsec listcounters command prints global counters of received and sent IKE messages and of rekeyings.

The new lookip plugin allows fast lookups of tunnel information by a client's virtual IP. It can also send notifications about established or deleted tunnels. The ipsec lookip command can be used to query such information or to receive notifications.

The new error-notify plugin catches some common error conditions and allows an external application to receive notifications for them over a UNIX socket.

Extended Smartcard Features

Usually, the pkcs11 plugin automatically loads the correct certificate from a smartcard, based on the identity configured with leftid. In case this automatic selection is insufficient, for instance, if multiple certificates use the same subject, a specific certificate can now be loaded with the leftcert keyword for each conn section in ipsec.conf. The same is supported for CA certificates in ca sections.
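An added example (not part of the strongSwan distribution) of selecting a specific smartcard certificate with leftcert, together with the matching PIN entry in ipsec.secrets and the pkcs11 module definition in strongswan.conf. The module name opensc, its library path, the slot number and the key IDs 50 and 51 are placeholders; that the same %smartcard selector applies to cacert in a ca section is stated in the release note above, the exact form used here for it is assumed to match the leftcert syntax.

```conf
# --- /etc/strongswan.conf: register the PKCS#11 module the selectors refer to
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                }
            }
        }
    }
}

# --- /etc/ipsec.secrets: PIN for the private key matching the selected certificate
: PIN %smartcard0@opensc:50 "1234"

# --- /etc/ipsec.conf
# %smartcard[<slot nr>[@<module>]]:<keyid> picks the certificate by its
# CKA_ID (hex 50) on slot 0 of module "opensc" instead of searching the token
# for a subject matching leftid. This matters when several certificates on
# the token carry the same subject, e.g. an old and a renewed one.
conn sc-roadwarrior
    keyexchange=ikev2
    left=%defaultroute
    leftcert=%smartcard0@opensc:50
    leftid="C=CH, O=Example, CN=alice"
    right=vpn.example.com
    rightid=@vpn.example.com
    rightsubnet=10.0.0.0/16
    auto=add

# A CA certificate can be pinned to a token object the same way
ca example-ca
    cacert=%smartcard0@opensc:51
    auto=add
```

Check the result with ipsec listcerts after starting the daemon: the certificate listed for the connection should be the one whose key ID you named, not merely the first one whose subject matches leftid.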

Performance Testing

The load-tester plugin gained additional options for certificate generation and can load keys and multiple CA certificates from external files. Also, it can install a dedicated outer IP address for each tunnel, and tunnel initiation batches can be triggered and monitored externally using the ipsec load-tester tool.

Software Regression Testing and Simulation

The integration and regression test environment was updated and now uses KVM and reproducible guest images based on the latest Debian packages.

Other notable changes

  • PKCS#7 container parsing has been modularized, and the openssl plugin gained an alternative implementation to decrypt and verify such files. In contrast to our own DER parser, OpenSSL can handle BER files, which is required for interoperability of our scepclient with the EJBCA PKI software.
  • The new rdrand plugin provides a high quality / high performance random source using the Intel rdrand instruction supported by Ivy Bridge processors.
  • The charon daemon reloads the logger configuration from strongswan.conf if it receives a SIGHUP. Besides changing the logging configuration at runtime, this makes it easy to rotate log files created by file loggers without having to restart the daemon.
  • Resolving hosts by DNS name is now done in separate threads, which allows us to cancel these lookups (provided getaddrinfo(3) is a cancellation point on the platform).
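As an added example of the SIGHUP-based log rotation described above (constructed for this page, not shipped with strongSwan): a file logger in strongswan.conf and a logrotate configuration whose postrotate step sends SIGHUP to charon so it reopens the freshly created log file. The log path, rotation schedule and the pid file location /var/run/charon.pid are assumptions to be adjusted to the installation.

```conf
# --- /etc/strongswan.conf: a file logger, section named after the log path
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1
            ike = 2
            flush_line = yes
        }
    }
}

# --- /etc/logrotate.d/charon
/var/log/charon.log {
    weekly
    rotate 8
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    postrotate
        # SIGHUP makes charon re-read the logger configuration and reopen
        # its log files; no tunnels are affected, unlike a daemon restart
        if [ -f /var/run/charon.pid ]; then
            kill -HUP "$(cat /var/run/charon.pid)"
        fi
    endscript
}
```

Use delaycompress so the file charon may still be writing to while the signal is delivered is not compressed in the same run; the reopen happens when charon handles the signal, not synchronously with the mv logrotate performs.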

Download it from here - a more extensive changelog can be found on our wiki.