strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

codelabs

strongSwan 5.0.3 Released

The strongSwan 5.0.3 release comes with DNSSEC-based authentication, EAP-RADIUS improvements, Trusted Key Management support and many other new features and fixes.


DNSSEC-based Authentication

The new ipseckey plugin enables authentication based on trustworthy public keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC. To do so it uses a DNSSEC enabled resolver, like the one provided by the new unbound plugin, which is based on libldns and libunbound. Both plugins were created by Reto Guadagnini. The new  net2net-dnssec and rw-dnssec test scenarios illustrate this feature.

EAP-RADIUS Improvements

The eap-radius plugin can now assign virtual IPs to IKE clients using the Framed-IP-Address attribute by using the %radius named pool in the rightsourceip ipsec.conf option. The new rw-eap-framed-ip-radius test scenario illustrates this feature. Cisco Banner attributes are forwarded to Unity-capable IKEv1 clients during mode config. The charon IKE daemon now sends Interim Accounting updates if requested by the RADIUS server. It also reports sent and received packets in Accounting messages, and adds a Terminate-Cause to Accounting-Stops.

Trusted Key Management Support

The new charon-tkm IKEv2 daemon delegates security critical operations to a separate process. This has the benefit that the network facing daemon has no knowledge of the keying material used to protect child SAs. Thus subverting charon-tkm does not result in the compromise of cryptographic keys. The extracted functionality has been implemented from scratch in a minimal TCB (trusted computing base) in the Ada programming language. Further information can be found at http://www.codelabs.ch/tkm/. Both components were created by Adrian Rüegsegger and Reto Bürki.

Improved Trusted Network Connect Features

The TCG TNC IF-IMV 1.4 draft has been implemented, which makes Access Requestor identities available to an IMV. The OS IMV stores the AR identity together with the device ID in the attest database.

The tnc-ifmap plugin has been reimplemented without any dependency to the Apache Axis2/C library, which improves interoperability with MAP servers by different vendors significantly.

With the strongSwan libpttls library an experimental implementation of PT-TLS (RFC 6876, A Posture Transport Protocol over TLS) is provided.

Dummy XAuth Authentication

For IKEv1 client implementations that can't be configured without XAuth (e.g. Apple iOS) the new xauth-noauth plugin provides a means to use basic RSA or PSK authentication. The plugin simply concludes the XAuth exchange successfully without actually performing any authentication. Therefore, to use this backend it has to be selected explicitly with rightauth2=xauth-noauth.

Certificate Lifetime Checks On Embedded Devices

With the charon systime-fix plugin certificate lifetime checks can be disabled on embedded systems if the system time is obviously out of sync after bootup. Certificates lifetimes get checked once the system time gets sane, closing or reauthenticating connections that use expired certificates.

Other Notable Changes

  • The openssl plugin now uses the AES-NI accelerated version of AES-GCM if the hardware supports it.
  • ipsec listcounters now provides connection specific counters when passed a connection name, and the ipsec resetcounters allows resetting global and connection-specific counters.
  • The ikedscp ipsec.conf option allows setting DiffServ code points on outbound IKE packets.
  • Multiple certificates can be configured for left|rightcert in ipsec.conf. The daemon chooses the certificate based on the received certificate requests, if possible, before enforcing the first.
  • The NetworkManager backend (charon-nm) uses a TUN device to satisfy NM's need for a network device. This fixes LP:872824.

Download it from here - a more extensive changelog can be found on our wiki.