Blog

Release and vulnerability announcements for strongSwan

strongSwan 5.1.0 Released

We are proud to release strongSwan 5.1.0, which brings many new and improved features and fixes a DoS vulnerability.

Denial-of-Service Vulnerability (CVE-2013-5018)

This release fixes a denial-of-service vulnerability that could be triggered by special XAuth usernames and EAP identities (versions 5.0.3 and 5.0.4 are affected) and by local PEM files (all versions since 4.1.11 are affected).

More information is provided in a separate blog entry.

Easy-to-Use charon-cmd Command-Line IKE Client

The new charon-cmd command-line IKE client can establish road warrior connections using IKEv1 or IKEv2 with different authentication profiles. It does not depend on any configuration files (neither ipsec.conf nor ipsec.secrets, although it may use strongswan.conf options) and can be configured using a few simple command-line options.

Support of PKCS#12 Private Key/Certificate Container Format

Extraction of certificates and private keys from PKCS#12 files is now provided by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well as charon (via a P12 token in ipsec.secrets) can make use of this new functionality.

Support of ssh-agent and other Public Key Formats

The sshkey plugin parses SSH public keys, which, together with the --agent option for charon-cmd, allows the use of ssh-agent for authentication.

To configure SSH public keys in ipsec.conf, the left|rightrsasigkey options are replaced with left|rightsigkey, which now take public keys in one of three formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), or PKCS#1 (the default, no prefix).
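As an added illustration (not strongSwan code and not part of the original announcement), the Python example below parses the two prefixed formats named above and recovers the RSA exponent and modulus from each, so the same key can be compared across encodings. It assumes the payload after the prefix is marked 0s for base64 or 0x for hex; the function names and the toy 64-bit key are constructed for this example.

```python
import base64

def parse_ssh_rsa(blob):
    """RFC 4253 ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    fields, off = [], 0
    while off < len(blob):
        length = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + length > len(blob):  # also catches a cut-off length field
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return tuple(int.from_bytes(f, "big") for f in fields[1:])

def parse_dns_rsa(blob):
    """RFC 3110 RSA key: exponent length (1 or 3 octets), exponent, modulus."""
    if len(blob) < 3:
        raise ValueError("key too short")
    elen, off = blob[0], 1
    if elen == 0:  # long form: 0x00 followed by a 16-bit length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if elen == 0 or off + elen >= len(blob):
        raise ValueError("bad exponent length")
    e = int.from_bytes(blob[off:off + elen], "big")
    return e, int.from_bytes(blob[off + elen:], "big")

PARSERS = {"ssh": parse_ssh_rsa, "dns": parse_dns_rsa}

def parse_sigkey(value):
    """Return (format, e, n) for an ssh:- or dns:-prefixed key value."""
    fmt, sep, rest = value.partition(":")
    if not sep or fmt not in PARSERS:
        raise ValueError("no ssh:/dns: prefix, so PKCS#1 (not parsed here)")
    # Assumption: 0s marks a base64 payload and 0x marks a hex payload.
    if rest.startswith("0s"):
        blob = base64.b64decode(rest[2:], validate=True)
    elif rest.startswith("0x"):
        blob = bytes.fromhex(rest[2:])
    else:
        raise ValueError("expected 0s (base64) or 0x (hex) payload")
    return (fmt, *PARSERS[fmt](blob))

# Constructed sample: toy key with e = 65537 and a 64-bit modulus (not a real key).
E, N = 65537, 0xC5A1B2C3D4E5F607
SSH_VALUE = "ssh:0s" + base64.b64encode(bytes.fromhex(
    "000000077373682d727361" "00000003010001" "0000000900c5a1b2c3d4e5f607")).decode()
DNS_VALUE = "dns:0x" + "03010001" + "c5a1b2c3d4e5f607"
```

Both sample values decode to the same exponent and modulus; only the framing differs (length-prefixed fields in the SSH format, a leading exponent-length octet in the DNSKEY format).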

Trusted Network Connect (TNC) Policy Manager Interface

Using a SQL database interface, a TNC Policy Manager can generate specific measurement workitems for an arbitrary number of Integrity Measurement Verifiers (IMVs), based on the history of the individual VPN users and/or client devices.

We are currently working on the documentation and some demo examples for the new Python/Django-based strongTNC Policy Manager Tool implemented by the HSR students Stefan Rohner and Marco Tanner as part of their Bachelor Thesis.

IPsec ESP Userland Encryption with libipsec

The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec processing in userland on Linux, FreeBSD and Mac OS X.

libipsec now supports AES-GCM, which is automatically accelerated if the openssl plugin detects the Intel AES-NI instruction set. Thus, libipsec is ideally suited for Suite B compliance on Mac OS X, where the kernel does not offer ESP AES-GCM support.

Improvements for Mac OS X and FreeBSD

The kernel-pfroute networking backend has been greatly improved. It can now install virtual IPs on TUN devices on Mac OS X and FreeBSD, allowing these systems to act as clients in common road warrior scenarios.

The new osx-attr plugin installs configuration attributes (currently DNS servers) via SystemConfiguration on Mac OS X. The keychain plugin provides certificates from the Mac OS X keychain service.

Other Notable Changes

Download it from here - a more extensive changelog can be found on our wiki.