We are happy to announce the release of strongSwan 5.1.2, which brings a new default config file layout, a post-quantum computer key exchange method and several other new features and fixes.
New Configuration Layout
A new default configuration file layout is introduced (with full backward compatibility). The new default strongswan.conf file mainly includes configuration snippets from the new strongswan.d and strongswan.d/charon directories (the latter containing snippets for all installed plugins). The snippets, with commented defaults, are automatically generated and installed if they don't exist yet. They are also installed in $prefix/share/strongswan so existing files can be compared to the current defaults.
The settings that were formerly defined in library-specific "global" sections are now application-specific. For instance, settings for plugins in libstrongswan.plugins can now be set only for the IKE daemon charon in charon.plugins. The old options are still supported, which now allows you to define defaults for all applications in the libstrongswan section. All supported settings in strongswan.conf are documented on our wiki.
Extensible Plugin List
As an alternative to the non-extensible charon.load setting, the plugins to load in the IKE daemon charon can now be determined via the charon.plugins.<name>.load setting for each plugin. This behavior is enabled in the new default strongswan.conf file with the charon.load_modular option.
Post-quantum Computer Key Exchange Mechanism
The ntru plugin supports NTRUEncrypt as a post-quantum computer IKE key exchange mechanism. The implementation is based on the ntru-crypto library from the NTRUOpenSourceProject. The supported security strengths are ntru112, ntru128, ntru192, and ntru256. Because these have been assigned the private DH group IDs 1030..1033, the strongSwan Vendor ID must be sent (charon.send_vendor_id = yes) in order to use NTRU.
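The two sections above (plugin loading and the Vendor ID requirement for NTRU) can be checked together before deployment. The following is an added example, not part of the strongSwan release or its tooling: a small Python check that reads strongswan.conf-style text and reports what would keep an NTRU proposal from being usable. The function names, the simplified parser and the sample proposal string are assumptions made for illustration.

```python
import re

NTRU = re.compile(r"\bntru(112|128|192|256)\b")
TRUE = {"yes", "true", "enabled", "1"}  # boolean spellings strongswan.conf accepts

def parse_conf(text):
    """Parse nested 'name { key = value }' sections (simplified, no includes)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    return root

def ntru_findings(conf_text, proposals):
    """List settings that would keep an NTRU proposal from being usable."""
    if not any(NTRU.search(p) for p in proposals):
        return []
    charon = parse_conf(conf_text).get("charon", {})
    findings = []
    if charon.get("send_vendor_id", "no") not in TRUE:
        findings.append("charon.send_vendor_id is not enabled")
    if charon.get("load_modular", "no") in TRUE:
        # Assumption: with modular loading, absent or 'no' means not loaded.
        if charon.get("plugins", {}).get("ntru", {}).get("load", "no") == "no":
            findings.append("charon.plugins.ntru.load is not enabled")
    elif "load" in charon and "ntru" not in charon["load"].split():
        findings.append("ntru is missing from charon.load")
    return findings

# Constructed sample: modular loading on, ntru plugin off, Vendor ID not sent.
SAMPLE = """
charon {
    load_modular = yes
    plugins {
        ntru {
            load = no
        }
    }
}
"""
if __name__ == "__main__":
    print(ntru_findings(SAMPLE, ["aes256-sha512-ntru256!"]))
```

When neither charon.load_modular nor charon.load is set, the check reports nothing about plugin loading, because the plugin list then comes from the build defaults rather than from the file.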
Custom Unit Testing Framework
The strongSwan unit testing framework has been rewritten without the check dependency for improved flexibility and portability. It now properly supports multi-threaded and memory leak testing and brings a bunch of new test cases.
Other Notable Changes
- When its session option in strongswan.conf is enabled, the xauth-pam plugin opens and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as well as multiple subnets in left|rightsubnet have been fixed.
- The NetworkManager frontend gained support for PSK authentication.