strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

secunet

revosec

Hochschule für Technik Rapperswil

strongSwan 5.2.0 Released

We are proud to announce the release of strongSwan 5.2.0, which brings a native Windows port, a more flexible configuration and control interface and many other new features and fixes.


Native strongSwan Port to Windows

strongSwan has been ported to the Windows platform. Using a MinGW toolchain, many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 and newer releases.

charon-svc implements a Windows IKE service based on libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec backend on the Windows platform. socket-win provides a native IKE socket implementation, while winhttp fetches CRL and OCSP information using the WinHTTP API.

New Configuration and Control Interface

The new vici plugin provides a Versatile IKE Configuration Interface for the charon IKE daemon. Using the stable IPC interface, external applications can configure, control and monitor the IKE daemon. Instead of scripting the ipsec tool and generating ipsec.conf files, third party applications can use the new interface for more control and better reliability.

Built upon the libvici client library, swanctl implements the first user of the VICI interface. Together with a swanctl.conf configuration file, connections can be defined, loaded and managed. swanctl provides a portable, complete IKE configuration and control interface for the command line.

We added several swanctl examples to our testing environment.

Collecting ISO/IEC 19770-2:2014 Software Identification (SWID) Tags

The SWID IMC can extract all installed packages from the dpkg (Debian, Ubuntu, etc.), rpm (Fedora, RedHat, etc.), or pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using the swidGenerator which generates SWID tags according to the new ISO/IEC 19770-2:2014 standard.

The SWID IMV implements a JSON-based REST API which allows the exchange of SWID tags and Software IDs with the strongTNC policy manager.

This is demonstrated in the tnccs-20-pdp-eap and tnccs-20-pt-tls test cases.

Remote Attestation and General TNC Upgrades

The Attestation IMC/IMV pair supports the IMA-NG measurement format introduced with the Linux 3.13 kernel. The new aikgen tool generates an Attestation Identity Key bound to a TPM.

All IMVs now share the access requestor ID, device ID and product info of an access requestor via a common imv_session object. The PT-EAP transport protocol (RFC 7171) for Trusted Network Connect has also been implemented.

Other Notable Changes

  • The ipsec.conf replay_window option defines connection specific IPsec replay windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from 6Wind.
  • The parsers for ipsec.conf and strongswan.conf have been rewritten, you'll find more details in the changelog.
  • Support for late IKEv1 connection switching based on the XAuth username has been added.
  • Added support to parse SSH public keys from files configured in left|rightsigkey.
  • RDNs in Distinguished Names parsed from strings must now either be separated by a comma or a slash, not both. If the DN starts with a slash (or whitespace and a slash) slashes will be assumed as separator, commas otherwise.
  • Support for IPComp was added to the kernel-pfkey plugin (FreeBSD, Mac OS X, Linux), patch courtesy of Francois ten Krooden.
  • The NetworkManager frontend gained support for PSK authentication.

Download it from here - a more extensive changelog can be found on our wiki.