We are proud to announce the release of strongSwan 5.2.1, which comes with support for systemd, IKEv2 fragmentation, segmentation of large PA-TNC attributes, a Ruby interface to vici and several other new features and fixes.
Support for systemd
The new charon-systemd IKE daemon implements an IKE daemon tailored for use with systemd. It avoids the dependency on ipsec starter and uses swanctl as configuration backend, building a simple and lightweight solution. Native systemd journal logging is supported.
IKEv2 Fragmentation
We support the new IKEv2 fragmentation mechanism defined by RFC 7383, which avoids IP fragmentation of IKEv2 UDP datagrams that exceed the network's MTU. This feature is activated by setting fragmentation=yes in ipsec.conf. Optionally, the maximum IP packet size may be configured with the charon.fragment_size parameter in strongswan.conf.
Refer to the net2net-fragmentation scenario for an example.
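A minimal site-to-site configuration enabling the feature, added here as an illustration rather than taken from the release or the net2net-fragmentation scenario; the subnets, gateway addresses, identities and certificate file names are constructed placeholders:

```conf
# ipsec.conf (constructed example): IKEv2 tunnel with IKEv2 fragmentation enabled
config setup

conn net2net
    keyexchange=ikev2
    # Fragment large IKEv2 messages (e.g. certificate payloads) per RFC 7383
    # instead of relying on IP-level fragmentation, which is often dropped.
    fragmentation=yes
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@moon.example.org
    leftcert=moonCert.pem
    right=192.0.2.2
    rightsubnet=10.2.0.0/16
    rightid=@sun.example.org
    auto=add

# strongswan.conf (constructed example): cap the size of each fragment so the
# resulting IP packets stay below the path MTU; 1280 fits any IPv6-capable path.
charon {
    fragment_size = 1280
}
```

With fragmentation=yes the daemon only fragments when the peer also announces support, so enabling it on both gateways is harmless on paths where the MTU is not an issue.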
Segmentation of large PA-TNC attributes
We implemented the TCG TNC IF-M Segmentation Proposal, which allows the transfer of potentially huge attributes amounting to several megabytes of measurement data, such as the TCG/SWID Tag [ID] Inventory or IETF/Installed Packages attributes, via the PA-TNC, PB-TNC and either PT-EAP or PT-TLS NEA protocol stack. By default, segmented attributes are simply reconstructed on the receiving side from the individual segments, with the exception of the three attribute types mentioned above, which can be parsed and processed incrementally as the segments arrive one by one.
The tnccs-20-pdp-eap test case shows an example scenario retrieving SWID tags from Debian-based hosts.
Ruby interface for vici
For the vici plugin a Ruby gem has been added to allow Ruby applications to control or monitor the IKE daemon. The vici documentation has been updated to include a description of the available operations and some simple examples using both the libvici C interface and the Ruby gem (see README.md).
Other Notable Changes
- The new ext-auth plugin calls an external script to implement custom IKE_SA authorization logic, courtesy of Vyronas Tsingaras.
- Paths to the ipsec.conf and ipsec.secrets configuration files may be configured via strongswan.conf. The path to strongswan.conf may be passed via the STRONGSWAN_CONF environment variable. Patches courtesy of Shea Levy.
- Support for IKEv1 fragmentation has been extended to Windows XP/7 clients, courtesy of Volker Rümelin.
- The MOBIKE code received several improvements.