Release and vulnerability announcements for strongSwan

strongSwan 6.0.5 Released

We are happy to announce the release of strongSwan 6.0.5, which fixes a vulnerability in the eap-ttls plugin, supports forwarding certain ICMP errors that don't match the negotiated traffic selectors and comes with several other improvements and fixes.

Vulnerability in eap-ttls Plugin (CVE-2026-25075)

A vulnerability in the eap-ttls plugin related to processing EAP-TTLS AVPs was fixed. A missing length check can cause an integer underflow, which could lead to resource exhaustion or a crash. All strongSwan versions since 4.5.0 are affected.

More information is provided in a separate blog entry.

Forwarding ICMP Error Messages

ICMP error messages, such as Destination Unreachable or Time Exceeded, may get sent from an IP address that's not covered by the negotiated traffic selectors/IPsec policies. Such packets are therefore generally dropped, which can hamper error handling or PMTUD for hosts at the other end of the IPsec tunnel.

The body of an ICMP error message contains the first part of the packet that caused it. Since Linux v6.9, the kernel supports forwarding such ICMP errors by matching the header of that partial packet against the policies to decide whether to forward it. The kernel only does this for ICMP types 3 (Destination Unreachable) and 11 (Time Exceeded) for IPv4 and types 1 (Destination unreachable), 2 (Packet too big), and 3 (Time exceeded) for IPv6. All codes for these types are included (e.g. type 3 code 4, Fragmentation required and DF flag set, for IPv4).
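The decision described above, as an added example that is neither strongSwan nor Linux kernel code: a small model in which an outbound policy is a pair of traffic selectors, a normal packet matches when its source is local and its destination remote, and an ICMP error of one of the listed types whose own addresses don't match is re-checked against the IP header quoted in its body. Because the quoted packet travelled in the opposite direction, its addresses are compared reversed; that reversal, the selector/address values and the packets themselves are constructed for this illustration.

```python
# Added example, not strongSwan or Linux kernel code: a model of the ICMP-error
# forwarding decision. Policies are (local, remote) selector pairs for the
# outbound direction; quoted-packet addresses are matched reversed (assumption).
# All packets are constructed below.
import ipaddress
import struct

ICMPV4_FORWARDED_TYPES = {3, 11}    # Destination Unreachable, Time Exceeded
ICMPV6_FORWARDED_TYPES = {1, 2, 3}  # Dest. Unreachable, Packet Too Big, Time Exceeded
IPPROTO_ICMP, IPPROTO_ICMPV6, IPPROTO_UDP = 1, 58, 17


def parse_ip_header(pkt):
    """Return (version, protocol, src, dst, payload); raise ValueError if truncated."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("truncated or malformed IPv4 header")
        return (4, pkt[9], ipaddress.IPv4Address(pkt[12:16]),
                ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:])
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        # pkt[6] is the next header; extension headers are not walked here
        return (6, pkt[6], ipaddress.IPv6Address(pkt[8:24]),
                ipaddress.IPv6Address(pkt[24:40]), pkt[40:])
    raise ValueError("unknown IP version %d" % version)


def quoted_packet(version, proto, payload):
    """Return the offending packet carried in an ICMP error of a forwarded type, else None."""
    if len(payload) < 8:            # ICMP header is 8 bytes for these types
        return None
    icmp_type = payload[0]
    if version == 4 and proto == IPPROTO_ICMP and icmp_type in ICMPV4_FORWARDED_TYPES:
        return payload[8:]
    if version == 6 and proto == IPPROTO_ICMPV6 and icmp_type in ICMPV6_FORWARDED_TYPES:
        return payload[8:]
    return None


def matches_outbound(local_ts, remote_ts, pkt, icmp=False):
    """Outbound policy check; icmp=True models the behaviour enabled by the Child SA option."""
    version, proto, src, dst, payload = parse_ip_header(pkt)
    if src in local_ts and dst in remote_ts:
        return True
    if not icmp:
        return False
    inner = quoted_packet(version, proto, payload)
    if inner is None:
        return False
    try:
        _, _, isrc, idst, _ = parse_ip_header(inner)
    except ValueError:
        return False                # too little of the offending packet was quoted
    return idst in local_ts and isrc in remote_ts


# --- constructed sample packets (checksums left zero, irrelevant for matching) ---
def ipv4_packet(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6_packet(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def icmp_error(icmp_type, code, offending, rest=0):
    # type, code, checksum, 4-byte field (unused, or the MTU for Packet Too Big)
    return struct.pack("!BBHI", icmp_type, code, 0, rest) + offending


def demo():
    """Gateway B's child: local 10.2.0.0/16 <-> remote 10.1.0.0/16, plus IPv6 twins."""
    local4, remote4 = ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("10.1.0.0/16")
    local6, remote6 = ipaddress.ip_network("2001:db8:2::/48"), ipaddress.ip_network("2001:db8:1::/48")
    udp = struct.pack("!HHHH", 12345, 53, 8, 0)      # first 8 bytes of the offending datagram
    offending4 = ipv4_packet("10.1.0.5", "10.2.0.7", IPPROTO_UDP, udp)
    offending6 = ipv6_packet("2001:db8:1::5", "2001:db8:2::7", IPPROTO_UDP, udp)
    # errors generated by routers behind B, whose addresses lie outside the selectors
    ttl_exceeded = ipv4_packet("192.168.50.1", "10.1.0.5", IPPROTO_ICMP, icmp_error(11, 0, offending4))
    too_big = ipv6_packet("2001:db8:ffff::1", "2001:db8:1::5", IPPROTO_ICMPV6, icmp_error(2, 0, offending6, 1280))
    echo_reply = ipv4_packet("192.168.50.1", "10.1.0.5", IPPROTO_ICMP, icmp_error(0, 0, b""))
    truncated = ipv4_packet("192.168.50.1", "10.1.0.5", IPPROTO_ICMP, icmp_error(3, 4, offending4[:12]))
    return {
        "plain": matches_outbound(local4, remote4, ipv4_packet("10.2.0.7", "10.1.0.5", IPPROTO_UDP, udp)),
        "ttl_exceeded_default": matches_outbound(local4, remote4, ttl_exceeded),
        "ttl_exceeded_icmp": matches_outbound(local4, remote4, ttl_exceeded, icmp=True),
        "too_big_icmp": matches_outbound(local6, remote6, too_big, icmp=True),
        "echo_reply_icmp": matches_outbound(local4, remote4, echo_reply, icmp=True),   # not an error type
        "truncated_icmp": matches_outbound(local4, remote4, truncated, icmp=True),     # inner header unreadable
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print("%-22s %s" % (name, "forward" if forwarded else "drop"))
```

Running the module prints one line per case: the Time Exceeded and Packet Too Big errors are dropped under the default policy match and forwarded once the quoted header is consulted, while an Echo Reply from the same router and an error that quotes too little of the offending packet stay dropped.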

This kernel behavior can now be enabled for a Child SA with the new icmp option. Depending on whether hosts behind the VPN gateways send or need to receive ICMP errors, it may have to be enabled on both ends. Note that this is a local option; nothing is negotiated with the peer.
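A swanctl.conf fragment showing where the option goes, as an added example (not taken from the page or from the strongSwan test scenarios it mentions). The connection name, addresses, identities and certificate file are placeholders, and the yes/no form of the value is an assumption to check against swanctl.conf(5); the mirror-image child on the other gateway needs the same setting if errors must flow in both directions.

```conf
connections {
    net-net {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local {
            auth  = pubkey
            certs = gatewayCert.pem
            id    = gateway-b.example.org
        }
        remote {
            auth = pubkey
            id   = gateway-a.example.org
        }
        children {
            net-net {
                local_ts  = 10.2.0.0/16
                remote_ts = 10.1.0.0/16
                # Let the kernel forward ICMP errors (IPv4 types 3/11, IPv6 types
                # 1/2/3) from addresses outside these selectors when the quoted
                # packet matches them. Local only, nothing is sent to the peer.
                icmp = yes
                start_action = trap
            }
        }
    }
}
```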

Note that when generating an ICMP error on the IPsec host itself, the kernel currently uses a source IP that's technically incorrect. Instead of using one of its own local addresses, it uses the destination address of the packet that caused the error as source. This will be fixed in a future kernel release (likely v7.1).

Examples can be found in the ikev2/net2net-icmp-forward and ipv6/net2net-icmp-forward-ikev2 test scenarios.

Other Notable Features and Fixes

  • The charon-cmd tool now supports childless IKE SA initiation with the --childless option, which takes an optional force argument to abort the initiation if the peer doesn't support the extension. It now also supports IKEv2 PSK authentication to interoperate with some public test servers.
  • The dhcp plugin now keeps track of address leases across make-before-break reauthentications to avoid releasing the address when the old SA is terminated, which could e.g. mess with DNS resolution or even cause the IP to get reassigned to a different client.
  • When installing routes, the kernel-netlink plugin previously defaulted to setting the peer's address as next hop if there was no actual next hop found. This caused issues in certain cases (e.g. for routes over point-to-point interfaces). Instead, the next hop is now omitted if at least an interface was found.
  • Some short options for commands of the swanctl and pki tools have been renamed due to conflicts with shared options that are now handled globally (see the full changelog for details).
  • Default plugins for swanctl have been changed and a new configure option for distributions that package plugins separately can avoid distracting error messages for the tool (and pki).
  • Fixed several regressions introduced with changes in 6.0.2 and 6.0.3.
