All releases tagged Major feature enhancements


Release Notes: This version includes plugin modules for IKEv2 EAP-AKA and EAP-MD5 authentication as well as basic support for vendor-specific EAP methods using the Expanded EAP type 254.


Release Notes: IKEv2 repeated authentication (RFC 4478) was implemented to force, for example, EAP clients to periodically re-establish an IKE_SA. Support of IPv6 IPsec connections was fully tested, including seamless integration of ip6tables firewall rules. The Web-based strongSwan Manager now allows the interactive starting and stopping of IKE and CHILD SAs.


Release Notes: This release adds strongSwan Manager, a FastCGI Web application that interacts with the IKEv2 daemon charon via an XML interface. An SQLite configuration backend was introduced and will provide the configuration interface for strongSwan Manager in future releases.


Release Notes: Support of the IKEv2-based MOBIKE protocol (RFC 4555) allows dynamic IP address changes and multi-homing without re-establishing the IPsec tunnels. For IKEv1, the introduction of the rightallowany=yes option or, as an alternative, the right=%peer.foo.bar wildcard improves the re-establishment of IPsec connections after a dynamic address change in a host which registers its address with DynDNS.


Release Notes: IKEv2 now supports automatic HTTP- and/or LDAP-based fetching of certificate revocation lists using URIs extracted from CRL distribution points. CRLs can optionally be cached with the cachecrls=yes option. strongSwan now fully supports cookies in the presence of DoS attacks. New IKEv1 features include the addition of a special NAT-T Vendor ID that allows interoperability with Windows 2003 Server. The --enable-nat-transport option activates NAT traversal for IPsec transport mode.


Release Notes: This release has been thoroughly tested at the third IKEv2 Interoperability Workshop and, besides the traditional IKEv1 capabilities, offers nearly complete support of IKEv2. New IKEv2 features are the assignment of virtual IPs via the configuration payload, the basic EAP authentication framework, as well as the implementation of the Online Certificate Status Protocol (OCSP).


Release Notes: This release features full XAUTH server and client support in conjunction with IKEv1 RSA or PSK Main Mode authentication. Verification of user credentials is possible either via a custom XAUTH plugin module or through XAUTH entries in ipsec.secrets.


Release Notes: This release features full XAUTH server and client support in conjunction with IKEv1 RSA or PSK Main Mode authentication. Verification of user credentials is possible either via a custom XAUTH plugin module or through XAUTH entries in ipsec.secrets. IKEv2 configuration of IPsec Transport Mode is now possible. IKEv2 reauthentication (reauth=true) has been implemented.


Release Notes: The implementation of the IKE Mode Config push mode allows interoperability with Cisco VPN gateways. By setting "modeconfig=push", strongSwan will wait for the peer to push down a virtual IP address that can be used within an IPsec tunnel. The default value of the new keyword is "modeconfig=pull". The command "ipsec statusall" now shows "DPD active" for all ISAKMP Security Associations that are under active Dead Peer Detection control.


Release Notes: Many new features have been added to the IKEv2 charon daemon: support for pre-shared keys, 3DES- or AES-protected RSA private key files, 3DES encryption for IKEv2, SHA-2 hashes in X.509 certificate signatures, automatic insertion of firewall passthrough rules for VPN traffic, IPv6-in-IPv6 tunnels, and dead peer detection with clear, hold, or restart options. IKEv2 now allows for mixed-mode authentication in which the VPN server sends a certificate, and VPN clients use personal pre-shared secrets.