Release Notes: This release features full XAUTH server and client support in conjunction with IKEv1 RSA or PSK Main Mode authentication. Verification of user credentials is possible either via a custom XAUTH plugin module or through XAUTH entries in ipsec.secrets. IKEv2 configuration of IPsec Transport Mode is now possible. IKEv2 reauthentication (reauth=true) has been implemented.
Release Notes: Major improvements were made to the monitoring, debugging, and logging functions of the IKEv2 keying daemon. Informational console output is now available during connection startup. IKEv1 Mode Config Push mode was backported from strongswan 2.8.0.
Release Notes: The implementation of the IKE Mode Config push mode allows interoperability with Cisco VPN gateways. By setting "modeconfig=push", strongSwan will wait for the peer to push down a virtual IP address that can be used within an IPsec tunnel. The default value of the new keyword is "modeconfig=pull". The command "ipsec statusall" now shows "DPD active" for all ISAKMP Security Associations that are under active Dead Peer Detection control.
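A worked configuration tying together the XAUTH support from the first note above and the Mode Config push mode from this one, added here as an illustration; it is not taken from the strongSwan distribution or its test scenarios. The addresses, identities, file names and the password are constructed. The keyword names and values (xauth=, authby=xauthrsasig, leftsourceip=%modeconfig, rightsourceip=, modeconfig=push) and the "user : XAUTH "password"" line format in ipsec.secrets are assumed from the strongSwan 2.8-era ipsec.conf(5) and ipsec.secrets(5) and should be checked against the installed version.

```conf
# gateway side (responder), ipsec.conf
# RSA Main Mode authenticates the endpoints, then XAUTH checks the user.
# With modeconfig=push the gateway pushes the virtual IP to the client,
# which is the behaviour Cisco VPN gateways expect.
conn rw-xauth
    left=192.0.2.1
    leftcert=gwCert.pem
    leftid=@gw.example.com
    leftsubnet=10.1.0.0/16
    right=%any
    rightsourceip=10.3.0.1
    authby=xauthrsasig
    xauth=server
    modeconfig=push
    auto=add

# gateway side, ipsec.secrets (root-owned, mode 0600: the XAUTH
# password is stored in clear text)
: RSA gwKey.pem
carol : XAUTH "Gx7-constructed-pw"

# road warrior side (initiator), ipsec.conf
# leftsourceip=%modeconfig makes the client accept the pushed address.
conn gw
    left=%defaultroute
    leftcert=carolCert.pem
    leftid=carol@example.com
    leftsourceip=%modeconfig
    right=192.0.2.1
    rightid=@gw.example.com
    rightsubnet=10.1.0.0/16
    authby=xauthrsasig
    xauth=client
    modeconfig=push
    auto=add

# road warrior side, ipsec.secrets
: RSA carolKey.pem
carol : XAUTH "Gx7-constructed-pw"
```

Two points worth checking in such a setup. First, after "ipsec up gw" on the client, "ipsec statusall" on either side should list the pushed virtual address in the tunnel's traffic selector; if the gateway is configured for push but the client for pull (the default), the exchange stalls waiting for the other side to start Mode Config. Second, XAUTH adds a user check on top of the Main Mode authentication, not instead of it: the password travels inside the Phase 1 SA, so if Phase 1 used a pre-shared key known to every road warrior, anyone holding that group secret could impersonate the gateway and collect XAUTH passwords. RSA Main Mode, as configured above, does not have that weakness.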
Release Notes: Many new features have been added to the IKEv2 charon daemon: support for pre-shared keys, 3DES- or AES-protected RSA private key files, 3DES encryption for IKEv2, SHA-2 hashes in X.509 certificate signatures, automatic insertion of firewall passthrough rules for VPN traffic, IPv6-in-IPv6 tunnels, and dead peer detection with clear, hold, or restart options. IKEv2 now allows for mixed-mode authentication in which the VPN server sends a certificate, and VPN clients use personal pre-shared secrets.
Release Notes: Support was added for the ipsec route/unroute commands for IKEv2. This allows IKE_SAs and CHILD_SAs to be set up on demand when traffic to be tunnelled is detected by the kernel. IKE_SA rekeying was added. As specified in the IKEv2 RFC, rekeying does not re-authenticate the peers; it only derives fresh keys with perfect forward secrecy.
Release Notes: Segmentation faults in the eroute, klipsdebug, and other KLIPS-related auxiliary programs were fixed by defining the USE_NAT_TRAVERSAL compile-time option when building them. "sha" and "sha1" are now treated as synonyms in the ike and esp algorithm configuration statements in ipsec.conf.
Release Notes: This release has achieved a large leap forward in its IKEv2 implementation: full support for X.509 certificate trust path verification including CRLs; transport protocol and port traffic selectors; NAT discovery and NAT traversal via UDP encapsulation and port floating, including graceful handling of peer IP address changes; and liveness checks via a Dead Peer Detection scheme.
Release Notes: The mixed PSK/RSA roadwarrior detection capability introduced by the strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal payloads before any IKE Main Mode state had been established. Although bad proposal syntax was correctly detected by the parser, the subsequent error handler did not check the state pointer before logging current state information, causing an immediate crash of the pluto keying daemon due to a NULL pointer dereference. This release fixes this vulnerability to malformed proposal payloads, which could otherwise be exploited for denial-of-service attacks: a single unauthenticated UDP/500 packet from any source could take down the daemon.
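The bug class described in this note, as an added illustration that is not pluto source code: a proposal pre-parser runs before any exchange state exists, and its error path logs "current state" details. The unchecked logger reproduces the crash; the checked one is the fix. The state struct, function names and the two sample payloads are constructed; only the proposal header layout (next payload, reserved, length, proposal number, protocol ID, SPI size, transform count) follows RFC 2408 section 3.5.

```c
/* Added illustration, not pluto source. Names, the state struct and the
 * sample payloads are hypothetical; the proposal header layout is RFC 2408. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the keying daemon's per-exchange state. */
struct state {
    unsigned long serialno;
    const char *name;
};

/* IKEv1 proposal header: next(1) reserved(1) length(2, network order)
 * proposal#(1) protocol-id(1) spi-size(1) transform-count(1). */
#define PROPOSAL_HDR_LEN 8

/* The defect the note describes: the logger formats current-state details
 * without checking that a state exists. With st == NULL this dereferences
 * a NULL pointer and the daemon dies. */
int log_error_unchecked(const struct state *st, const char *msg,
                        char *out, size_t outlen)
{
    return snprintf(out, outlen, "state #%lu (%s): %s",
                    st->serialno, st->name, msg);
}

/* Hardened form: the state pointer is checked before use, so a malformed
 * proposal seen before Main Mode state exists is logged and rejected. */
int log_error_checked(const struct state *st, const char *msg,
                      char *out, size_t outlen)
{
    if (st == NULL)
        return snprintf(out, outlen, "no state yet: %s", msg);
    return snprintf(out, outlen, "state #%lu (%s): %s",
                    st->serialno, st->name, msg);
}

/* Validate one proposal header. Returns the transform count, or -1 with a
 * diagnostic in diag on malformed input. st may be NULL during pre-parsing. */
int parse_proposal(const uint8_t *buf, size_t len, const struct state *st,
                   char *diag, size_t diaglen)
{
    diag[0] = '\0';
    if (len < PROPOSAL_HDR_LEN) {
        log_error_checked(st, "payload shorter than proposal header", diag, diaglen);
        return -1;
    }
    uint16_t plen = (uint16_t)((buf[2] << 8) | buf[3]);
    uint8_t spi_size = buf[6];
    uint8_t ntrans = buf[7];
    if (plen < PROPOSAL_HDR_LEN || plen > len) {
        log_error_checked(st, "proposal length outside payload", diag, diaglen);
        return -1;
    }
    if ((size_t)PROPOSAL_HDR_LEN + spi_size > plen) {
        log_error_checked(st, "SPI size exceeds proposal length", diag, diaglen);
        return -1;
    }
    if (ntrans == 0) {
        log_error_checked(st, "proposal carries no transforms", diag, diaglen);
        return -1;
    }
    return ntrans;
}

/* Constructed samples. good: 16-byte proposal for protocol ISAKMP, no SPI,
 * one 8-byte transform. bad: the length field claims 1024 bytes. */
static const uint8_t good[] = {
    0x00, 0x00, 0x00, 0x10, 0x01, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00,
};
static const uint8_t bad[] = { 0x00, 0x00, 0x04, 0x00, 0x01, 0x01, 0x00, 0x01 };

/* Well-formed proposal, no state yet: returns its transform count (1). */
int sample_good(void)
{
    char diag[128];
    return parse_proposal(good, sizeof good, NULL, diag, sizeof diag);
}

/* Malformed proposal before any state exists: must be rejected, not crash.
 * Returns 1 when the result and diagnostic are as expected. */
int sample_bad_without_state(void)
{
    char diag[128];
    int r = parse_proposal(bad, sizeof bad, NULL, diag, sizeof diag);
    return r == -1 && strstr(diag, "no state yet") != NULL;
}

/* Same input once a state exists: the diagnostic names that state. */
int sample_bad_with_state(void)
{
    struct state st = { 7, "STATE_MAIN_R1" };
    char diag[128];
    int r = parse_proposal(bad, sizeof bad, &st, diag, sizeof diag);
    return r == -1 && strstr(diag, "state #7 (STATE_MAIN_R1)") != NULL;
}

int main(void)
{
    printf("good: %d transform(s)\n", sample_good());
    printf("bad, no state: %s\n", sample_bad_without_state() ? "rejected" : "FAILED");
    printf("bad, with state: %s\n", sample_bad_with_state() ? "rejected" : "FAILED");
    return 0;
}
```

The practitioner's check for this class of bug is simple: every diagnostic path reachable before authentication completes must be exercised with the state pointer absent, because that is exactly the window an unauthenticated sender controls. Swapping log_error_checked for log_error_unchecked in parse_proposal and running sample_bad_without_state reproduces the crash.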
Release Notes: The IKEv2 daemon now supports the setup of host-to-host, net-to-net, and road warrior IPsec tunnel connections. Authentication is based on RSA signatures using locally loaded X.509 certificates. Child SA rekeying is possible, but for the time being should be treated as experimental. The make process has been rebuilt from scratch and uses autoconf. An IPv6 host-to-host scenario was added for IKEv1.
Release Notes: The following minor bugs were fixed. ipsec up|down|route|unroute could cause a pluto crash when used without a connection name. Unsuccessful name resolution when fetching a CRL via HTTP could cause a crash in the libcurl library on some 64-bit architectures. ipsec starter could not configure an ipsec0 PPP interface when used with Linux 2.4 KLIPS.