Release Notes: The strongSwan Trusted Network Connect functionality supports all IETF Standard PA-TNC attributes and a new OS IMC/IMV pair using these attributes to transfer Linux or Android operating system information. Interoperability with Windows XP has been improved by supporting PKCS#7 certificate containers and legacy NAT traversal protocols. The test framework has been migrated from User Mode Linux to KVM, making it faster and more robust.
Release Notes: IKEv2 is now the default key exchange mode. IKEv2 EAP-TLS, EAP-TTLS, and EAP-TNC (Trusted Network Connect) authentication modes terminated either on a strongSwan gateway or a remote AAA server are supported. PKCS#11 smartcards are supported for IKEv2.
Release Notes: The IKEv1 and IKEv2 daemons now share the same crypto framework. Either the built-in algorithms or the OpenSSL or GNU libgcrypt libraries can be used. During startup, self-tests for all cryptographic algorithms are executed. The IKEv1 daemon supports elliptic curve Diffie-Hellman groups and ECDSA signatures. Two minor DoS vulnerabilities in the ASN.1 parser were fixed.
Release Notes: This release implements IKEv2 Multiple Authentication Exchanges (RFC 4739). The refactored IKEv1 pluto code uses the libstrongswan library for basic functions. Up to two DNS and WINS servers, to be sent via the IKEv1 ModeConfig protocol, can thus be configured via strongswan.conf attributes.
Release Notes: Major performance improvements were made by introducing hash table lookups, allowing the setup of thousands of IKEv2 connections in seconds. Smartcard support for IKEv2 connections was added using the OpenSSL Engine API.
Release Notes: The new dbus-based nm plugin fully integrates strongSwan into the VPN connections menu of NetworkManager 0.7. Separate EAP identities are supported in all IKEv2 EAP authentication protocols.
Release Notes: Support was added for elliptic curve Diffie-Hellman groups and X.509 certificates with ECDSA keys via an optional OpenSSL plugin. MOBIKE now correctly migrates ESP sequence numbers when doing IPsec SA updates.
Release Notes: The IKEv2 charon daemon now implements virtual IP address pools. The light version uses, for example, rightsourceip=10.3.0.0/22 to create a pool with 1022 addresses in volatile memory that are assigned on a first-come, first-served basis, whereas the advanced version uses rightsourceip=%poolname to reference an address pool in an SQLite or MySQL database that binds leases, either statically or with a predefined timeout, to a specific IKEv2 ID.
Release Notes: Support for "Hash and URL" encoded IKEv2 certificate payloads was added. Instead of the certificates themselves, only a URL pointing to them is transmitted, thus avoiding IP fragmentation of IKE datagrams due to large certificates. The IKEv1 pluto daemon now supports the ESP encryption algorithm Camellia and the authentication algorithm AES_XCBC_MAC.
Release Notes: The IKEv2 keying daemon has become modular and thus more extensible. Plugins for MySQL and SQLite allow you to store configurations and user credentials in a relational database. All cryptographic algorithms have been implemented as plugins, so that any software or hardware-accelerated crypto module can be attached at runtime.