Release Notes: The leftsourceip option now accepts a comma-separated combination of %config4, %config6, or fixed IP addresses to request from the responder. Likewise, the rightsourceip option accepts multiple explicitly specified or referenced named address pools. TPM-based remote attestation has been extended to verify the complete measurements done by the Linux Integrity Measurement Architecture (IMA). Reference hash values of up to 10'000 Linux system files are stored in an SQLite database.
Release Notes: An extended EAP-RADIUS interface allows one to enforce Session-Timeout attributes using RFC 4478 repeated authentication, and acts upon RADIUS Dynamic Authorization extensions (RFC 5176). Currently supported are disconnect requests and CoA messages containing a Session-Timeout. The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point.
Release Notes: The IKEv2 charon daemon allows one to define PASS and DROP shunt policies that, for example, prevent local traffic from going through IPsec connections or exempt certain protocols from IPsec encryption. A new IMC/IMV Scanner pair implements the RFC 5792 PA-TNC protocol. The Integrity Measurement Collector uses netstat to scan for open listening ports on the TNC client and sends a port list to the Integrity Measurement Verifier attached to the TNC Server, which decides whether the client is admitted to the network based on a configurable port policy.
Release Notes: The IKEv2 daemon supports negotiation of Extended Sequence Numbers (ESN) in conjunction with the Linux 2.6.39 kernel. The whitelist plugin allows whitelisting of users with X.509 certificate credentials. The eap-sim-pcsc plugin implements a pcsc-lite based SIM card backend.
Release Notes: Optional integrity checksum tests are done over all strongSwan dynamic libraries and plugins during startup. The IKEv1 pluto daemon now supports the ESP authenticated encryption algorithms AES-GCM and AES-CCM.
Release Notes: A vulnerability in the Dead Peer Detection (RFC 3706) code was found affecting all strongSwan releases (CVE-2009-0790). A malicious or expired ISAKMP R_U_THERE or R_U_THERE_ACK DPD packet can cause the pluto IKEv1 daemon to crash and restart. The new server-side IKEv2 EAP RADIUS plugin relays EAP messages to and from a RADIUS server. It has been successfully tested with a FreeRADIUS server using EAP-MD5 and EAP-SIM.
Release Notes: IKEv2 interoperability with the Windows 7 Agile VPN client was improved by allowing the configuration of up to two DNS and NBNS servers that are forwarded to the client via the IKEv2 configuration payload. The IKEv2 EAP-MSCHAPv2 authentication protocol is supported.
Release Notes: There is mobile IPv6 support for securing Binding Updates and tunneled traffic between Mobile Node and Home Agent. This release includes Mobile Node address migration based on MIGRATE kernel messages sent by the mip6d daemon. A modularized IPsec kernel interface supporting XFRM, PFKEY, and KLIPS messages was added. A significant performance improvement on multi-core platforms was made.
Release Notes: The IKEv2 MOBIKE protocol can now be disabled on a per-connection basis using the mobike=no parameter in ipsec.conf. The --enable-integrity-test compile option computes a SHA-1 HMAC over the dynamic libstrongswan library which the IKEv2 daemon uses to verify the integrity of the crypto functions during runtime.
Release Notes: IKEv2 can now handle multiple certificates issued to the same peer ID. This allows for a smooth transition during certificate renewal. IKEv2 also supports IPsec policies based on intermediate certification authorities through the use of the rightca= parameter.