Release Notes: The RFC 5793 Posture Broker Protocol compatible with Trusted Network Connect (PB-TNC) was implemented. IKE and ESP proposals as well as CRL distribution points can be stored in an SQL database. Connections can be started or routed automatically via the start_action database field. The IKEv2 daemon supports the INITIAL_CONTACT notification.
Release Notes: IKEv2 is now the default key exchange mode. IKEv2 EAP-TLS, EAP-TTLS, and EAP-TNC (Trusted Network Connect) authentication modes terminated either on a strongSwan gateway or a remote AAA server are supported. PKCS#11 smartcards are supported for IKEv2.
Release Notes: The new IKEv2 High Availability plugin provides load sharing and fail-over capabilities in a cluster of currently two nodes based on an extended ClusterIP Linux kernel module. IKEv1 and IKEv2 configuration support was added for the AES-GMAC authentication-only ESP cipher and for the Diffie-Hellman groups 22, 23, and 24. RAM-based virtual IP address pools are now also supported by the IKEv1 daemon. The dhcp and farp charon plugins allow tight integration of remote access clients into a local network by offering DHCP and ARP services.
Release Notes: Starting with the Linux 2.6.33 kernel, the SHA-256/384/512 HMAC ESP data integrity algorithms are now configured by strongSwan with the correct truncation length. Older kernels require a SHA-2 patch. The IKEv2 charon daemon has been ported to the Android platform. DNS and NBNS server information stored in an SQL database can be distributed to VPN clients via the IKEv1 Mode Config or the IKEv2 Configuration payload.
Release Notes: The IKEv1 pluto daemon can attach SQL-based address pools to deal out virtual IP addresses as a Mode Config server in either Pull or Push mode. In addition to time based rekeying, the IKEv2 charon daemon supports IPsec SA lifetimes based on processed volume measured in bytes or number of packets.
Release Notes: The IKEv2 charon daemon has been ported to FreeBSD and Mac OS X.
Release Notes: Optional integrity checksum tests are done over all strongSwan dynamic libraries and plugins during startup. The IKEv1 pluto daemon now supports the ESP authenticated encryption algorithms AES-GCM and AES-CCM.
Release Notes: The IKEv1 and IKEv2 daemons now share the same crypto framework. Either the built-in algorithms or the OpenSSL or GNU libgcrypt libraries can be used. During startup, self-tests for all cryptographic algorithms are executed. The IKEv1 daemon supports elliptic curve Diffie-Hellman groups and ECDSA signatures. Two minor DoS vulnerabilities in the ASN.1 parser were fixed.
Release Notes: This release fixes two DoS vulnerabilities in the charon daemon that were discovered by fuzzing techniques. A couple of bugs caused by the massive 4.3.0 refactoring were fixed.
Release Notes: This release implements IKEv2 Multiple Authentication Exchanges (RFC 4739). Refactored IKEv1 pluto code uses the libstrongswan library for basic functions. Up to two DNS and WINS servers to be sent via the IKEv1 ModeConfig protocol can thus be configured via strongswan.conf attributes.