Release Notes: A vulnerability in the Dead Peer Detection (RFC 3706) code was found affecting all strongSwan releases (CVE-2009-0790). A malicious or expired ISAKMP R_U_THERE or R_U_THERE_ACK DPD packet can cause the pluto IKEv1 daemon to crash and restart. The new server-side IKEv2 EAP RADIUS plugin relays EAP messages to and from a RADIUS server. It has been successfully tested with a FreeRadius server using EAP-MD5 and EAP-SIM.
Release Notes: A couple of minor bugs in the IKEv1 and IKEv2 daemons were fixed.
Release Notes: IKEv2 interoperability with the Windows 7 Agile VPN client was improved by allowing the configuration of up to two DNS and NBNS servers that are forwarded to the client via the IKEv2 configuration payload. The IKEv2 EAP-MSCHAP v2 authentication protocol is supported.
Release Notes: Bugfixes for broken ESP NULL encryption and a missing list of connection definitions in the IPsec statusall output.
Release Notes: Major performance improvements were made by introducing hash table lookups, allowing the setup of thousands of IKEv2 connections in seconds. Smartcard support for IKEv2 connections was added using the OpenSSL Engine API.
Release Notes: There is mobile IPv6 support for securing Binding Updates and tunneled traffic between Mobile Node and Home Agent. This release includes Mobile Node address migration based on MIGRATE kernel messages sent by the mip6d daemon. A modularized IPsec kernel interface supporting XFRM, PFKEY, and KLIPS messages was added. A significant performance improvement on multi-core platforms was made.
Release Notes: Several MOBIKE improvements were made. Changes in NAT mappings in DPD exchanges are detected. Events are handled if the kernel detects NAT mapping changes in UDP-encapsulated ESP packets (though this requires a kernel patch). Old addresses are reused in MOBIKE updates as long as possible. Other fixes were made.
Release Notes: This release fixes a denial of service vulnerability where an IKE_SA_INIT message with a Diffie-Hellman KE payload containing zeroes only could cause a crash of the IKEv2 charon daemon due to a NULL pointer returned by the mpz_export() function of the GNU Multi-Precision (GMP) library.
Release Notes: The new dbus-based nm plugin fully integrates strongSwan into the VPN connections menu of NetworkManager 0.7. Separate EAP identities are supported in all IKEv2 EAP authentication protocols.
Release Notes: The performance of the SQL-based virtual IP address pool has been improved. There is consistent logging of IKE SAs on the audit level. There are a couple of minor bugfixes.