All releases of strongSwan

  •  08 May 2006 08:59

    Release Notes: This version supports both the existing IKEv1 (RFC 2409) and the new IKEv2 (RFC 4306) Internet Key Exchange protocols. In the ipsec.conf configuration file, IKEv2 connections are designated by the parameter keyexchange=ikev2, whereas the default keyexchange=ike or keyexchange=ikev1 will handle an IKEv1 connection. Currently, RSA authentication based on locally loaded X.509 certificates is supported.

    •  26 Apr 2006 07:48

      Release Notes: Automatic insertion and deletion of VPN passthrough firewall rules is done upon successful setup or teardown, respectively, of an IPsec connection. This feature is activated by the leftfirewall=yes parameter and uses the default _updown script. Support for mixed PSK/RSA roadwarrior authentication was added.

      •  12 Apr 2006 16:55

        Release Notes: The new _updown_policy template supports the IPsec policy matching rules of iptables-1.3.5. Making use of the PLUTO_REQID environment variable set by the IKE daemon pluto upon the establishment of an IPsec connection, the updown script inserts dynamic iptables firewall rules that pass only packets coming out from or going into a VPN tunnel.

        •  13 Mar 2006 11:39

          Release Notes: If the native netkey IPsec stack of the Linux 2.6 kernel is used, then "ipsec status" now displays the precise time interval that has elapsed since the last use of each active eroute. This information is also used by the Dead Peer Detection protocol to detect recent ESP traffic. strongSwan's "ipsec" runlevel startup script now calls the fast "ipsec starter" command. The starter's parser was extended to recognize the "auth=ah" option in ipsec.conf.

          •  13 Feb 2006 18:53

            Release Notes: This release fixes a long-standing bug with road warrior connections that use right=%any with preshared keys (PSK) and define a rightid containing a hostname or email address. All ipsec auto command options have been integrated into the ipsec command (e.g. ipsec status). Two new features have been added: ipsec status now shows for each IPsec SA the number of transmitted bytes, and the unstructuredName field is now fully supported in the distinguished name of certificates.

            •  23 Jan 2006 08:17

              Release Notes: The fast IPsec starter was completed and now supports recursive includes using the also keyword. This makes modular structuring of the connection definitions in ipsec.conf possible. The following startup commands are supported: ipsec start|update|reload|stop|restart.

              •  09 Jan 2006 12:37

                Release Notes: A new "ipsec starter" utility that sets up and updates connections much faster than the existing awk-based "ipsec setup" script was added. It also provides an update option that only reloads connections that have changed in ipsec.conf. "ipsec start --auto_update 60" automatically checks for changes every 60 seconds. Thus if the %defaultroute parameter is used to designate Pluto's own IP address, then dynamic address or network interface changes can be handled without the need to restart Pluto.

                •  15 Nov 2005 14:53

                  Release Notes: CA certificates stored on a smartcard or USB crypto token are now automatically loaded during system startup, thus eliminating the need to copy them manually into the /etc/ipsec.d/cacerts/ directory. This facilitates the configuration of strongSwan client installations so that a user can now just plug in her personal token or smartcard to start a VPN session. strongSwan is not affected by the NISCC Vulnerability Advisory 273756/NISCC/ISAKMP. Therefore, this release does not contain any security fixes.

                  •  01 Nov 2005 22:33

                    Release Notes: The "ipsec whack --scencrypt" command now computes RSA encryption in software using the public key fetched from the smartcard if the PKCS#11 library used (e.g. the OpenSC library) does not implement the C_Encrypt() function. This feature can be used to protect hard disk encryption keys with the same PIN used for the VPN. The "scepclient" command now allows you to define the validity of a self-signed certificate using the --days, --startdate, and --enddate options. The default validity has been changed from one year to five years.

                    •  05 Oct 2005 09:25

                      Release Notes: A new pkcs11proxy=yes parameter was added, which opens the PKCS#11 smartcard interface to other applications for RSA encryption and decryption via the whack interface. The proxy interface can be used for securing symmetric encryption keys required by the dm-crypt disk encryption schemes. During system installation, a private RSA key and a self-signed certificate containing the hostname are now automatically created by the new scepclient function, thus facilitating the first steps in setting up a simple VPN connection.
