Software update: strongSwan 4.3.5


Various protocols can be used to secure connections over public networks, among them the widely used IPsec. strongSwan is an IPsec implementation for Linux whose 4.2 and 4.3 branches target the current 2.6 Linux kernel. IKEv1, IKEv2 and IPv6 are supported, as can be read on this page. The developers have released strongSwan 4.3.5 and provide the following list of changes since the previous entry in the Meuktracker:

Version 4.3.5:

  • The IKEv1 pluto daemon can now use SQL-based address pools to deal out virtual IP addresses as a Mode Config server. The pool capability has been migrated from charon’s sql plugin to a new attr-sql plugin which is loaded by libstrongswan and which can be used by both daemons either with a SQLite or MySQL database and the corresponding plugin.
  • Plugin names have been streamlined: EAP plugins now have a dash after eap (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option. Plugin configuration sections in strongswan.conf now use the same name as the plugin itself (i.e. with a dash). Make sure to update “load” directives and the affected plugin sections in existing strongswan.conf files.
  • The private/public key parsing and encoding has been split up into separate pkcs1, pgp, pem and dnskey plugins. The public key implementation plugins gmp, gcrypt and openssl can all make use of them.
  • The EAP-AKA plugin can use different backends for USIM/quintuplet calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software implementation has been migrated to a separate plugin.
  • The IKEv2 daemon charon gained basic PGP support. It can use locally installed peer certificates and can issue signatures based on RSA private keys.
  • The new ‘ipsec pki’ tool provides a set of commands to maintain a public key infrastructure. It currently supports operations to create RSA and ECDSA private/public keys, calculate fingerprints and issue or verify certificates.
  • Charon uses a monotonic time source for statistics and job queuing, behaving correctly if the system time changes (e.g. when using NTP).
  • In addition to time based rekeying, charon supports IPsec SA lifetimes based on processed volume or number of packets. The new ipsec.conf parameters ‘lifetime’ (an alias to ‘keylife’), ‘lifebytes’ and ‘lifepackets’ handle SA timeouts, while the parameters ‘margintime’ (an alias to rekeymargin), ‘marginbytes’ and ‘marginpackets’ trigger the rekeying before an SA expires. The existing parameter ‘rekeyfuzz’ affects all margins.
  • If no CA/Gateway certificate is specified in the NetworkManager plugin, charon uses a set of trusted root certificates preinstalled by distributions. The directory containing CA certificates can be specified using the --with-nm-ca-dir=path configure option.
  • Fixed the encoding of the Email relative distinguished name in left|rightid statements.
  • Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
  • Fixed smartcard-based authentication in the pluto daemon which was broken by the ECDSA support introduced with the 4.3.2 release.
  • A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa tunnels established with the IKEv1 pluto daemon.
  • The pluto daemon now uses the libstrongswan x509 plugin for certificates and CRLs, and the struct id type was replaced by identification_t used by charon and the libstrongswan library.
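The ‘ipsec pki’ tool mentioned in the list above replaces the OpenSSL scripting that used to be needed to bootstrap a small IPsec PKI. The following is an added example and not part of the release notes or of the strongSwan distribution: it builds a CA key and self-signed CA certificate, issues a gateway certificate with a subjectAltName, verifies the chain and prints the CA fingerprint. The distinguished names, file names and directory are made up; the option spellings (--gen, --self, --pub, --issue, --verify, --keyid, --outform) are assumed from the tool's documentation and should be checked against ‘ipsec pki --help’ on the build in use.

```shell
# Added example: a minimal PKI with 'ipsec pki' (strongSwan 4.3.5+).
# Not taken from the release notes; names, DNs and paths are assumptions.
set -e

PKI_DIR=${PKI_DIR:-./pki-demo}

# Is the strongSwan command-line frontend installed on this host?
have_pki() {
    command -v ipsec >/dev/null 2>&1
}

# Build CA + one gateway ("moon") certificate under $PKI_DIR.
build_demo_pki() {
    mkdir -p "$PKI_DIR"
    cd "$PKI_DIR"

    # 1. CA: 2048-bit RSA key and a self-signed CA certificate valid 10 years.
    #    The key must be protected like any other CA key; the tool writes it
    #    unencrypted, so fix the permissions right away.
    ipsec pki --gen --type rsa --size 2048 --outform pem > caKey.pem
    chmod 600 caKey.pem
    ipsec pki --self --ca --in caKey.pem --type rsa \
        --dn "C=CH, O=strongSwan demo, CN=strongSwan demo CA" \
        --lifetime 3650 --outform pem > caCert.pem

    # 2. Gateway: its own RSA key, the public half extracted from it, and an
    #    end-entity certificate issued by the CA.  The SAN is what peers will
    #    later match with rightid=moon.strongswan.org.
    ipsec pki --gen --type rsa --size 2048 --outform pem > moonKey.pem
    chmod 600 moonKey.pem
    ipsec pki --pub --in moonKey.pem --type rsa --outform pem > moonPub.pem
    ipsec pki --issue --in moonPub.pem --type rsa \
        --cacert caCert.pem --cakey caKey.pem \
        --dn "C=CH, O=strongSwan demo, CN=moon.strongswan.org" \
        --san moon.strongswan.org --lifetime 730 --outform pem > moonCert.pem

    # 3. Check the chain the same way the daemon will, and record the CA
    #    fingerprint so peers can pin it out of band.
    ipsec pki --verify --in moonCert.pem --cacert caCert.pem
    ipsec pki --keyid --in caCert.pem --type x509

    cd - >/dev/null
}

# Run the whole procedure when the tool is present; otherwise say so
# instead of failing half-way through.
if have_pki; then
    build_demo_pki
    echo "demo PKI written to $PKI_DIR"
else
    echo "ipsec not found in PATH; install strongSwan >= 4.3.5 to run this"
fi
```

Copy caCert.pem to /etc/ipsec.d/cacerts, moonCert.pem to /etc/ipsec.d/certs and moonKey.pem to /etc/ipsec.d/private on the gateway, then reference the key with an RSA line in ipsec.secrets; only the CA certificate needs to be distributed to peers.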
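The volume- and packet-based lifetimes introduced in this release are easy to misconfigure, because every hard limit has a soft (margin) counterpart and rekeyfuzz enlarges all margins at random. The block below is an added example, not part of the release notes or of strongSwan: it prints an IKEv2 conn section that uses all six limits, and a small check that the largest possible fuzzed margin still lies below the corresponding lifetime. Addresses, subnets, identities and the numeric values are made up.

```shell
# Added example (not from the strongSwan release notes): an IKEv2 conn
# section rekeying on time, bytes and packets, plus a margin sanity check.

# Print an ipsec.conf conn section using the 4.3.5 lifetime parameters.
# lifetime/lifebytes/lifepackets are hard limits: whichever is reached
# first expires the CHILD_SA.  margintime/marginbytes/marginpackets say
# how far ahead of each hard limit the rekeying starts.  rekeyfuzz
# randomly enlarges every margin by up to that percentage.
write_conn() {
    cat <<'EOF'
conn moon-sun
    keyexchange=ikev2
    left=192.168.0.1
    leftcert=moonCert.pem
    leftid="C=CH, O=strongSwan demo, CN=moon.strongswan.org"
    leftsubnet=10.1.0.0/16
    right=192.168.0.2
    rightid="C=CH, O=strongSwan demo, CN=sun.strongswan.org"
    rightsubnet=10.2.0.0/16
    # hard limits (time, volume, packet count)
    lifetime=1h
    lifebytes=1000000000
    lifepackets=1000000
    # soft limits: start rekeying this far before each hard limit
    margintime=9m
    marginbytes=100000000
    marginpackets=100000
    # each margin is randomly increased by up to 100%, so the time
    # based rekeying starts between 9 and 18 minutes before expiry
    rekeyfuzz=100%
    auto=add
EOF
}

# The largest effective margin is margin * (1 + rekeyfuzz/100).  If that
# reaches the lifetime, the rekeying could be due at or before the moment
# the SA is established, so make sure the relation holds for every pair.
# Usage: check_margin LIFETIME MARGIN FUZZ_PERCENT (lifetime and margin in
# the same unit: seconds, bytes or packets).  Returns 0 when sane.
check_margin() {
    life=$1
    margin=$2
    fuzz=$3
    effective=$(( margin * (100 + fuzz) / 100 ))
    [ "$effective" -lt "$life" ]
}

# The three pairs from the conn section above (1h = 3600 s, 9m = 540 s).
check_margin 3600 540 100           && echo "time margin ok"
check_margin 1000000000 100000000 100 && echo "byte margin ok"
check_margin 1000000 100000 100     && echo "packet margin ok"

# A broken combination: 10 minute lifetime, 6 minute margin, 100% fuzz
# gives an effective margin of up to 12 minutes.
check_margin 600 360 100 || echo "10m/6m/100%: margin too large, lower margintime or rekeyfuzz"

write_conn
```

Note that the byte and packet limits are enforced by the IKEv2 charon daemon only; for pluto connections only the time based keylife/rekeymargin pair applies.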

Version 4.3.4:

  • IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can be found on wiki.strongswan.org.
  • ipsec statusall shows the number of bytes transmitted and received over ESP connections configured by the IKEv2 charon daemon.
  • The IKEv2 charon daemon supports include files in ipsec.secrets.

Version number: 4.3.5
Release status: Final
Operating systems: Linux
Website: strongSwan
Download: http://download.strongswan.org/strongswan-4.3.5.tar.gz
File size: 3.50MB
License type: GPL