Software update: strongSwan 4.3.6


Various protocols can be used to secure connections over public networks, one of the most widely used being IPsec. strongSwan is an IPsec implementation for Linux whose 4.2 and 4.3 branches target the current 2.6 Linux kernel. It supports IKEv1, IKEv2 and IPv6, as described on this page. The developers have now released strongSwan 4.3.6. Since the previous entry in the Meuktracker, the following changes have been made:

Version 4.3.6:

  • The IKEv2 daemon supports RFC 3779 IP address block constraints carried as a critical X.509v3 extension in the peer certificate.
  • The ipsec pool --add|del dns|nbns command manages DNS and NBNS name server entries that are sent via the IKEv1 Mode Config or IKEv2 Configuration Payload to remote clients.
  • The Camellia cipher can be used as an IKEv1 encryption algorithm.
  • The IKEv1 and IKEv2 daemons now check certificate path length constraints.
  • The new ipsec.conf conn option “inactivity” closes a CHILD_SA if no traffic was sent or received within the given interval. To close the complete IKE_SA if its only CHILD_SA was inactive, set the global strongswan.conf option “charon.inactivity_close_ike” to yes.
  • More detailed IKEv2 EAP payload information in debug output.
  • IKEv2 EAP-SIM and EAP-AKA share a joint libsimaka library.
  • Added required userland changes for proper SHA256 and SHA384/512 in ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now configures the kernel with 128 bit truncation, not the non-standard 96 bit truncation used by previous releases. To use the old 96 bit truncation scheme, the new "sha256_96" proposal keyword has been introduced.
  • Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This change makes IPComp tunnel mode connections incompatible with previous releases; disable compression on such tunnels.
  • Fixed BEET mode connections on recent kernels by installing SAs with appropriate traffic selectors, based on a patch by Michael Rossberg.
  • Using extensions (such as BEET mode) and crypto algorithms (such as twofish, serpent, sha256_96) allocated in the private use space now requires that the peer knows their meaning, i.e. that we are talking to strongSwan. Use the new "charon.send_vendor_id" option in strongswan.conf to let the remote peer know this is the case.
  • Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the responder omits public key authentication in favor of a mutual authentication method. To enable EAP-only authentication, set rightauth=eap on the responder to rely only on the MSK constructed AUTH payload. This not-yet standardized extension requires the strongSwan vendor ID introduced above.
  • The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus allowing interoperability.
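As an added illustration (not part of the original release notes), the fragments below show how the new 4.3.6 options described above fit together in ipsec.conf and strongswan.conf: the "inactivity" timer with "charon.inactivity_close_ike", the "sha256_96" keyword for a tunnel to a peer still running an older release, and "charon.send_vendor_id" so the peer knows the private-use keyword is meant. All addresses, subnets and connection names are constructed examples.

```ini
# --- /etc/ipsec.conf (example, constructed) ---
config setup

# Site-to-site tunnel whose remote end still runs a pre-4.3.6 strongSwan.
# Such a peer interprets "sha256" as the old 96 bit truncation, while
# 4.3.6 now means the standard 128 bit truncation, so ESP integrity
# checks would fail. "sha256_96" keeps the legacy scheme explicitly.
conn legacy-site
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256_96!
    # Close the CHILD_SA after 5 minutes without traffic in either direction.
    inactivity=300
    auto=start

# Tunnel between two 4.3.6 peers: plain "sha256" is the standard
# 128 bit truncation here and no compatibility keyword is needed.
conn current-site
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=203.0.113.7
    rightsubnet=10.3.0.0/16
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256!
    inactivity=300
    auto=start

# --- /etc/strongswan.conf (example, constructed) ---
charon {
    # Tear down the whole IKE_SA when its only CHILD_SA hit the inactivity timer.
    inactivity_close_ike = yes
    # Announce the strongSwan vendor ID so the peer accepts private-use
    # proposal keywords such as sha256_96.
    send_vendor_id = yes
}
```

Because the truncation change alters what "sha256" means on the wire, an upgrade on one side only shows up as ESP integrity failures rather than an IKE negotiation error; checking both ends' versions before changing the esp= proposal avoids that.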

Version number: 4.3.6
Release status: Final
Operating systems: Linux
Website: strongSwan
Download: http://download.strongswan.org/strongswan-4.3.6.tar.gz
File size: 3.66MB
License type: GPL