Andreas Steffen wrote:
> Hi,
>
> we are happy to announce the first release candidate of the
> forthcoming strongSwan 4.4 release. This major version offers the
> following new features:
>
> * IKEv2 High Availability
> -----------------------
>
> The IKEv2 High Availability plugin has been integrated. It provides
> load sharing and fail-over capabilities in a cluster of currently
> two nodes, based on an extended ClusterIP kernel module. More
> information is available at
>
> http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> The development of the High Availability functionality was sponsored
> by secunet Security Networks AG.
>
>
> * Diffie-Hellman Groups 22, 23, 24 with prime order subgroups
> -----------------------------------------------------------
>
> Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp,
> gcrypt and openssl plugins, usable by both pluto and charon. The
> new proposal keywords are
>
> modp1024s160, modp2048s224, and modp2048s256
>
> as the following IKEv1 and IKEv2 example scenarios show:
>
> http://www.strongswan.org/uml/testresults44rc/ikev1/alg-modp-subgroup/
>
> http://www.strongswan.org/uml/testresults44rc/ikev2/alg-modp-subgroup/
>
> Thanks to Joy Latten from IBM for her contribution.
>
>
> * RAM-based virtual IP address pools for pluto
> --------------------------------------------
>
> The pluto daemon inherited the popular RAM-based virtual IP
> address pool functionality from the charon daemon. The directive
>
> rightsourceip=<subnet>
>
> defines a subnet from which addresses are dynamically allocated,
> as the following example scenario shows:
>
> http://www.strongswan.org/uml/testresults44rc/ikev1/ip-pool/
>
>
> * DHCP and ARP Proxy support
> --------------------------
>
> The new dhcp plugin queries virtual IP addresses for clients from
> a DHCP server using broadcasts or a defined server using the
>
> charon.plugins.dhcp.server =
>
> strongswan.conf option. Additionally, DNS/WINS server information
> is served to clients if the DHCP server provides such information.
> The plugin is used in ipsec.conf configurations with the setting
>
> rightsourceip=%dhcp.
>
> A new plugin called farp handles ARP responses for virtual IP
> addresses handed out to clients by the IKEv2 daemon charon.
> The plugin lets a road-warrior act as a client on the local LAN
> if it uses a virtual IP from the responder's subnet, e.g. acquired
> via the dhcp plugin. The following example scenarios show the use
> of the dhcp and farp plugins:
>
> http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-dynamic/
>
> http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-client-id/
>
> http://www.strongswan.org/uml/testresults44rc/ikev2/dhcp-static-mac/
>
> http://www.strongswan.org/uml/testresults44rc/ikev2/farp/
>
>
> * Arbitrary IKEv2 source and destination ports
> --------------------------------------------
>
> The existing IKEv2 socket implementations have been migrated to the
> socket-default and the socket-raw plugins. The new socket-dynamic
> plugin binds sockets dynamically to ports configured via the
>
> left|rightikeport
>
> ipsec.conf connection parameters.
>
>
> * Android Support
> ---------------
>
> The android plugin stores received DNS server information as
> "net.dns" system properties, as used by the Android platform.
> Thanks to the new libcharon library the IKEv2 charon daemon
> can now be built monolithically. For more information on the
> Android build see
>
> http://wiki.strongswan.org/projects/strongswan/wiki/Android
>
>
> * Storage of public and private keys in PEM format
> ------------------------------------------------
>
> The ipsec pki --gen and --pub commands now allow the output of
> private and public keys in PEM format using the --outform pem
> command line option.
>
> Please give the new features a try and report any problems quickly.
> ETA for the stable strongSwan 4.4.0 release is the beginning of May.
>
> Best regards from the strongSwan team
>
> Andreas Steffen, Tobias Brunner & Martin Willi
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/dev
Hi all,

with respect to testing 4.4.0rc1 I found the following:

1. The ipsec pki --self command could use the --outform pem too, imho.

2. Furthermore, I found that after compiling strongSwan for OpenWrt (see below for ./configure) using 4.3.6 I get an error the first time strongSwan starts:

   r...@openwrt:/# ipsec start
   Starting strongSwan 4.3.6 IPsec [starter]...
   /usr/sbin/ipsec: unknown IPsec command `scepclient' (`ipsec --help' for list)
   r...@openwrt:/# ipsec start
   Starting strongSwan 4.3.6 IPsec [starter]...
   charon is already running (/var/run/charon.pid exists) -- skipping charon start
   starter is already running (/var/run/starter.pid exists) -- no fork done

   4.4.0rc1 does not give the unknown command message; however, it gives a segfault instead... Note that in this case I compiled 4.3.6 with --disable-tools, whereas I did not disable tools with 4.4.0rc1. I recompiled 4.3.6 without --disable-tools and it did not give any errors (although it seemed to take a little longer to start up the first time).

3. After installation of 4.3.6, listalgs works:

   r...@openwrt:/# ipsec listalgs
   List of registered IKEv2 Algorithms:
     encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC BLOWFISH_CBC DES_CBC DES_ECB NULL
     integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_512_256
     hasher:     HASH_SHA1 HASH_MD2 HASH_MD4 HASH_MD5 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512
     prf:        PRF_AES128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
     dh-group:   MODP_2048 MODP_1536 ECP_256 ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768

   However, this stays blank in 4.4.0rc1. (As --disable-tools should not interfere with this and /etc/strongswan.conf seems the same, I do not understand why the openssl plugin is not loaded.)

Kind regards,

Jan Willem Beusink

----
4.3.6:

   $ ./configure --target=mipsel-openwrt-linux --host=mipsel-openwrt-linux \
       --build=i486-linux-gnu --program-prefix= --program-suffix= \
       --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin \
       --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share \
       --localstatedir=/var --mandir=/usr/man --infodir=/usr/info \
       --disable-nls --disable-ipv6 --with-random-device=/dev/random \
       --with-urandom-device=/dev/urandom --enable-curl --disable-aes \
       --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
       --disable-fips-prf --disable-gmp --disable-pubkey --disable-pluto \
       --disable-tools --enable-openssl --disable-pkcs1 \
       --with-routing-prio=220 --with-routing-table=220 --disable-static
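As an added example that is not part of either message above (and not the strongSwan project's own sample configuration), here is how the 4.4 options named in the announcement combine on an IKEv2 responder: a prime-order-subgroup DH proposal, DHCP-backed virtual IPs answered on the LAN by farp, a non-default IKE port via socket-dynamic, and the unicast DHCP server option. The subnet, certificate file, identity, DHCP server address and port number are assumptions.

```conf
# /etc/ipsec.conf (constructed example)
config setup
        # IKEv2 only: do not start pluto
        plutostart=no

conn roadwarrior
        keyexchange=ikev2
        # DH group 24 via the new modp2048s256 keyword; the trailing '!'
        # makes the proposal strict. The group needs one of the gmp,
        # gcrypt or openssl plugins to be loaded (only openssl is enabled
        # in the OpenWrt build quoted above).
        ike=aes128-sha256-modp2048s256!
        esp=aes128-sha256!
        left=%defaultroute
        leftsubnet=10.1.0.0/16
        leftcert=gatewayCert.pem
        leftid=@gateway.example.org
        # non-default IKE port; requires the socket-dynamic plugin and a
        # matching rightikeport on the initiator (assumed value)
        leftikeport=5000
        right=%any
        # virtual IPs are leased from DHCP by the dhcp plugin; farp then
        # answers ARP requests for them so the client appears on the LAN
        rightsourceip=%dhcp
        auto=add

# /etc/strongswan.conf (constructed example)
charon {
        plugins {
                dhcp {
                        # query this server directly instead of broadcasting
                        # (assumed address on the leftsubnet above)
                        server = 10.1.0.2
                }
        }
}
```

Check the result with `ipsec listalgs` after start-up: if the dh-group line does not show the MODP groups, the crypto plugin providing them was not loaded, which is the symptom reported in point 3 above.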
