Hi developers, here is our latest developers release for the major strongSwan 4.5.0 version which is going to offer tons of new features:

- PKCS #11 smartcard support for IKEv2
  ------------------------------------

  The new "pkcs11" plugin brings full smartcard support to the IKEv2
  daemon and the "ipsec pki" utility using one or more PKCS #11
  libraries. It currently supports RSA private and public key
  operations and loads X.509 certificates from tokens.

- General Purpose TLS stack
  -------------------------

  We implemented a general purpose TLS stack based on crypto and
  credential primitives of libstrongswan. "libtls" supports TLS
  versions 1.0, 1.1, and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
  exchange algorithms and RSA/ECDSA based client authentication.

- IKEv2 EAP-TLS support
  ---------------------

  Based on "libtls", the "eap-tls" plugin brings certificate based EAP
  authentication for client and server. It is compatible with Windows 7
  IKEv2 smartcard authentication and the OpenSSL based FreeRADIUS
  EAP-TLS backend.

  Example scenarios:

  http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tls-only/
  http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tls-radius/

- IKEv2 EAP-TTLS support
  ----------------------

  Based on "libtls" and the "eap-tls" plugin, the "eap-ttls" plugin
  brings certificate based EAP-TLS server authentication combined with
  tunneled EAP-MD5 client authentication. Alternative EAP client
  authentication methods can be configured via the strongswan.conf
  option charon.plugins.eap-ttls.phase2_method. A strongSwan EAP-TTLS
  client can interoperate with a FreeRADIUS AAA server.

  http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-ttls-only/
  http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-ttls-radius/

- Future support of Trusted Network Connect (TNC)
  -----------------------------------------------

  As a preparation for the full support of Trusted Network Connect
  (TNC) using the EAP-TTLS protected EAP-TNC transport protocol (IF-T),
  a proof-of-concept version of the IF-TNCCS 1.1 broker protocol was
  created that interoperates with a tr...@fhh 0.7.0 enhanced FreeRADIUS
  server. (For info on the t...@fhh project see
  http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh)

  Example EAP-TNC scenario:

  http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tnc-radius/

  Full TNC support will become available with the strongSwan 4.6.0
  release sometime next year.

- Pluto supports fixed reqids and xfrm marks
  ------------------------------------------

  The pluto IKEv1 daemon now uses the kernel-netlink plugin to
  configure and monitor IPsec policies and security associations in the
  Linux 2.6 kernel. Therefore the fixed reqid and xfrm features
  introduced some time ago in the kernel-netlink plugin are now
  available to pluto.

  Example scenarios:

  http://www.strongswan.org/uml/testresults45dr/ikev1/nat-two-rw-mark/
  http://www.strongswan.org/uml/testresults45dr/ikev1/net2net-same-nets/
  http://www.strongswan.org/uml/testresults45dr/ikev1/rw-mark-in-out/

- IKEv2 CTR, CCM and GCM mode support
  -----------------------------------

  Added new "ctr", "ccm" and "gcm" plugins providing Counter, Counter
  with CBC-MAC and Galois/Counter Modes based on existing CBC
  implementations. These new plugins bring support for AES and Camellia
  Counter and CCM algorithms and the AES GCM algorithms for use in
  IKEv2.

  http://wiki.strongswan.org/projects/strongswan/wiki/CipherSuiteExamples

Please test the new features and give us feedback!

The strongSwan Team:

Tobias Brunner, Martin Willi and Andreas Steffen

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
