Hi Andreas,

looking at the Coupling plug-in, I'm wondering at the feature definition - or maybe I'm misunderstanding it. Suppose GW1 has 10 peers (on the new Whitelist plugin?), I would naturally set the Max value to 10. But if only 8 peers ever show up, I can end up with 7 peers using one cert per peer, and another peer allowed to use 3 certs. Which doesn't make a lot of sense per the described usage scenario.

I believe this feature would be much more useful if the coupling were per-DN. And then I can envision it being extended in the future towards all sorts of opportunistic encryption scenarios.

Thanks,
    Yaron

On 05/09/2011 06:18 PM, Andreas Steffen wrote:
> Hi,
>
> the upcoming strongSwan 4.5.2 release is nearing completion. As a preview
> a first release candidate has been made available on our download site.
> The new release offers the following new features:
>
> - The *whitelist* plugin for the IKEv2 daemon maintains an in-memory
>   identity whitelist. Any connection attempt of peers not whitelisted
>   will get rejected. The 'ipsec whitelist' utility provides a simple
>   command line frontend for whitelist administration.
>   http://wiki.strongswan.org/projects/strongswan/wiki/Whitelist
>
> - The *duplicheck* plugin provides a specialized form of duplicate
>   checking, doing a liveness check on the old SA and optionally notify
>   a third party application about detected duplicates.
>   http://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck
>
> - The *coupling* plugin permanently couples two or more devices by
>   limiting authentication to previously used certificates.
>   http://wiki.strongswan.org/projects/strongswan/wiki/CertCoupling
>
> - Duncan Salerno contributed the *eap-sim-pcsc* plugin implementing a
>   pcsc-lite based SIM card backend.
>
> - The *eap-peap* plugin implements Microsoft's EAP PEAPv0 protocol.
>   Interoperates successfully with a FreeRADIUS server and Windows 7
>   Agile VPN clients.
>   http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-peap-mschapv2/index.html
>
> - In the case that the peer config and child config don't have the same
>   name (usually in SQL database defined connections), ipsec up|route
>   <peer config> starts|routes all associated child configs and
>   ipsec up|route <child config> only starts|routes the specific child
>   config.
>
> - The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and
>   instructs all plugins to reload. Currently only the *eap-radius* and
>   the *attr* plugins support configuration reloading.
>
> - Added userland support to the IKEv2 daemon for Extended Sequence
>   Numbers support coming with Linux 2.6.39. To enable ESN on a
>   connection, add the 'esn' keyword to the proposal. The default
>   proposal uses 32-bit sequence numbers only ('noesn'), and the same
>   value is used if no ESN mode is specified. To negotiate ESN support
>   with the peer, include both, e.g. esp=aes128-sha1-esn-noesn.
>
> - In addition to ESN, Linux 2.6.39 gained support for replay windows
>   larger than 32 packets. The new global strongswan.conf option
>   charon.replay_window configures the size of the replay window, in
>   packets.
>
> - Linux 2.6.38 introduced the AF_ALG Crypto API which makes the crypto
>   algorithms of the kernel available in userland. We have created a
>   number of example scenarios showing the use of the *af-alg* plugin
>   for IKEv1
>   http://www.strongswan.org/uml/testresults45rc/af-alg-ikev1/index.html
>   and IKEv2
>   http://www.strongswan.org/uml/testresults45rc/af-alg-ikev2/index.html
>
> Please test the release candidate and give us feedback on any
> encountered problems. ETA for the stable release is in about 10 days.
>
> Kind regards
>
> Andreas
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/dev
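The situation Yaron describes, as an added illustrative model (constructed for this thread, not code from strongSwan's coupling plugin; the DN strings, fingerprints and the two policy parameters are made-up assumptions): with a single gateway-wide cap of 10, one identity can quietly couple three certificates as long as the global count has not been reached, whereas a per-DN cap of 1 rejects its second and third certificate.

```python
"""Toy model of certificate coupling: gateway-wide cap vs per-DN cap.

Constructed example for discussion only; not strongSwan code.
"""
from collections import defaultdict


def run_policy(events, max_global=None, max_per_dn=None):
    """Replay (dn, cert_fingerprint) authentication events in order.

    A certificate is 'coupled' the first time it is accepted and is always
    accepted afterwards. A not-yet-seen certificate is accepted only while
    the configured cap(s) are not exhausted. Returns the list of decisions
    and the final mapping DN -> sorted list of coupled fingerprints.
    """
    coupled = defaultdict(set)   # DN -> fingerprints coupled to that DN
    decisions = []
    for dn, fp in events:
        if fp in coupled[dn]:                     # already coupled
            decisions.append((dn, fp, "accept"))
            continue
        total = sum(len(s) for s in coupled.values())
        if max_global is not None and total >= max_global:
            decisions.append((dn, fp, "reject"))  # gateway-wide cap hit
            continue
        if max_per_dn is not None and len(coupled[dn]) >= max_per_dn:
            decisions.append((dn, fp, "reject"))  # this DN's cap hit
            continue
        coupled[dn].add(fp)
        decisions.append((dn, fp, "accept"))
    return decisions, {dn: sorted(s) for dn, s in coupled.items()}


# Constructed events: 7 peers with one cert each, then peer8 with 3 certs.
PEER8 = "C=CH, O=Example, CN=peer8"
EVENTS = [(f"C=CH, O=Example, CN=peer{i}", f"fp-peer{i}-a") for i in range(1, 8)]
EVENTS += [(PEER8, f"fp-peer8-{suffix}") for suffix in "abc"]


def rejected(decisions):
    """Fingerprints that were turned away under a policy."""
    return [fp for _, fp, verdict in decisions if verdict == "reject"]


if __name__ == "__main__":
    for label, kwargs in (("Max=10 global", {"max_global": 10}),
                          ("1 cert per DN", {"max_per_dn": 1})):
        decisions, state = run_policy(EVENTS, **kwargs)
        print(f"{label}: peer8 coupled {len(state[PEER8])} cert(s), "
              f"rejected {rejected(decisions)}")
```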
