Hi, we are proud to announce the release candidate of strongSwan 5.0.3. Again a lot of new features made it into our forthcoming release:
- Public Keys protected by DNSSEC stored in the Domain Name System
----------------------------------------------------------------

The new ipseckey plugin enables authentication based on trustworthy public
keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
To do so it uses a DNSSEC enabled resolver, like the one provided by the
unbound plugin, which is based on libldns and libunbound. Both plugins were
created by Reto Guadagnini.

https://www.strongswan.org/uml/testresults5rc/ikev2/rw-dnssec/

- Assignment of Virtual IPs by RADIUS Server
------------------------------------------

The eap-radius plugin can now assign virtual IPs to IKE clients using the
Framed-IP-Address attribute by using the "%radius" named pool in the
rightsourceip ipsec.conf option.

https://www.strongswan.org/uml/testresults5rc/ikev2/rw-eap-framed-ip-radius/

- Improved RADIUS Account Records
-------------------------------

charon now sends Interim Accounting updates if requested by the RADIUS
server, reports sent/received packets in Accounting messages, and adds a
Terminate-Cause to Accounting-Stops.

https://www.strongswan.org/uml/testresults5rc/ikev2/rw-radius-accounting/

  Fri Mar 22 22:48:55 2013
    Acct-Status-Type = Stop
    Acct-Session-Id = "1363992527-1"
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    NAS-Port = 1
    NAS-Port-Id = "rw-eap"
    NAS-IP-Address = 192.168.0.1
    Called-Station-Id = "192.168.0.1[4500]"
    Calling-Station-Id = "192.168.0.100[4500]"
    User-Name = "carol"
    Framed-IP-Address = 10.3.0.1
    Framed-IPv6-Prefix = fec3::1/128
    Acct-Output-Octets = 7100
    Acct-Output-Packets = 5
    Acct-Input-Octets = 7100
    Acct-Input-Packets = 5
    Acct-Session-Time = 6
    Acct-Terminate-Cause = User-Request
    NAS-Identifier = "strongSwan"
    Acct-Unique-Session-Id = "b4a2d1ea2b30f92c"
    Timestamp = 1363992535

- Improved IKE Statistics
-----------------------

The "ipsec listcounters" command can report connection specific counters by
passing a connection name, and global or connection counters can be reset by
the "ipsec resetcounters" command.

  ipsec listcounters hsr-v4
  List of IKE counters for 'hsr-v4':
  ikeInitRekey                 0
  ikeRspRekey                  0
  ikeChildSaRekey              0
  ikeInInvalid                 0
  ikeInInvalidSpi              0
  ikeInInitReq                 0
  ikeInInitRsp                 2
  ikeOutInitReq                2
  ikeOutInitRsp                0
  ikeInAuthReq                 0
  ikeInAuthRsp                 2
  ikeOutAuthReq                2
  ikeOutAuthRsp                0
  ikeInCrChildReq              0
  ikeInCrChildRsp              0
  ikeOutCrChildReq             0
  ikeOutCrChildRsp             0
  ikeInInfoReq                 1
  ikeInInfoRsp                 1
  ikeOutInfoReq                1
  ikeOutInfoRsp                1

- Trusted Key Manager (TKM)
-------------------------

The new charon-tkm IKEv2 daemon delegates security critical operations to a
separate process. This has the benefit that the network facing daemon has no
knowledge of keying material used to protect child SAs. Thus subverting
charon-tkm does not result in the compromise of cryptographic keys. The
extracted functionality has been implemented from scratch in a minimal TCB
(trusted computing base) in the Ada programming language.

Further information can be found at http://www.codelabs.ch/tkm/ and in the
following research report:

http://security.hsr.ch/mse/projects/2012_IKE-Separation.pdf

- New xauth-noauth Plugin
-----------------------

The new xauth-noauth plugin allows using basic RSA or PSK authentication with
clients that cannot be configured without IKEv1 XAuth authentication. The
plugin simply concludes the XAuth exchange successfully without actually
performing any authentication. To use this backend it has to be selected
explicitly with rightauth2=xauth-noauth.

- New systime-fix Plugin
----------------------

The charon systime-fix plugin can disable certificate lifetime checks on
embedded systems if the system time is obviously out of sync after bootup.
Certificate lifetimes get checked once the system time gets sane, closing or
reauthenticating connections using expired certificates.

- Hardware Acceleration of IKEv2 AES-GCM
--------------------------------------

The openssl plugin now uses the AES-NI accelerated version of AES-GCM if the
processor hardware supports it.

- Support of the RFC 6876 PT-TLS Protocol (TCG TNC IF-T for TLS 2.0)
------------------------------------------------------------------

The strongSwan libpttls library provides an experimental implementation of
PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.

- TNC IF-IMV 1.4 Draft Version Support
------------------------------------

Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
available to an IMV. The OS IMV stores the AR identity together with the
device ID in the attest database.

https://www.strongswan.org/uml/testresults5rc/tnc/tnccs-20-os/

  Mar 22 19:49:10 moon charon: 14[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
  14[IMV] over IF-T for Tunneled EAP 1.1 with maximum PA-TNC message size of 65490 bytes
  14[IMV] user AR identity 'ca...@strongswan.org' authenticated by password

Database query:

  ipsec attest --devices
  5: cf5e4cbcc6e6a2db  Mar 12 21:41:04 2013, 22, 0, 0, 4, 'Android 4.1.1' john

- New ikedscp Configuration Option
--------------------------------

The "ikedscp" ipsec.conf option can set DiffServ code points as defined by
RFC 2474 on outgoing IKE packets.

  ikedscp = 000000 | <DSCP field>

Please test our release candidate and report any problems. ETA for the
stable 5.0.3 release is end of March 2013.

Kind regards

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________ Dev mailing list Dev@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/dev
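As an added worked example, not code from the strongSwan project or from the announcement above: a small Python parser for the IPSECKEY resource record that the new ipseckey plugin consumes. It takes the record's presentation form (precedence, gateway type, algorithm, gateway, base64 key, as laid out in RFC 4025), converts it to RDATA wire form, and splits an RSA public key in the RFC 3110 encoding into exponent and modulus, including the two-byte exponent-length case that a naive decoder gets wrong. The sample record and its key bytes are constructed for this example (a toy 64-bit modulus, unusable with a real peer); that the plugin expects algorithm 2 keys in RFC 3110 encoding is the usual IPSECKEY convention and an assumption here, since the announcement only says "public keys". What the script cannot show is the part that makes the record trustworthy: the DNSSEC validation performed by the resolver (the unbound plugin). A record that parses cleanly is only as trustworthy as the validating resolver that returned it.

```python
import base64
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IPSECKEY gateway types (RFC 4025 section 2.3) and algorithm types (section 2.4).
GW_NONE, GW_IPV4, GW_IPV6, GW_DOMAIN = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2

# Constructed sample (not from the announcement): precedence 10, IPv4 gateway,
# RSA key. The key is a hand-built RFC 3110 blob: exponent length 3, e=65537,
# then a 64-bit toy modulus 0xC35A1F779E02B441. Real keys are far longer.
SAMPLE_RDATA = "10 1 2 192.0.2.38 AwEAAcNaH3eeArRB"


@dataclass
class IpsecKey:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]   # dotted IPv4, IPv6 text, domain name, or None
    public_key: bytes        # raw key blob exactly as carried in the RDATA


def parse_ipseckey(rdata: str) -> IpsecKey:
    """Parse the presentation format of IPSECKEY RDATA (RFC 4025 section 3)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("need precedence, gateway type, algorithm and gateway")
    precedence, gw_type, alg = (int(f) for f in fields[:3])
    if not 0 <= precedence <= 255:
        raise ValueError("precedence is an 8-bit field")
    gw_text = fields[3]
    if gw_type == GW_NONE:
        if gw_text != ".":            # RFC 4025: no gateway is written as "."
            raise ValueError("gateway type 0 must carry '.' as gateway")
        gateway = None
    elif gw_type == GW_IPV4:
        gateway = str(ipaddress.IPv4Address(gw_text))   # raises on bad input
    elif gw_type == GW_IPV6:
        gateway = str(ipaddress.IPv6Address(gw_text))
    elif gw_type == GW_DOMAIN:
        gateway = gw_text.rstrip(".")
        if not gateway:
            raise ValueError("empty domain-name gateway")
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    # The base64 key may be split over several whitespace-separated chunks.
    key_b64 = "".join(fields[4:])
    if alg == ALG_NONE and key_b64:
        raise ValueError("algorithm 0 must not carry a public key")
    if alg != ALG_NONE and not key_b64:
        raise ValueError("algorithm %d needs a public key" % alg)
    public_key = base64.b64decode(key_b64, validate=True) if key_b64 else b""
    return IpsecKey(precedence, gw_type, alg, gateway, public_key)


def _name_to_wire(name: str) -> bytes:
    """Uncompressed DNS name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def to_wire(rec: IpsecKey) -> bytes:
    """Encode the record as RDATA wire format (RFC 4025 section 2)."""
    out = bytes([rec.precedence, rec.gateway_type, rec.algorithm])
    if rec.gateway_type == GW_IPV4:
        out += ipaddress.IPv4Address(rec.gateway).packed
    elif rec.gateway_type == GW_IPV6:
        out += ipaddress.IPv6Address(rec.gateway).packed
    elif rec.gateway_type == GW_DOMAIN:
        out += _name_to_wire(rec.gateway)
    return out + rec.public_key


def decode_rfc3110_rsa(blob: bytes) -> Tuple[int, int]:
    """Split an RFC 3110 RSA public key blob into (exponent, modulus).

    Layout: one byte of exponent length, or 0x00 followed by a 2-byte length
    when the exponent is longer than 255 bytes; then the exponent; the
    modulus fills the rest of the blob.
    """
    if len(blob) < 3:
        raise ValueError("key blob too short")
    exp_len, offset = blob[0], 1
    if exp_len == 0:
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    if exp_len == 0 or len(blob) <= offset + exp_len:
        raise ValueError("exponent length does not fit the key blob")
    exponent = int.from_bytes(blob[offset:offset + exp_len], "big")
    modulus = int.from_bytes(blob[offset + exp_len:], "big")
    return exponent, modulus


if __name__ == "__main__":
    rec = parse_ipseckey(SAMPLE_RDATA)
    e, n = decode_rfc3110_rsa(rec.public_key)
    print(rec, to_wire(rec).hex(), "e=%d n=%#x" % (e, n))
```

The parser deliberately refuses a record whose algorithm and key field disagree rather than guessing; in a deployment, the decision to use the key at all belongs to the DNSSEC validation step that precedes it, which this script does not replace.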