The Libreswan Project has released libreswan-3.23

This is a feature and maintenance release.

New Features:

* MOBIKE support (RFC 4555) via mobike=yes|no using XFRM_MIGRATE
* IKEv2 split DNS support (draft-ietf-split-dns) via modecfg* options
* Postquantum Preshared Keys (PPK) support via ppk=yes|no (draft-ietf-ipsecme-qr-ikev2-01)
* Improved Multi-domain server support using IDr payloads
* New IPsec SA options decap-dscp=yes|no and nopmtudisc=yes|no

Important bugfixes:

* Updated nic-offload= support
* updown now adds/removes IP addresses with "scope 50"
* pthread handling fixes for busy servers
* Fix unique marks accidentally setting -1

Compatibility changes:

* modecfgdns1= and modecfgdns2= merged into a new modecfgdns= option
* modecfgdomain= option renamed to modecfgdomains=

You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.23.tar.gz
https://download.libreswan.org/libreswan-3.23.tar.gz.asc

The full changelog is available at:

https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v3.23 (January 25, 2018)
* IKEv2: MOBIKE support (RFC 4555) [Antony/Paul]
* IKEv2: Add support for modecfgdns= and modecfgdomains= like for IKEv1 [Paul]
* IKEv2: EXPERIMENTAL: Support for Postquantum Preshared Keys [Vukasin Karadzic]
   based on draft-ietf-ipsecme-qr-ikev2-01 (using private use numbers)
   new option: ppk=yes|no|insist (default no)
* pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo]
* pluto: Add support IDr payload (You Tarzan, me Jane) [Paul]
* pluto: pass state to send_crypto_helper_request() [Andrew]
* pluto: Internal time/scheduling changes, micro-seconds logging [Andrew]
* pluto: make counts of states consistently "unsigned" [Hugh]
* pluto/lib: Remove obsoleted/unused %myid support [Paul]
* pluto: add --impair replay-forward,replay-backward [Andrew]
* pluto: add --impair dup-incoming-packets [Andrew]
* pluto: Rework nic offload detection code [Aviv Heller]
* pluto: Retry send on -EAGAIN in check_msg_errqueue() (up to 32x) [Paul/Hugh]
* pluto: Pull latest kernel traffic counters before logging/deleting SA [Paul]
* pluto: STF_INLINE, STF_TOOMUCHCRYPTO no longer needed in helpers [Andrew]
* pluto: Replace socket queues with a simple queue and mutex+cont [Andrew]
* pluto: Do not send DPD/liveness probes for replaced inactive IPsec SAs [Paul]
* pluto: crypto processing cleanup [Andrew]
* XFRM: XFRM_MIGRATE support, used for MOBIKE [Antony]
* XFRM: Listen to NETLINK_ROUTE messages from kernel for MOBIKE [Antony]
* XFRM: Fix unique marks accidentally setting -1 instead of random [Paul]
* XFRM: Only install IPv6 holes when system has configured IPv6 [Antony]
* XFRM: Add support for decap-dscp=yes|no (default no) [Paul]
* XFRM: Add support for nopmtudisc=yes|no (default no) [Paul]
* KLIPS: Support kernels 4.14+ with renamed dev->priv_destructor [Paul]
* KLIPS: updown fixes for IPv6 default route and metric/mtu settings [Wolfgang]
* SECCOMP: Update syscall whitelist for use of libunbound [Paul]
* IKEv1: better handle ESP with no integrity vs unknown integrity [Andrew]
* IKEv1: Fix packet retransmit code wrt timeouts vs duplicates [Andrew]
* IKEv1: Prevent duplicate responder states on retransmission [Andrew]
* IKEv1: Don't linger R1 states for 1h but use configured timeouts [Paul]
* IKEv2: nat_traversal_change_port_lookup() code moved [Antony]
* IKEv2: Macros could misinterpret some IKE/IPsec states [Paul/Antony]
* IKEv2: Updated Group transforms to comply with RFC 8247 [Paul]
* PAM: Don't cancel pam threads (unsupported!) but drop results instead [Andrew]
* _updown: Fix resolv.conf handling (github #130) [Tuomo]
* _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo]
* _updown.netkey: Add source ip to dev lo by default [Tuomo]
* Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo]
* packaging: Move debian/ to packaging ('make deb' still works) [Antony]
* contrib: Added ipsec-dyndns to demonstrate how to push an IPSECKEY [Paul]
* Bugtracker bugs fixed:
   #313: changesource in updown_klips doesn't respect PLUTO_METRIC [Wolfgang]
   #314: IPv6 default route is deleted by mistake [Wolfgang]
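
The compatibility changes in this release affect existing ipsec.conf files. The following is an added example, not part of the announcement or of libreswan itself: a small Python pass that rewrites the old option names per conn section and reports what it changed. The sample config is constructed, and the comma-separated value format for the merged modecfgdns= option is an assumption to confirm against the ipsec.conf man page of the installed version.

```python
import re

# Indented "key=value" option line; value may be double-quoted, no trailing comment.
OPTION = re.compile(r'^(\s+)([\w-]+)\s*=\s*"?([^"#]*?)"?\s*$')
OLD_DNS = ("modecfgdns1", "modecfgdns2")

def migrate(conf_text):
    """Rewrite pre-3.23 modecfg options; return (new_text, notes)."""
    out, notes = [], []
    section, pending = "(top)", None   # pending = [index in out, indent, {key: value}]
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = OPTION.match(line)
        if not m:
            # An unindented, non-comment line starts a new section ("conn x").
            if line and not line[0].isspace() and not line.startswith("#"):
                section, pending = line.strip(), None
            out.append(line)
            continue
        indent, key, value = m.groups()
        if key in OLD_DNS:
            notes.append(f"{section}: line {lineno}: {key}= merged into modecfgdns=")
            if pending is None:
                pending = [len(out), indent, {}]
                out.append("")         # slot for the merged line
            pending[2][key] = value
            # Assumption: modecfgdns= takes a comma-separated list of servers.
            merged = ", ".join(v for _, v in sorted(pending[2].items()))
            out[pending[0]] = f'{pending[1]}modecfgdns="{merged}"'
        elif key == "modecfgdomain":
            notes.append(f"{section}: line {lineno}: modecfgdomain= renamed to modecfgdomains=")
            out.append(f'{indent}modecfgdomains="{value}"')
        else:
            out.append(line)
    return "\n".join(out) + "\n", notes

# Constructed sample input (documentation addresses, hypothetical conn name).
SAMPLE = """\
# constructed example, not a real deployment
conn roadwarriors
    left=192.0.2.1
    modecfgdns1=192.0.2.53
    modecfgdns2=192.0.2.54
    modecfgdomain="corp.example"
    mobike=yes
"""

if __name__ == "__main__":
    new_text, notes = migrate(SAMPLE)
    print(new_text, *notes, sep="\n")
```

Lines with a trailing comment after the value are left untouched by this pass and need a manual check.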
