The Libreswan Project has released libreswan 4.2

This is a minor feature and bugfix release.

This release introduces IKEv2 Labeled IPsec support as defined in draft-ietf-ipsecme-labeled-ipsec. A new auto=keep allows for a responder/server to wait for a dynamic peer to connect, and then treat it as auto=start to keep the connection up. The new global option ikev1-policy= enables libreswan to drop all IKEv1 packets. To reduce traffic interruption during a libreswan restart, the whack shutdown option now takes the option --leave-state, which can be specified to leave the kernel state intact as long as possible.

The main bugfixes are re-introducing the "BAD MICROSOFT" proposal required for L2TP/IPsec with old Windows machines, a bugfix for when IKEv1/XAUTH needs to retransmit packets, some NAT and MOBIKE ephemeral port fixes, and a re-introduction of two old aliased option names that are still in use by NetworkManager-libreswan for IKEv1.

This latest version of libreswan can be downloaded from:

https://download.libreswan.org/libreswan-4.2.tar.gz
https://download.libreswan.org/libreswan-4.2.tar.gz.asc

The full changelog is available at:

https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:

https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release.

See also https://libreswan.org/

v4.2 (February 2, 2021)
* IKEv2: Support for IKEv2 Labeled IPsec [Hugh, Sahana, Paul, Kavinda Wewegama]
* IKEv2: MOBIKE could cause assertion failure due to eroute ownership [Paul]
* IKEv2: MOBIKE and NAT port update code interfered with each other [Andrew]
* IKEv1: Re-enable questionable Microsoft proposals to fix L2TP/IPsec [Paul]
* IKEv1: Do not load IKEv1 conns when IKEv1 support not compiled in [Paul]
* IKEv1: Fix XAUTH: re-transmit when sending CFG request [Andrew]
* pluto: New config setup option ikev1-policy=<accept|drop|reject> [Paul]
* pluto: Change default ikelifetime from 1h to 8h [Paul]
* pluto: Add ignore-peer-dns=yes|no and whack --ignore-peer-dns [Paul]
* pluto: Startup could take long time closing fd's (github#373) [Andrew]
* pluto: IKEv2 connection could accidentally retry as IKEv1 [Andrew]
* pluto: change default IKE SA lifetime from 1h to 8h [Paul]
  Resolves: github#362, github#405, hwdsl2/setup-ipsec-vpn#912
* pluto: Revived conns can try to quickly re-use existing NAT mapping.
  Can be used with new auto=keep [Paul, Andrew]
* pluto: Don't complain about DNS names starting with number [Paul]
* pluto: Re-implement Labeled IPsec for IKEv1 [Paul, Sahana]
* pluto: Support for --shutdown --leave-state [Paul]
* whack: add very raw --processstatus [Andrew]
* whack: no longer require --ipv6 when specifying raw IPv6 host addresses
* libswan: Re-introduce xauthusername/remote_peer_type for NM-libreswan [Paul]
* initsystem: fix docker/podman startup with sysvinit [Paul]
* initsystem: ensure non-testing namespaces work with systemd [Paul]
* initsystem: systemd support for ipsec whack --shutdown --leave-state [Paul]
* pluto: prefer IPv4 over IPv6 when performing DNS lookups [Andrew]
* building: Support for compiling without IKEv1 via USE_IKEv1=false [Paul]
* building: Various clang compiler related fixes [Timm Baeder]
* building: fix NetBSD arm64 build [Andrew]
* testing: many updates [Andrew, Paul]
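
For administrators adopting the two configuration options announced above (ikev1-policy= in config setup and auto=keep on a conn), the following added example, which is not part of the original announcement or of libreswan itself, audits an ipsec.conf text for them. The parser is a simplification, the function names and status strings are hypothetical, and the sample configuration is constructed.

```python
import re
# Values the announcement lists: ikev1-policy=<accept|drop|reject>
IKEV1_POLICIES = {"accept", "drop", "reject"}

def parse_ipsec_conf(text):
    """Simplified ipsec.conf parser: section headers at column 0, indented
    key=value lines below. 'include' and 'also=' are not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # new section header
            m = re.match(r"(config\s+setup|conn\s+(\S+))$", line)
            current = None
            if m:
                name = "conn " + m.group(2) if m.group(2) else "config setup"
                current = sections.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def audit(text):
    """Return (ikev1_status, conns_using_auto_keep)."""
    sections = parse_ipsec_conf(text)
    policy = sections.get("config setup", {}).get("ikev1-policy")
    if policy is None:
        status = "unset"  # daemon default applies; not stated in the announcement
    elif policy not in IKEV1_POLICIES:
        status = "invalid:" + policy
    else:
        status = "ikev1-accepted" if policy == "accept" else "ikev1-refused:" + policy
    keep = sorted(n[5:] for n, opts in sections.items()
                  if n.startswith("conn ") and opts.get("auto") == "keep")
    return status, keep

# Constructed sample configuration, not taken from the announcement
SAMPLE = """\
config setup
    ikev1-policy=drop   # new global option in 4.2
conn roadwarriors
    right=%any
    auto=keep
conn site-b
    auto=start
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A status of "unset" or "ikev1-accepted" on a host meant to be IKEv2-only is the finding to follow up on.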
