Hi and thanks! I have successfully upgraded. I was following the git repository at https://github.com/libreswan/libreswan however these changes do not seem to be in there, right?
Also I am still having issues described in this post https://lists.libreswan.org/pipermail/swan/2014/000826.html (i.e. multiple clients cannot connect from the same NAT). Is this an outstanding issue still or a configuration problem?

Kind regards
Jonas

2015-06-15 15:32 GMT+02:00 Paul Wouters <[email protected]>:
>
> Hi,
>
> We have made a 3.14rc2 Release Candidate available for testing.
>
> As the changes between 3.13 and 3.14 are significant, we would like
> to hear back from the community for any potential issues they find,
> including the upgrade from 3.13 to 3.14rc2. This upgrade will also
> upgrade the NSS database in /etc/ipsec.d from dbm format to sql format,
> so please do backup /etc/ipsec.d before attempting an upgrade.
>
> The (not fully completed) changelog follows below.
>
> Paul
>
> * NSS: Major rewrite of PRF / PRFPLUS / integrity functions [Andrew]
> * CAVS: Added programs/pluto/cavp for NIST CAVS testing [Andrew]
> * IKEv2: authby=null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]
> * IKEv2: leftid=%null support (draft-ietf-ipsecme-authnull) [Paul/Antony/Hugh]
> * IKEv2: whack and smc related time out fixes [Antony]
> * IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]
> * IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP [Paul]
> * IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]
> * IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]
> * IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response [Antony]
> * IKEv1: Don't copy isakmp_sa from received packet [Paul]
> * FIPS: Enforce crypto restrictions in FIPS mode (no md5,twofish, etc) [Paul]
> * XAUTH: retransmit user/password request in 10s (instead of 30s) [Wolfgang]
> * X509: Re-added CRL and OCSP support using NSS [Matt]
> * X509: Expired certificate could crash pluto [Wolfgang]
> * x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= [Matt]
>         ocsp_uri= and ocsp_trust_name=
> * pluto: Converted select() loop to use libevent and subsecond timers [Antony]
> * pluto: Added retransmit-timeout= and retransmit-interval= [Antony]
> * pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]
> * pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]
> * pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]
> * pluto: Remove last weary old X.509 patch code and use NSS instead [Matt]
> * pluto: Static IP support using passwd file with addresspool= [Wolfgang]
> * pluto: major tidy of labeled ipsec code [Hugh]
> * pluto: fixes for uninitialized fields in output struct [Hugh/Paul]
> * pluto: audit format and log item update as per audit spec [Paul]
> * pluto: simplify and clarify sa_copy_sa and friends [Hugh]
> * pluto: small steps improving crypto helpers [Hugh]
> * pluto: plutostderrlog= renamed to logfile= [Paul]
> * pluto: plutostderrlogtime= renamed to logtime= [Paul]
> * pluto: New option logappend=yes|no (default yes) [Paul]
> * pluto: Removed obsoleted loopback= support [Paul]
> * pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]
> * pluto: do not terminate_connection() in-flight [Hugh]
> * pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
> * pluto: Use "third best" monotime() on mismatched kernel/glibc headers [Paul]
> * pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]
> * pluto: fix modecfg client/server status display (was swapped) [Herbert]
> * pluto: NFLOG support via nflog-all= and nflog= keywords [Paul]
> * pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]
> * libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir Rintel]
> * readwriteconf: improve error handling [Hugh]
> * ipsec: ipsec --import does not need to run restorecon [Paul]
> * ipsec: --checknss option automatically updates NSS DB to SQL [Matt]
> * packaging: Various SPEC file fixes [Tuomo/Kim]
> * packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]
> * initsystems: run ipsec --checknss before start [Tuomo]
> * building: overhaul of build system Makefiles (see mk/) [Andrew]
> * testing: docker test type support [Antony]
> * testing: test case updates/additions [Antony/Paul/Andrew/Matt]
> * NETKEY: Increase netlink message buffer for larger SElinux labels [Paul]
> * KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]
> * KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]
> * KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]
> * KLIPS: Support for sha2_truncbug [Wolfgang]
> * whack: New command ipsec whack --purgeocsp [Matt]
> * whack: cleanup help text [Tuomo]
> * _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]
> * _updown: add proxy arp for cases where routing won't work [Tuomo/Wolfgang]
> * Bugtracker bugs fixed:
>    #260: libswan: extra safety around same_id() when ID_FROMCERT is used [Paul]
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
>
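The quoted announcement asks for a backup of /etc/ipsec.d before the dbm-to-sql NSS conversion, and its changelog renames or removes several configuration keywords. The script below is an added example of pre-upgrade checks for both; it is not part of the original thread or of libreswan's tooling. The function names and archive name are assumptions, and the scratch directory and configuration are constructed sample input.

```shell
#!/bin/sh
# Added example (not libreswan code). Function names are assumptions.

# NSS database format in a directory: sql uses cert9.db/key4.db,
# legacy dbm uses cert8.db/key3.db.
nss_db_format() {
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then echo sql
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then echo dbm
    else echo none
    fi
}

# Archive directory $1 into $2 and print the archive path. umask 077 keeps
# the archive owner-only, because the NSS database holds private keys.
backup_ipsec_d() {
    archive="$2/ipsec.d-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    ( umask 077 && tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")" ) || return 1
    echo "$archive"
}

# Print "line:keyword -> action" for keywords the 3.14 changelog renames or removes.
check_renamed_options() {
    awk '
        /^[ \t]*(plutostderrlogtime|plutostderrlog|loopback)[ \t]*=/ {
            kw = $0; sub(/^[ \t]*/, "", kw); sub(/[ \t]*=.*/, "", kw)
            if (kw == "plutostderrlog") act = "rename to logfile="
            else if (kw == "plutostderrlogtime") act = "rename to logtime="
            else act = "remove (obsolete loopback= support)"
            printf "%d:%s -> %s\n", NR, kw, act
        }' "$1"
}

# Constructed sample: a scratch directory standing in for /etc and /etc/ipsec.d.
demo=$(mktemp -d)
mkdir "$demo/ipsec.d"
: > "$demo/ipsec.d/cert8.db"; : > "$demo/ipsec.d/key3.db"
cat > "$demo/ipsec.conf" <<'EOF'
config setup
    plutostderrlog=/var/log/pluto.log
    plutostderrlogtime=yes
conn example
    loopback=no
    # loopback=yes (commented out, ignored)
EOF
echo "NSS format: $(nss_db_format "$demo/ipsec.d")"
echo "backup:     $(backup_ipsec_d "$demo/ipsec.d" "$demo")"
check_renamed_options "$demo/ipsec.conf"
```

On a real host the same functions would be pointed at /etc/ipsec.d and /etc/ipsec.conf, with the archive written somewhere outside /etc/ipsec.d.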
