Hi, as usual we are publishing a release candidate two weeks before the final version of the major strongSwan 4.5 release. A lot of new features made it into the new release:
- IKEv2 becomes the default key exchange mode
-------------------------------------------

In 2010 we commemorate the five year anniversary of the original IKEv2 RFC 4306. Actually it has been replaced in September by its mature successor RFC 5996, which specifies the protocol in much more detail. Therefore, starting with strongSwan 4.5, the default keyexchange=ike option will be equivalent to keyexchange=ikev2. If you still want to use the old IKEv1 protocol then you must explicitly define keyexchange=ikev1. But we think that the time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol!

- IKEv2 AEAD ciphersuites supported by new ctr, ccm and gcm plugins
-----------------------------------------------------------------

The new plugins provide Counter Mode (CTR), Counter Mode with CBC-MAC (CCM) and Galois/Counter Mode (GCM) based on existing CBC encryption implementations. CTR and CCM can be used with either AES or Camellia, and GCM with AES. An overview of all supported algorithms can be found on our wiki:

http://wiki.strongswan.org/projects/strongswan/wiki/CipherSuiteExamples

- IKEv2 smartcard support
-----------------------

The new pkcs11 plugin brings full smartcard support to the IKEv2 daemon and the "ipsec pki" utility using one or more PKCS#11 libraries. It currently supports RSA private and public key operations and loads X.509 certificates from tokens.

- EAP-TLS support
---------------

Implemented a general purpose TLS stack based on the crypto and credential primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2, the ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms, and RSA/ECDSA based client authentication. Based on libtls, the eap-tls plugin brings certificate-based EAP authentication for client and server. It is compatible with Windows 7 IKEv2 smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend.
Example with FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tls-radius/

Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tls-only/

- EAP-TTLS support
----------------

EAP-TTLS uses strong EAP-TLS authentication for the server and potentially weak password-based client authentication (EAP-MD5, etc.) over a secure TLS tunnel.

Example with FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-ttls-radius/

Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-ttls-only/

- Trusted Network Connect support
-------------------------------

Implemented the TNCCS 1.1 Trusted Network Connect protocol using the libtnc library on the strongSwan client and server side via the tnccs_11 plugin, optionally connecting to a t...@fhh-enhanced FreeRADIUS AAA server. Depending on the resulting TNC Recommendation, strongSwan clients are granted access to a network behind a strongSwan gateway (allow), are put into a remediation zone (isolate) or are blocked (none), respectively.

Example with t...@fhh-enhanced FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc-radius/

Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc/

Group membership attributes are used to assign clients either to the 'rw-allow' or 'rw-isolate' subnets, respectively.
As an alternative, non-complying clients can be blocked from access:

Example with t...@fhh-enhanced FreeRADIUS AAA server:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc-radius-block/

Example with a strongSwan gateway doing EAP-TLS only authentication:
http://www.strongswan.org/uml/testresults45rc/ikev2/rw-eap-tnc-block/

Any number of Integrity Measurement Collector/Verifier pairs can be attached via the tnc-imc and tnc-imv charon plugins.

- Multiple RADIUS servers
-----------------------

The RADIUS plugin eap-radius now supports multiple RADIUS servers for redundant setups. Servers are selected by a defined priority, server load and availability.

http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

- LED plugin
----------

If you plan to throw a party, you can now dance to the beat of your IKEv2 packets. The simple led plugin controls hardware LEDs through the Linux LED subsystem. It currently shows activity of the IKE daemon and is a good example of how to implement a simple event listener.

- XAUTH with ModeConfig bug fix
-----------------------------

Fixed a bug that did not release a virtual IP address back to its pool if the XAUTH identity was different from the IKE identity.

- Pluto uses kernel-netlink plugin
--------------------------------

Pluto now uses the kernel-netlink plugin to configure and monitor IPsec policies and security associations in the Linux 2.6 kernel.

- Created man page for strongswan.conf
-----------------------------------

The increasing number of strongswan.conf options, which up to now were only listed on our wiki:

http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

are now also documented by "man strongswan.conf".

Enjoy the new release and please report back any problems or questions that you might encounter.
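As an added upgrade check for the keyexchange default change described under "IKEv2 becomes the default key exchange mode" (example code written for this page, not part of strongSwan or the release): it parses an ipsec.conf and lists the conns that will silently switch from IKEv1 to IKEv2 because they set keyexchange=ike or nothing at all. The sample configuration is constructed, the proposal strings in it are assumed to follow the wiki's ciphersuite syntax, and the parser assumes conns do not use also= includes.

```python
# Constructed sample ipsec.conf for this demonstration, not a real deployment.
SAMPLE_IPSEC_CONF = """\
conn %default
    ikelifetime=60m

conn legacy-rw
    right=192.0.2.1
    keyexchange=ike          # selected IKEv1 before 4.5, IKEv2 from 4.5 on

conn legacy-implicit
    right=192.0.2.2          # no keyexchange at all: inherits the daemon default

conn modern-rw
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-modp2048!
    esp=aes128gcm16!

conn old-explicit
    keyexchange=ikev1
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section; other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header starts at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def conns_affected_by_new_default(text):
    """List (conn, effective keyexchange) for conns that silently switch to IKEv2 in 4.5."""
    conns = parse_ipsec_conf(text)
    default = conns.pop("%default", {}).get("keyexchange")   # %default applies to all conns
    affected = []
    for name, params in conns.items():
        effective = params.get("keyexchange", default)
        if effective is None or effective == "ike":
            affected.append((name, effective or "unset"))
    return affected

if __name__ == "__main__":
    for name, value in conns_affected_by_new_default(SAMPLE_IPSEC_CONF):
        print(f"conn {name}: keyexchange={value}; set keyexchange=ikev1 to keep IKEv1")
```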
Best regards

Andreas Steffen, Tobias Brunner, Martin Willi
The strongSwan Team

======================================================================
Andreas Steffen                                    [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
