Hi,

the release candidate for strongSwan 5.1.1 is available for download.
The following new features have been added:

* Trusted Network Connect (TNC)
  -----------------------------

  - The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS
    session with a strongSwan policy enforcement point which uses the
    tnc-pdp charon plugin.

  - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
    for either full SWID Tag or concise SWID Tag ID inventories.

* New EAP-RADIUS Features
  -----------------------

  - The XAuth backend in the eap-radius plugin now supports multiple
    XAuth exchanges for different credential types and display messages.
    All user input gets concatenated and verified with a single
    User-Password RADIUS attribute on the AAA. With an AAA supporting
    it, one can, for example, implement Password+Token authentication
    with proper dialogs on iOS and OS X clients.

  - The eap-radius plugin supports forwarding of several Cisco Unity
    specific RADIUS attributes in corresponding configuration payloads.

* IKEv1 Mode Config Push Mode
  ---------------------------

  - charon supports IKEv1 Mode Config exchange in push mode. The
    ipsec.conf modeconfig=push option enables it for both client
    and server, the same way as pluto used it.

* IPsec Authentication Header (AH) Support
  ----------------------------------------

  - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
    connections, charon can negotiate and install Security Associations
    integrity-protected by the Authentication Header protocol.

    http://www.strongswan.org/uml/testresults5rc/ikev1/host2host-ah/
    http://www.strongswan.org/uml/testresults5rc/ikev1/net2net-ah/
    http://www.strongswan.org/uml/testresults5rc/ikev2/host2host-ah
    http://www.strongswan.org/uml/testresults5rc/ikev2/net2net-ah/

    Only plain AH(+IPComp) SAs are supported, not the deprecated
    RFC 2401 style ESP+AH bundles.

* Multiple Address Ranges in left and right Options
  -------------------------------------------------

  - The left and right options in ipsec.conf can take multiple address
    ranges and subnets. This allows connection matching against a
    larger set of addresses, for example to use a different connection
    for clients connecting from an internal network.

* Support for Brainpool Elliptic Curve DH Groups
  ----------------------------------------------

  - For all those who have a queasy feeling about the NIST elliptic
    curve set, the Brainpool curves introduced for use with IKE by
    RFC 6932 might be a more trustworthy alternative.

    http://www.strongswan.org/uml/testresults5rc/openssl-ikev2/alg-ecp-brainpool-high/
    http://www.strongswan.org/uml/testresults5rc/openssl-ikev2/alg-ecp-brainpool-low/

* Correct Generation of IVs for AES-GCM Mode
  ------------------------------------------

  - The generation of initialization vectors for IKE and ESP (when
    using libipsec) is now modularized and IVs for e.g. AES-GCM are
    now correctly allocated sequentially, while other algorithms like
    AES-CBC still use random IVs.

* New Features supported by libipsec
  ----------------------------------

  - The kernel-libipsec userland IPsec backend now supports usage
    statistics, volume based rekeying and accepts ESPv3 style TFC
    padded packets.

  - With two new strongswan.conf options fwmarks can be used to
    implement host-to-host tunnels with kernel-libipsec.

    http://www.strongswan.org/uml/testresults5rc/libipsec/host2host-cert/

* CERT Resource Records protected by DNSSEC
  -----------------------------------------

  - The new dnscert plugin provides support for authentication via
    CERT RRs that are protected via DNSSEC.  The plugin was created by
    Ruslan N. Marchenko.

    http://www.strongswan.org/uml/testresults5rc/ikev2/net2net-dnscert/

* Miscellaneous
  -------------

  - Database transactions are now abstracted and implemented by the two
    backends. If you use MySQL make sure all tables use the InnoDB
    engine.

  - load-tester supports transport mode connections and more complex
    traffic selectors, including such using unique ports for each
    tunnel.

  - libstrongswan can now provide an experimental custom implementation
    of the printf family functions based on klibc if neither Vstr nor
    glibc style printf hooks are available. This can avoid the Vstr
    dependency on some systems at the cost of slower and less complete
    printf functions.

Please test the release candidate and give feedback if you are
running into any problems. ETA for the stable 5.1.1 release is
November 1, 2013.

Cheers

Andreas Steffen, Tobias Brunner & Martin Willi

The strongSwan Team

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
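The following ipsec.conf sketch is an added example and not part of the announcement above or of the strongSwan sources; it only illustrates how three of the 5.1.1 features described there ("ah", multiple address ranges in "right", and "modeconfig=push") look in a configuration. Host names, addresses, identities, certificate file names and the address pools are assumed placeholders, and the AH-only conn is modelled on the host2host-ah test scenario linked above. Keep in mind that AH gives integrity and origin authentication only: traffic on the host2host-ah conn is not encrypted.

```ini
# Added example, not from the strongSwan project. All names, addresses
# and pools below are assumptions chosen for illustration.

config setup

conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048!
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        auto=add

# AH-only host-to-host SA: set "ah" and leave "esp" unset so that only
# an AH proposal is negotiated (no confidentiality, integrity only).
conn host2host-ah
        type=transport
        left=192.168.0.1
        right=192.168.0.2
        rightid=@sun.strongswan.org
        ah=sha256

# Two IKEv1 XAuth road-warrior conns that differ only in the set of
# peer addresses they match. The first takes several subnets and a
# range in one "right" value (new in 5.1.1); clients that do not fall
# into these addresses match the %any conn below instead. Both push
# the virtual IP to the client (Mode Config push mode, as pluto did).
conn rw-internal
        keyexchange=ikev1
        leftauth=pubkey
        rightauth=pubkey
        rightauth2=xauth
        right=10.10.0.0/16,10.20.0.0/16,172.16.5.10-172.16.5.99
        rightsourceip=10.3.0.0/24
        modeconfig=push

conn rw-external
        keyexchange=ikev1
        leftauth=pubkey
        rightauth=pubkey
        rightauth2=xauth
        right=%any
        rightsourceip=10.4.0.0/24
        modeconfig=push
```

After `ipsec update` (or `ipsec reload`), `ipsec statusall` lists the loaded conns; a peer from 10.10.0.0/16 should be assigned an address from the 10.3.0.0/24 pool, while one from elsewhere gets one from 10.4.0.0/24. If the AH negotiation fails, the first thing to check is that the peer really sends an AH proposal rather than an ESP+AH bundle, which 5.1.1 does not accept.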
