+strongswan-5.7.0
+----------------
+
+- The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
+ the syntax --san xmppaddr:<jid>.
+
+- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA)
+ for PA-TNC"
+
+- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA
+ protocols on Google's OSS-Fuzz infrastructure.
+
+
+strongswan-5.6.3
+----------------
+
+- Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is
+ used in FIPS mode and HMAC-MD5 is negotiated as PRF.
+ This vulnerability has been registered as CVE-2018-10811.
+
+- Fixed a vulnerability in the stroke plugin, which did not check the received
+ length before reading a message from the socket. Unless a group is configured,
+ root privileges are required to access that socket, so in the default
+ configuration this shouldn't be an issue.
+ This vulnerability has been registered as CVE-2018-5388.
+
+⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
+ where expired certificates are removed from CRLs and the clock on the host
+ doing the revocation check is trailing behind that of the host issuing CRLs.
+
+- The issuer of fetched CRLs is now compared to the issuer of the checked
+ certificate.
+
+- CRL validation results other than revocation (e.g. a skipped check because
+ the CRL couldn't be fetched) are now stored also for intermediate CA
+ certificates and not only for end-entity certificates, so a strict CRL policy
+ can be enforced in such cases.
+
+- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
+ now either not contain a keyUsage extension (like the ones generated by pki)
+ or have at least one of the digitalSignature or nonRepudiation bits set.
+
+- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
+ This might be useful in situations where it's known the other end is not
+ reachable anymore, or that it already removed the IKE_SA, so retransmitting a
+ DELETE and waiting for a response would be pointless. Waiting only a certain
+ amount of time for a response before destroying the IKE_SA is also possible
+ by additionally specifying a timeout.
+
+- When removing routes, the kernel-netlink plugin now checks if it tracks other
+ routes for the same destination and replaces the installed route instead of
+ just removing it. Same during installation, where existing routes previously
+ weren't replaced. This should allow using traps with virtual IPs on Linux.
+
+- The dhcp plugin only sends the client identifier option if identity_lease is
+ enabled. It can also send identities of up to 255 bytes length, instead of
+ the previous 64 bytes. If a server address is configured, DHCP requests are
+ now sent from port 67 instead of 68 to avoid ICMP port unreachables.
+
+- Roam events are now completely ignored for IKEv1 SAs.
+
+- ChaCha20/Poly1305 is now correctly proposed without key length. For
+ compatibility with older releases the chacha20poly1305compat keyword may be
+ included in proposals to also propose the algorithm with a key length.
+
+- Configuration of hardware offload of IPsec SAs is now more flexible and allows
+ a new mode, which automatically uses it if the kernel and device support it.
+
+- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
+
+- The pki --verify tool may load CA certificates and CRLs from directories.
+
+- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
+
+
+strongswan-5.6.2
+----------------
+
+- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
+ was caused by insufficient input validation. One of the configurable
+ parameters in algorithm identifier structures for RSASSA-PSS signatures is the
+ mask generation function (MGF). Only MGF1 is currently specified for this
+ purpose. However, this in turn takes itself a parameter that specifies the
+ underlying hash function. strongSwan's parser did not correctly handle the
+ case of this parameter being absent, causing an undefined data read.
+ This vulnerability has been registered as CVE-2018-6459.
+
+- The previously negotiated DH group is reused when rekeying an SA, instead of
+ using the first group in the configured proposals, which avoids an additional
+ exchange if the peer selected a different group via INVALID_KE_PAYLOAD when
+ the SA was created initially.
+ The selected DH group is also moved to the front of all sent proposals that
+ contain it and all proposals that don't are moved to the back in order to
+ convey the preference for this group to the peer.
+
+- Handling of MOBIKE task queuing has been improved. In particular, the response
+ to an address update is not ignored anymore if only an address list update or
+ DPD is queued.
+
+- The fallback drop policies installed to avoid traffic leaks when replacing
+ addresses in installed policies are now replaced by temporary drop policies,
+ which also prevent acquires because we currently delete and reinstall IPsec
+ SAs to update their addresses.
+
+- Access X.509 certificates held in non-volatile storage of a TPM 2.0
+ referenced via the NV index.
+
+- Adding the --keyid parameter to pki --print allows to print private keys
+ or certificates stored in a smartcard or a TPM 2.0.
+
+- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP
+ proposals during IKE_AUTH and also if a DH group is configured in the local
+ ESP proposal and charon.prefer_configured_proposals is disabled.
+
+- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility
+ issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g.
+ AES-XCBC-PRF-128).
+
+- The tpm_extendpcr command line tool extends a digest into a TPM PCR.
+
+- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
+
+- The save-keys debugging/development plugin saves IKE and/or ESP keys to files
+ compatible with Wireshark.
+
+
+strongswan-5.6.1
+----------------
+
+- In compliance with RFCs 8221 and 8247 several algorithms were removed from the
+ default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from
+ ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in
+ custom proposals.
+
+- Added support for RSASSA-PSS signatures. For backwards compatibility they are
+ not used automatically by default, enable charon.rsa_pss to change that. To
+ explicitly use or require such signatures with IKEv2 signature authentication
+ (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss...
+ authentication constraints.
+
+- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the
+ `--rsa-padding pss` option.
+
+- The sec-updater tool checks for security updates in dpkg-based repositories
+ (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database
+ accordingly. Additionally for each new package version a SWID tag for the
+ given OS and HW architecture is created and stored in the database.
+ Using the sec-updater.sh script template the lookup can be automated
+ (e.g. via an hourly cron job).
+
+- The introduction of file versions in the IMV database scheme broke file
+ reference hash measurements. This has been fixed by creating generic product
+ versions having an empty package name.
+
+- A new timeout option for the systime-fix plugin stops periodic system time
+ checks after a while and enforces a certificate verification, closing or
+ reauthenticating all SAs with invalid certificates.
+
+- The IKE event counters, previously only available via ipsec listcounters, may
+ now be queried/reset via vici and the new swanctl --counters command. They are
+ provided by the new optional counters plugin.
+
+- Class attributes received in RADIUS Access-Accept messages may optionally be
+ added to RADIUS accounting messages.
+
+- Inbound marks may optionally be installed on the SA again (was removed with
+ 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
+
+
+strongswan-5.6.0
+----------------
+
+- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
+ input validation when verifying RSA signatures, which requires decryption
+ with the operation m^e mod n, where m is the signature, and e and n are the
+ exponent and modulus of the public key. The value m is an integer between
+ 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the
+ calculation results in 0, in which case mpz_export() returns NULL. This
+ result wasn't handled properly causing a null-pointer dereference.
+ This vulnerability has been registered as CVE-2017-11185.
+
+- New SWIMA IMC/IMV pair implements the "draft-ietf-sacm-nea-swima-patnc"
+ Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon.
+
+- The IMV database template has been adapted to achieve full compliance
+ with the ISO 19770-2:2015 SWID tag standard.
+
+- The sw-collector tool extracts software events from apt history logs
+ and stores them in an SQLite database to be used by the SWIMA IMC.
+ The tool can also generate SWID tags both for installed and removed
+ package versions.
+
+- The pt-tls-client can attach and use TPM 2.0 protected private keys
+ via the --keyid parameter.
+
+- libtpmtss supports Intel's TSS2 Architecture Broker and Resource
+ Manager interface (tcti-tabrmd).
+
+- The new eap-aka-3gpp plugin implements the 3GPP MILENAGE algorithms
+ in software. K (optionally concatenated with OPc) may be configured as
+ binary EAP secret.
+
+- CHILD_SA rekeying was fixed in charon-tkm and was slightly changed: The
+ switch to the new outbound IPsec SA now happens via SPI on the outbound
+ policy on Linux, and in case of lost rekey collisions no outbound SA/policy
+ is temporarily installed for the redundant CHILD_SA.
+
+- The new %unique-dir value for mark* settings allocates separate unique marks
+ for each CHILD_SA direction (in/out).
+
+
+strongswan-5.5.3
+----------------
+
+- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
+ input validation when verifying RSA signatures. More specifically,
+ mpz_powm_sec() has two requirements regarding the passed exponent and modulus
+ that the plugin did not enforce, if these are not met the calculation will
+ result in a floating point exception that crashes the whole process.
+ This vulnerability has been registered as CVE-2017-9022.
+
+- Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1
+ parser didn't handle ASN.1 CHOICE types properly, which could result in an
+ infinite loop when parsing X.509 extensions that use such types.
+ This vulnerability has been registered as CVE-2017-9023.
+
+- The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
+ traffic loss. The responder now only installs the new inbound SA and delays
+ installing the outbound SA until it receives the DELETE for the replaced
+ CHILD_SA. Similarly, the inbound SA of the replaced CHILD_SA is not removed
+ for a configurable amount of seconds (charon.delete_rekeyed_delay) after the
+ DELETE has been processed to reduce the chance of dropping delayed packets.
+
+- The code base has been ported to Apple's ARM64 iOS platform, whose calling
+ conventions for variadic and regular functions are different. This means
+ assigning non-variadic functions to variadic function pointers does not work.
+ To avoid this issue the enumerator_t interface has been changed and the
+ signatures of the callback functions for enumerator_create_filter(), and the
+ invoke_function() and find_first() methods on linked_list_t have been changed.
+ The return type of find_first() also changed from status_t to bool.
+
+- Added support for fuzzing the certificate parser provided by the default
+ plugins (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure. Several
+ issues found while fuzzing these plugins were fixed.
+
+- Two new options have been added to charon's retransmission settings:
+ retransmit_limit and retransmit_jitter. The former adds an upper limit to the
+ calculated retransmission timeout, the latter randomly reduces it.
+
+- A bug in swanctl's --load-creds command was fixed that caused unencrypted
+ private keys to get unloaded if the command was called multiple times. The
+ load-key VICI command now returns the key ID of the loaded key on success.
+
+- The credential manager now enumerates local credential sets before global
+ ones. This means certificates supplied by the peer will now be preferred over
+ certificates with the same identity that may be locally stored (e.g. in the
+ certificate cache).
+
+- Added support for hardware offload of IPsec SAs as introduced by Linux 4.11
+ for hardware that supports this.
+
+- When building the libraries monolithically and statically the plugin
+ constructors are now hard-coded in each library so the plugin code is not
+ removed by the linker because it thinks none of their symbols are ever
+ referenced.
+
+- The pki tool loads the curve25519 plugin by default.
+
+
+strongswan-5.5.2
+----------------
+
+- Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined
+ by RFC 8031.
+
+- Support of Ed25519 digital signature algorithm for IKEv2 as defined by
+ draft-ietf-ipsecme-eddsa. Ed25519-based public key pairs, X.509 certificates
+ and CRLs can be generated and printed by the pki tool.
+
+- The new "tpm" libtpmtss plugin allows to use persistent private RSA and ECDSA
+ keys bound to a TPM 2.0 for both IKE and TLS authentication. Using the
+ TPM 2.0 object handle as keyid parameter, the pki --pub tool can extract
+ the public key from the TPM thereby replacing the aikpub2 tool. In a similar
+ fashion pki --req can generate a PKCS#10 certificate request signed with
+ the TPM private key.
+
+- The pki tool gained support for generating certificates with the RFC 3779
+ addrblock extension. The charon addrblock plugin now dynamically narrows
+ traffic selectors based on the certificate addrblocks instead of rejecting
+ non-matching selectors completely. This allows generic connections, where
+ the allowed selectors are defined by the used certificates only.
+
+- In-place update of cached base and delta CRLs does not leave dozens
+ of stale copies in cache memory.
+
+- Several new features for the VICI interface and the swanctl utility: Querying
+ specific pools, enumerating and unloading keys and shared secrets, loading
+ keys and certificates from PKCS#11 tokens, the ability to initiate, install
+ and uninstall connections and policies by their exact name (if multiple child
+ sections in different connections share the same name), a command to initiate
+ the rekeying of IKE and IPsec SAs, support for settings previously only
+ supported by the old config files (plain pubkeys, dscp, certificate policies,
+ IPv6 Transport Proxy Mode, NT Hash secrets, mediation extension).
+
+ Important: Due to issues with VICI bindings that map sub-sections to
+ dictionaries the CHILD_SA sections returned via list-sas now have a unique
+ name, the original name of a CHILD_SA is returned in the "name" key of its
+ section.
+
+
+strongswan-5.5.1
+----------------
+
+- The newhope plugin implements the post-quantum NewHope key exchange algorithm
+ proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
+ Peter Schwabe.
+
+- The libstrongswan crypto factory now offers the registration of Extended
+ Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
+ implemented by the sha3 plugin, ChaCHa20 implemented by the chapoly plugin
+ and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
+ SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
+
+- The pki tool, with help of the pkcs1 or openssl plugins, can parse private
+ keys in any of the supported formats without having to know the exact type.
+ So instead of having to specify rsa or ecdsa explicitly the keyword priv may
+ be used to indicate a private key of any type. Similarly, swanctl can load
+ any type of private key from the swanctl/private directory.
+
+- The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
+ sha3 and gmp plugins.
+
+- The VICI flush-certs command flushes certificates from the volatile
+ certificate cache. Optionally the type of the certificates to be
+ flushed (e.g. type = x509_crl) can be specified.
+
+- Setting cache_crls = yes in strongswan.conf the vici plugin saves regular,
+ base and delta CRLs to disk.
+
+- IKE fragmentation is now enabled by default with the default fragment size
+ set to 1280 bytes for both IP address families.
+
+- libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
+ tss2_tcti_finalize().
+
+
+strongswan-5.5.0
+----------------
+
+- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0
+ Trusted Platform Modules. This allows the Attestation IMC/IMV pair to
+ do TPM 2.0 based attestation.
+
+- The behavior during IKEv2 exchange collisions has been improved/fixed in
+ several corner cases and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND
+ notifies, as defined by RFC 7296, has been added.
+
+- IPsec policy priorities can be set manually (e.g. for high-priority drop
+ policies) and outbound policies may be restricted to a network interface.
+
+- The scheme for the automatically calculated default priorities has been
+ changed and now also considers port masks, which were added with 5.4.0.
+
+- FWD policies are now installed in both directions in regards to the traffic
+ selectors. Because such "outbound" FWD policies could conflict with "inbound"
+ FWD policies of other SAs they are installed with a lower priority and don't
+ have a reqid set, which allows kernel plugins to distinguish between the two
+ and prefer those with a reqid.
+
+- For outbound IPsec SAs no replay window is configured anymore.
+
+- Enhanced the functionality of the swanctl --list-conns command by listing
+ IKE_SA and CHILD_SA reauthentication and rekeying settings, and EAP/XAuth
+ identities and EAP types.
+
+- DNS servers installed by the resolve plugin are now refcounted, which should
+ fix its use with make-before-break reauthentication. Any output written to
+ stderr/stdout by resolvconf is now logged.
+
+- The methods in the kernel interfaces have been changed to take structs instead
+ of long lists of arguments. Similarly the constructors for peer_cfg_t and
+ child_cfg_t now take structs.
+
+
+strongswan-5.4.0
+----------------
+
+- Support for IKEv2 redirection (RFC 5685) has been added. Plugins may
+ implement the redirect_provider_t interface to decide if and when to redirect
+ connecting clients. It is also possible to redirect established IKE_SAs based
+ on different selectors via VICI/swanctl. Unless disabled in strongswan.conf
+ the charon daemon will follow redirect requests received from servers.
+
+- The ike: prefix enables the explicit configuration of signature scheme
+ constraints against IKEv2 authentication in rightauth, which allows the use
+ of different signature schemes for trustchain verification and authentication.
+
+- The initiator of an IKEv2 make-before-break reauthentication now suspends
+ online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
+ CHILD_SAs are established. This is required if the checks are done over the
+ CHILD_SA established with the new IKE_SA. This is not possible until the
+ initiator installs this SA and that only happens after the authentication is
+ completed successfully. So we suspend the checks during the reauthentication
+ and do them afterwards, if they fail the IKE_SA is closed. This change has no
+ effect on the behavior during the authentication of the initial IKE_SA.
+
+- For the vici plugin a Vici:Session Perl CPAN module has been added to allow
+ Perl applications to control and/or monitor the IKE daemon using the VICI
+ interface, similar to the existing Python egg or Ruby gem.
+
+- Traffic selectors with port ranges can now be configured in the Linux kernel:
+ e.g. remote_ts = 10.1.0.0/16[tcp/20-23] local_ts = dynamic[tcp/32768-65535].
+ The port range must map to a port mask, though since the kernel does not
+ support arbitrary ranges.
+
+- The vici plugin allows the configuration of IPv4 and IPv6 address ranges
+ in local and remote traffic selectors. Since both the Linux kernel and
+ iptables cannot handle arbitrary ranges, address ranges are mapped to the next
+ larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
+
+- Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
+ used as owners of shared secrets.
+
+
+strongswan-5.3.5
+----------------
+
+- Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
+ sigwait(3) calls with 5.3.4.
+
+- RADIUS retransmission timeouts are now configurable, courtesy of Thom Troy.
+
+
+strongswan-5.3.4
+----------------
+
+- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
+ was caused by insufficient verification of the internal state when handling
+ MSCHAPv2 Success messages received by the client.
+ This vulnerability has been registered as CVE-2015-8023.
+
+- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
+ Within the strongSwan framework SHA3 is currently used for BLISS signatures
+ only because the OIDs for other signature algorithms haven't been defined
+ yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
+
+
+strongswan-5.3.3
+----------------
+
+- Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
+ RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. The new chapoly
+ plugin implements the cipher, if possible SSE-accelerated on x86/x64
+ architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP
+ backend. On Linux 4.2 or newer the kernel-netlink plugin can configure the
+ cipher for ESP SAs.
+
+- The vici interface now supports the configuration of auxiliary certification
+ authority information as CRL and OCSP URIs.
+
+- In the bliss plugin the c_indices derivation using a SHA-512 based random
+ oracle has been fixed, generalized and standardized by employing the MGF1 mask
+ generation function with SHA-512. As a consequence BLISS signatures unsing the
+ improved oracle are not compatible with the earlier implementation.
+
+- Support for auto=route with right=%any for transport mode connections has
+ been added (the ikev2/trap-any scenario provides examples).
+
+- The starter daemon does not flush IPsec policies and SAs anymore when it is
+ stopped. Already existing duplicate policies are now overwritten by the IKE
+ daemon when it installs its policies.
+
+- Init limits (like charon.init_limit_half_open) can now optionally be enforced
+ when initiating SAs via VICI. For this, IKE_SAs initiated by the daemon are
+ now also counted as half-open SAs, which, as a side-effect, fixes the status
+ output while connecting (e.g. in ipsec status).
+
+- Symmetric configuration of EAP methods in left|rightauth is now possible when
+ mutual EAP-only authentication is used (previously, the client had to
+ configure rightauth=eap or rightauth=any, which prevented it from using this
+ same config as responder).
+
+- The initiator flag in the IKEv2 header is compared again (wasn't the case
+ since 5.0.0) and packets that have the flag set incorrectly are again ignored.
+
+- Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy
+ Device Health Assessment Trusted Network Connect Binding" (HCD-TNC)
+ document drafted by the IEEE Printer Working Group (PWG).
+
+- Fixed IF-M segmentation which failed in the presence of multiple small
+ attributes in front of a huge attribute to be segmented.
+
+
+strongswan-5.3.2
+----------------
+
+- Fixed a vulnerability that allowed rogue servers with a valid certificate
+ accepted by the client to trick it into disclosing its username and even
+ password (if the client accepts EAP-GTC). This was caused because constraints
+ against the responder's authentication were enforced too late.
+ This vulnerability has been registered as CVE-2015-4171.
+
+
+strongswan-5.3.1
+----------------
+
+- Fixed a denial-of-service and potential remote code execution vulnerability
+ triggered by IKEv1/IKEv2 messages that contain payloads for the respective
+ other IKE version. Such payload are treated specially since 5.2.2 but because
+ they were still identified by their original payload type they were used as
+ such in some places causing invalid function pointer dereferences.
+ The vulnerability has been registered as CVE-2015-3991.
+
+- The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
+ primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
+ instructions and works on both x86 and x64 architectures. It provides
+ superior crypto performance in userland without any external libraries.
+
+
+strongswan-5.3.0
+----------------
+
+- Added support for IKEv2 make-before-break reauthentication. By using a global
+ CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
+ This allows the use of make-before-break instead of the previously supported
+ break-before-make reauthentication, avoiding connectivity gaps during that
+ procedure. As the new mechanism may fail with peers not supporting it (such
+ as any previous strongSwan release) it must be explicitly enabled using
+ the charon.make_before_break strongswan.conf option.
+
+- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
+ This allows the use of stronger hash algorithms for public key authentication.
+ By default, signature schemes are chosen based on the strength of the
+ signature key, but specific hash algorithms may be configured in leftauth.
+
+- Key types and hash algorithms specified in rightauth are now also checked
+ against IKEv2 signature schemes. If such constraints are used for certificate
+ chain validation in existing configurations, in particular with peers that
+ don't support RFC 7427, it may be necessary to disable this feature with the
+ charon.signature_authentication_constraints setting, because the signature
+ scheme used in classic IKEv2 public key authentication may not be strong
+ enough.
+
+- The new connmark plugin allows a host to bind conntrack flows to a specific
+ CHILD_SA by applying and restoring the SA mark to conntrack entries. This
+ allows a peer to handle multiple transport mode connections coming over the
+ same NAT device for client-initiated flows. A common use case is to protect
+ L2TP/IPsec, as supported by some systems.
+
+- The forecast plugin can forward broadcast and multicast messages between
+ connected clients and a LAN. For CHILD_SA using unique marks, it sets up
+ the required Netfilter rules and uses a multicast/broadcast listener that
+ forwards such messages to all connected clients. This plugin is designed for
+ Windows 7 IKEv2 clients, which announces its services over the tunnel if the
+ negotiated IPsec policy allows it.
+
+- For the vici plugin a Python Egg has been added to allow Python applications
+ to control or monitor the IKE daemon using the VICI interface, similar to the
+ existing ruby gem. The Python library has been contributed by Björn Schuberg.
+
+- EAP server methods now can fulfill public key constraints, such as rightcert
+ or rightca. Additionally, public key and signature constraints can be
+ specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
+ EAP-TTLS methods provide verification details to constraints checking.
+
+- Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
+ variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
+ algorithms with SHA512 being the default.
+
+- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
+ as seen by the TNC server available to all IMVs. This information can be
+ forwarded to policy enforcement points (e.g. firewalls or routers).
+
+- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
+ in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
+ PT-TLS transport medium.
+
+