and hmac functions during pluto startup. Failure of a self-test
currently issues a warning only but does not exit pluto [yet].
+- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
+
- Full support of CA information sections. ipsec listcainfos
now shows all collected crlDistributionPoints and OCSP
accessLocations.
+- Refactored core of the IKEv2 message processing code, allowing better
+ code reuse and separation.
+
+- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
+ payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
+ by the requestor and installed in a resolv.conf file.
+
+- The IKEv2 daemon charon installs a route for each IPsec policy to use
+ the correct source address even if an application does not explicitly
+ specify it.
+
+- Integrated the EAP framework into charon which loads pluggable EAP library
+ modules. The ipsec.conf parameter authby=eap initiates EAP authentication
+ on the client side, while the "eap" parameter on the server side defines
+ the EAP method to use for client authentication.
+ A generic client side EAP-Identity module and an EAP-SIM authentication
+ module using a third party card reader implementation are included.
+
+- Added client side support for cookies.
+
+- Integrated the fixes done at the IKEv2 interoperability bakeoff, including
+ strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
+ fixes to enhance interoperability with other implementations.
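Review bot: the virtual IP entry ("the INTERNAL_IP4/6_DNS attribute is interpreted by the requestor and installed in a resolv.conf file") should say which resolv.conf file is written, whether any existing entries are preserved, and whether the previous contents are restored when the CHILD_SA or IKE_SA goes down; as written, a reader cannot tell if the daemon silently replaces the system resolver configuration. The "Added client side support for cookies" line would also benefit from a half sentence saying what cookies are for (the initiator echoes a COOKIE notify so that a responder under load can avoid state creation for unverified peers), since the TODO in this same change still lists "Cookie support on server" as open and the two statements are otherwise hard to reconcile.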
strongswan-4.0.7
----------------
! exchanges
! - merge of EAP authentication code / plugin loader
! - merge of the virtual IP support currently in the pipeline
- ! - merge of the experimental "mediated double-NAT" support
- ! - write an IETF draft for this feature
!
Mar ! - interface in charon for the new SMP management interface
! - full certificate support
! - Cookie support, other fixes to mature against DoS
+ ! - merge of the experimental "mediated double-NAT" support
+ ! - write an IETF draft for this feature
!
Apr ! - start porting efforts of IKEv1 into charon
! - support of IKEv1 messages and payloads in charon
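Review bot: the two "mediated double-NAT" items are moved from the February block to the March block without any note on why the schedule slipped; since the NEWS portion of this change already lists cookie support and the EAP/virtual IP merges as done, the remaining February lines ("merge of EAP authentication code / plugin loader", "merge of the virtual IP support currently in the pipeline") look stale and should be marked done or removed in the same commit to keep the roadmap consistent with NEWS.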
Denail of service
-----------------
-- Cookie support
+- Cookie support on server
- thread exhaustion (multiple messages to a single IKE_SA)
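Review bot: the change to "- Cookie support on server" correctly narrows the open item now that client-side cookie support is listed in NEWS, but the heading of this section is misspelled ("Denail of service" should be "Denial of service"); since the hunk touches the section anyway, fix the heading here rather than in a follow-up.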
Certificate support
-------------------
- New trustchain mechanism?
-- proper CERTREQ support
- proper handling of multiple certificate payloads (import order)
- synchronized CRL fetcher
-- OCSP support
- Smartcard interface
- Attribute certificates
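Review bot: removing "proper CERTREQ support" and "OCSP support" from the TODO implies both are implemented, but the NEWS text in this same change only states that ipsec listcainfos now shows crlDistributionPoints and OCSP accessLocations, which is display of collected CA information, not OCSP status checking or CERTREQ handling in charon. Either add NEWS lines describing the implemented CERTREQ and OCSP behaviour (and what happens when the OCSP responder is unreachable), or keep the two items open.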
----------------
- add a Rekey-Counter for SAs in "statusall"
- ipsec statusall bytecount
-- detach console after first keyingtry
- proper handling of CTRL+C console detach (SIG_PIPE)
Misc
----
- retry transaction on failure while keyingtries > 1
+- PFS support for creating/rekeying CHILD_SAs
+- Address pool/backend for virtual IP assignement
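Review bot: typo in the added line "+- Address pool/backend for virtual IP assignement" ("assignment"). It is also worth noting next to the PFS item that the current CHILD_SA rekeying without a fresh DH exchange is what this line is about, so that the entry is not misread as PFS being absent from IKE_SA setup, where the DH exchange is mandatory.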
if negotiation is never to be attempted or accepted (useful for shunt-only conns).
Digital signatures are superior in every way to shared secrets. In IKEv2, the
two ends must not agree on this parameter, it is relevant for the own
-authentication method only.
+authentication method only. IKEv2 additionally supports the value
+.B eap,
+which indicates an initiator to request EAP authentication. The EAP method to
+use is selected by the server (see
+.B eap).
.TP
.B compress
whether IPComp compression of content is proposed on the connection
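Review bot: the added text "The EAP method to use is selected by the server (see .B eap)." cross-references an eap keyword that is not defined anywhere in this man page diff; NEWS in this change describes it as the server-side parameter that selects the EAP method, so add the matching .TP entry for eap (with the accepted values) in the same commit, otherwise the reference dangles. Also, the context sentence "the two ends must not agree on this parameter" reads as a prohibition; the intended meaning appears to be "need not agree", which the added paragraph could restate more clearly since it is being extended anyway.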
it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
.TP
.B leftsourceip
-Not supported in IKEv2 yet.
+The internal source IP to use in a tunnel, also known as virtual IP. If the
+value is
+.B %modeconfig
+or
+.B %config,
+an address is requested from the peer.
.TP
.B leftsubnetwithin
Not relevant for IKEv2, as subnets are narrowed.
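Review bot: the new leftsourceip description only covers the %modeconfig/%config case ("an address is requested from the peer"); it should also state what a literal address value does in IKEv2 (whether it is proposed to the peer or just used as the local tunnel source), that the assigned address is installed locally, and, given the NEWS entry that charon installs a route per IPsec policy to force the correct source address, that this route is tied to the policy lifetime. The DNS side effect from NEWS (INTERNAL_IP4/6_DNS written to resolv.conf) is user-visible and belongs in this man page as well.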
<http://www.freeswan.org>
by Henry Spencer. Extended for the strongSwan project
<http://www.strongswan.org>
-by Andreas Steffen. Update to respect IKEv2 specific configuration
+by Andreas Steffen. Updated to respect IKEv2 specific configuration
by Martin Willi.
.SH BUGS
.PP
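Review bot: the grammatical fix "Update" to "Updated" in the author paragraph is correct and uncontroversial; no further changes needed for this hunk.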