The strongSwan 5.0.1 release refines the 5.0 branch and comes with a bunch of new features.
Support for multiple virtual IP addresses
The leftsourceip option now accepts a comma separated combination of %config4, %config6 or fixed IP addresses to request from the responder. Likewise the rightsourceip option accepts multiple explicitly specified or referenced named address pools. The new ip-two-pools-v4v6 test scenario illustrates the use of these options.
Extended Platform Trust Services Attestation
An extended PTS Attestation IMC/IMV pair provides full evidence of the Linux Integrity Measurement Architecture (IMA) measurement process. All pertinent file information of a Linux OS can be collected and stored in an SQL database. More information can be found in the conference paper Andreas presented at the recent Linux Security Summit held in San Diego.
Support for parts of the IKEv1 Cisco Unity Extensions
The new unity plugin brings support for parts of the IKEv1 Cisco Unity Extensions. As client, charon will narrow traffic selectors to received Split-Include attributes and automatically install IPsec bypass policies for received Local-LAN attributes. As server, charon sends Split-Include attributes for leftsubnet definitions containing multiple subnets to Unity-aware clients. The use of this plugin is illustrated in the new rw-cert-unity test scenario.
Support for client selected EAP method
Thanks to support for the EAP-Nak payload, charon, as a client, is now able to select a specific EAP method configured with leftauth from the server. Servers can use the eap-dynamic plugin to dynamically select an EAP method supported/requested by clients. An example for this is provided in the new rw-eap-dynamic test scenario.
Changes in PAM support
The new xauth-pam plugin can authenticate IKEv1 XAuth and Hybrid authenticated clients against any PAM service. The IKEv2 eap-gtc plugin does not use PAM directly anymore, but instead can use any XAuth backend to verify credentials including xauth-pam.
Configurable network interfaces
With the strongswan.conf options charon.interfaces_ignore and charon.interfaces_use the network interfaces used by the daemon can be configured. Events generated for ignored interfaces (for routing, address change etc.) are ignored and packets received on them are dropped. The charon.install_virtual_ip_on option allows specifying on which network interface virtual IP addresses will be installed.
Other notable changes
- All strongSwan Integrity Measurement Verifiers support sending the standard IETF Assessment Result PA-TNC attribute. The PA-TNC and PB-TNC protocols are now also able to process huge data payloads (> 64 kB) by distributing PA-TNC attributes over multiple PA-TNC messages and these messages over several PB-TNC batches.
- The rightgroups2 option can require group membership during a second authentication round, for example during XAuth authentication against a RADIUS server.
- Connection specific DNS servers can be requested/assigned with the left|rightdns options.
- Multiple connections can share a single explicitly defined address pool when they use the same definition in one of the rightsourceip pools.
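As an added illustration, not a configuration taken from the strongSwan project or its test scenarios, the fragments below combine several of the options described above: %config4,%config6 on the client, two explicitly defined rightsourceip pools shared by two connections on the responder, the left|rightdns options, and the charon.interfaces_use / charon.install_virtual_ip_on settings. All addresses, identities, certificate file names, interface names and connection names are constructed.

```conf
# --- responder: /etc/ipsec.conf (constructed example) ---
conn rw-cert
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@gw.example.org
    # two subnets behind the gateway, IPv4 and IPv6
    leftsubnet=10.1.0.0/16,2001:db8:1::/64
    # one IPv4 and one IPv6 virtual address per client, from two explicit pools
    rightsourceip=10.3.0.0/28,2001:db8:3::/120
    # DNS servers handed out together with the virtual IPs
    rightdns=10.1.0.1,2001:db8:1::1
    rightauth=pubkey
    auto=add

conn rw-eap
    also=rw-cert
    rightauth=eap-mschapv2
    # identical definition, so this conn shares the pools of rw-cert
    rightsourceip=10.3.0.0/28,2001:db8:3::/120
    auto=add

# --- responder: /etc/strongswan.conf (constructed example) ---
charon {
    # only the external interface is used; events for other interfaces
    # are ignored and packets received on them are dropped
    interfaces_use = eth0
}

# --- client: /etc/ipsec.conf (constructed example) ---
conn home
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientCert.pem
    leftid=@client.example.org
    # request one IPv4 and one IPv6 virtual address from the responder
    leftsourceip=%config4,%config6
    # request DNS servers from the responder
    leftdns=%config4,%config6
    right=gw.example.org
    rightid=@gw.example.org
    rightsubnet=10.1.0.0/16,2001:db8:1::/64
    auto=start

# --- client: /etc/strongswan.conf (constructed example) ---
charon {
    # install received virtual IPs on a dedicated interface
    install_virtual_ip_on = eth0
}
```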