strongSwan 5.5.0 Released

We are proud to announce the release of strongSwan 5.5.0 which offers TPM 2.0 support, improved handling of IKEv2 exchange collisions, manual priorities for IPsec policies and several other new features and fixes.

Support for TPM 2.0

The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules. This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.

Improved Handling of IKEv2 Exchange Collisions

The behavior during IKEv2 exchange collisions has been improved or fixed in several corner cases and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies, as defined by RFC 7296, has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.

Changes Regarding IPsec Policies

IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound policies may be restricted to a network interface. These options are only configurable via swanctl.conf. An example is provided in the swanctl/manual-prio scenario.

The scheme for the automatically calculated default priorities has also been changed and now considers port masks, which were added with 5.4.0 (for details see d3af3b799f).
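As an added illustration of the two new child options (a constructed swanctl.conf fragment, not the swanctl/manual-prio scenario from the test suite): the drop child pins its policy priority so that no automatically prioritized policy, however narrow its selectors, can override it, while the tunnel child restricts its outbound policies to one interface. Addresses, certificate, peer identity and the interface name are assumptions.

```conf
# Constructed example. Assumed topology: 10.1.0.0/16 sits behind this
# gateway (192.0.2.2), 10.2.0.0/16 is reached through a tunnel to
# 192.0.2.1, and traffic to 10.2.99.0/24 must never leave the host,
# neither tunneled nor in the clear.
connections {
  gw-gw {
    local_addrs  = 192.0.2.2
    remote_addrs = 192.0.2.1
    local {
      auth = pubkey
      certs = gwCert.pem
    }
    remote {
      auth = pubkey
      id = "C=CH, O=strongSwan, CN=peer.strongswan.org"
    }
    children {
      # Regular tunnel child: no priority is set, so the kernel plugin
      # derives one from the traffic selectors (and, since 5.4.0, from
      # the port masks); narrower selectors get a higher priority.
      net-net {
        local_ts  = 10.1.0.0/16
        remote_ts = 10.2.0.0/16
        # Restrict the outbound policies to one interface (5.5.0+);
        # eth0 is an assumed interface name.
        interface = eth0
        start_action = trap
      }
      # Fail-closed drop policy for the sensitive subnet. mode = drop
      # installs a policy without any SA, and the fixed priority (lower
      # values win in the kernel's XFRM lookup) keeps it ahead of every
      # automatically calculated priority, so a later child with a more
      # specific selector cannot punch a hole through it.
      block-sensitive {
        local_ts  = 10.1.0.0/16
        remote_ts = 10.2.99.0/24
        mode = drop
        priority = 1
        start_action = trap
      }
    }
  }
}
```

After loading the configuration, the installed priorities can be compared with `ip xfrm policy`, where the drop policy should show `priority 1` and the tunnel policies their larger calculated values.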

FWD policies are now installed in both directions with regard to the traffic selectors (9c12635252). Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios), they are installed with a lower priority and without a reqid, which allows kernel plugins to distinguish between the two and prefer those with a reqid.

DNS Server Refcounting

DNS servers installed by the resolve plugin are now refcounted, which fixes its use with make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.

Other Notable Fixes

  • The swanctl --list-conns command now also lists IKE_SA and CHILD_SA reauthentication and rekeying settings as well as EAP/XAuth identities and EAP types.
  • No replay window is configured anymore for outbound IPsec SAs.
  • The interface used in routes installed with IPsec policies should now be determined more accurately.
  • When using unique marks (mark=%unique) the allocated mark is now correctly passed to the updown script.
  • INITIAL_CONTACT notifies are now also considered when IKEv2 clients are authenticated with EAP.
