2010-05-31 18:22:37 +02:00

- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
  * IMPORTANT: the default keyexchange mode 'ike' is changing with
    release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
    year anniversary of the IKEv2 RFC 4306 and its mature successor
    RFC 5996. The time has definitively come for IKEv1 to go into
    retirement and to cede its place to the much more robust, powerful
    and versatile IKEv2 protocol!
  * Added new ctr, ccm and gcm plugins providing Counter, Counter
    with CBC-MAC and Galois/Counter Modes based on existing CBC
    implementations. These new plugins bring support for AES and
    Camellia Counter and CCM algorithms and the AES GCM algorithms
    for use in IKEv2.
  * The new pkcs11 plugin brings full Smartcard support to the IKEv2
    daemon and the pki utility using one or more PKCS#11 libraries. It
    currently supports RSA private and public key operations and loads
    X.509 certificates from tokens.
  * Implemented a general purpose TLS stack based on crypto and
    credential primitives of libstrongswan. libtls supports TLS
    versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
    exchange algorithms and RSA/ECDSA based client authentication.
  * Based on libtls, the eap-tls plugin brings certificate based EAP
    authentication for client and server. It is compatible to Windows
    7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
    EAP-TLS backend.
  * Implemented the TNCCS 1.1 Trusted Network Connect protocol using
    the libtnc library on the strongSwan client and server side via
    the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
    FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
    strongSwan clients are granted access to a network behind a
    strongSwan gateway (allow), are put into a remediation zone (isolate)
    or are blocked (none), respectively.
    Any number of Integrity Measurement Collector/Verifier pairs can be
    attached via the tnc-imc and tnc-imv charon plugins.
  * The IKEv1 daemon pluto now uses the same kernel interfaces as the
    IKEv2 daemon charon. As a result of this, pluto now supports xfrm
    marks which were introduced in charon with 4.4.1.
  * The RADIUS plugin eap-radius now supports multiple RADIUS servers
    for redundant setups. Servers are selected by a defined priority,
    server load and availability.
  * The simple led plugin controls hardware LEDs through the Linux LED
    subsystem. It currently shows activity of the IKE daemon and is a
    good example how to implement a simple event listener.
  * Improved MOBIKE behavior in several corner cases, for instance,
    if the initial responder moves to a different address.
  * Fixed left-/rightnexthop option, which was broken since 4.4.0.
  * Fixed a bug not releasing a virtual IP address to a pool if the
    XAUTH identity was different from the IKE identity.
  * Fixed the alignment of ModeConfig messages on 4-byte boundaries
    in the case where the attributes are not a multiple of 4 bytes
    (e.g. Cisco's UNITY_BANNER).
  * Fixed the interoperability of the socket_raw and socket_default
    charon plugins.
  * Added man page for strongswan.conf
- Adopted spec file, removed obsolete error range patch.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=20
2010-11-16 13:10:30 +01:00

Dear Customer,

please note that the strongswan release 4.5 changes the default keyexchange
mode to IKEv2 -- from strongswan-4.5.0/NEWS:

"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adapting either the "conn %default" section or every IKEv1
"conn" section in /etc/ipsec.conf to set explicitly:

	keyexchange=ikev1

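As an added example (not part of the openSUSE package or of strongSwan itself), the following Python script audits an ipsec.conf for "conn" sections that would silently switch from IKEv1 to IKEv2 after this change, flags the ones that carry IKEv1-only options (aggressive, xauth, authby=xauth*) and therefore cannot work under IKEv2, and applies the fix recommended above by pinning keyexchange=ikev1 in "conn %default". The sample configuration embedded in it is constructed; the parser covers only the conn/config/ca section syntax needed for this check.

```python
"""Audit ipsec.conf for conn sections hit by the strongSwan 4.5 change of the
default keyexchange mode.  Added example, not code from strongSwan or the
openSUSE package.  SAMPLE_CONF below is constructed for the demonstration."""
import re

# keyexchange=ike (and a missing option) meant IKEv1 before 4.5, IKEv2 since.
NEW_DEFAULT = "ikev2"
# Options that exist only for IKEv1; a conn using them breaks under IKEv2.
IKEV1_ONLY_OPTIONS = ("aggressive", "xauth", "xauth_identity")

SAMPLE_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    ikelifetime=60m
    keylife=20m

conn roadwarrior-xauth
    left=%defaultroute
    right=%any
    authby=xauthpsk
    auto=add

conn site-to-site
    left=192.0.2.1
    right=198.51.100.1
    keyexchange=ikev2
    auto=start

conn legacy-peer
    left=192.0.2.1
    right=203.0.113.7
    keyexchange=ikev1
    auto=start

conn unpinned
    left=192.0.2.1
    right=203.0.113.8   # relies on the compiled-in default
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {option: value}}.  A 'conn NAME' line at column 0
    opens a section; indented option=value lines belong to it.  'config' and
    'ca' headers are recognised only so their options are not misattributed."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if header:
            kind, name = header.groups()
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and line[0] in " \t" and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(text):
    """Per conn: the mode strongSwan >= 4.5 will use, whether it is pinned
    explicitly (in the conn or in %default), and any IKEv1-only options."""
    conns = parse_conns(text)
    default = conns.get("%default", {})
    report = {}
    for name, conn in conns.items():
        if name == "%default":
            continue
        value = conn.get("keyexchange", default.get("keyexchange", "ike"))
        hints = [opt for opt in IKEV1_ONLY_OPTIONS if opt in conn]
        if conn.get("authby", "").startswith("xauth"):
            hints.append("authby=" + conn["authby"])
        report[name] = {"keyexchange": NEW_DEFAULT if value == "ike" else value,
                        "pinned": value != "ike", "ikev1_hints": hints}
    return report

def flipping_conns(text):
    """Names of conns whose protocol changes just by upgrading to 4.5."""
    return [n for n, r in audit(text).items() if not r["pinned"]]

def pin_ikev1_in_default(text):
    """The README's fix: add keyexchange=ikev1 to 'conn %default', creating the
    section if absent.  Unchanged if %default already pins a mode, because
    that is a deliberate choice this script must not override."""
    if parse_conns(text).get("%default", {}).get("keyexchange", "ike") != "ike":
        return text
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^conn\s+%default$", line.rstrip()):
            lines.insert(i + 1, "    keyexchange=ikev1")
            return "\n".join(lines) + "\n"
    return "conn %default\n    keyexchange=ikev1\n\n" + text

if __name__ == "__main__":
    for name, r in audit(SAMPLE_CONF).items():
        print(f"{name:18} -> {r['keyexchange']:5} pinned={r['pinned']!s:5} {r['ikev1_hints']}")
    print("flip to IKEv2 on upgrade:", flipping_conns(SAMPLE_CONF))
    print("after pinning %default  :", flipping_conns(pin_ikev1_in_default(SAMPLE_CONF)))
```

Run it against a copy of the real /etc/ipsec.conf (read the file into the text argument) before upgrading; a conn that sets keyexchange=ike explicitly still flips, since that value itself changed meaning, so the audit treats it as unpinned.
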
The charon daemon in strongswan 5.x supports both IKEv1 and IKEv2, so a
separate pluto IKEv1 daemon is no longer needed and no longer shipped.

The strongswan package does not provide any files except for this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and is created by "systemctl enable strongswan.service".

There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work with
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only.

The strongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.

When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed before any start
action of the "ipsec" script provided by the "strongswan-ipsec" package,
and a verification problem causes a failure as required by FIPS 140-2.
Further, it is not required to enable fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel enablement turns it
on automatically as needed.

The "ipsec _fipscheck" command executes the fips checks manually, without
first checking whether fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.
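
The two paragraphs above describe a start-time integrity gate: a stored HMAC per binary, enforcement tied to the kernel's fips_enabled switch, and a manual mode that verifies regardless of that switch. The Python below emulates that gate as an added example; it is not the strongswan-hmac package's _fipscheck script. The HMAC key, the ".hmac" sidecar layout and the use of SHA-256 are assumptions made for illustration (the real tooling has its own fixed key and file layout), and the "binaries" it checks are constructed stand-ins written to a temporary directory.

```python
"""Emulate the FIPS integrity gate described in the README: an HMAC over each
binary is compared to a stored .hmac file, a mismatch blocks the start, and
verification is tied to the kernel's fips_enabled switch unless forced.
Added example, not the strongswan-hmac _fipscheck script.  Key, sidecar
layout and hash choice are assumptions for illustration."""
import hashlib, hmac, os, tempfile

HMAC_KEY = b"example-key-not-the-real-fipscheck-key"   # assumption

def hmac_of_file(path, key=HMAC_KEY):
    """HMAC-SHA256 over the whole file, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def write_hmac_file(path):
    """Packaging-time step: store the reference HMAC next to the binary."""
    with open(path + ".hmac", "w") as f:
        f.write(hmac_of_file(path) + "\n")

def verify_file(path):
    """True only if a .hmac exists and matches.  A missing reference counts as
    a failure; otherwise deleting the sidecar would silently disable the check."""
    try:
        with open(path + ".hmac") as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(stored, hmac_of_file(path))

def fips_enabled(proc_path="/proc/sys/crypto/fips_enabled"):
    """Kernel FIPS switch, set by the fips=1 boot parameter."""
    try:
        with open(proc_path) as f:
            return f.read().strip() == "1"
    except FileNotFoundError:
        return False

def start_gate(binaries, proc_path="/proc/sys/crypto/fips_enabled", force=False):
    """Decision taken before a start action: (allowed, failed_paths).
    Verification runs when the kernel is in FIPS mode, or when forced (the
    manual 'ipsec _fipscheck' case); otherwise the start proceeds unchecked."""
    if not (force or fips_enabled(proc_path)):
        return True, []
    failed = [b for b in binaries if not verify_file(b)]
    return (not failed), failed

def demo():
    """Constructed scenario: two stand-in binaries in a temp dir, both given a
    reference HMAC, one then tampered.  Returns the gate's decisions for FIPS
    off, FIPS on, and the forced manual check with FIPS off."""
    d = tempfile.mkdtemp()
    intact, tampered = os.path.join(d, "charon"), os.path.join(d, "starter")
    for p in (intact, tampered):
        with open(p, "wb") as f:
            f.write(b"\x7fELF constructed stand-in, not a real binary\n")
        write_hmac_file(p)
    with open(tampered, "ab") as f:
        f.write(b"injected\n")
    switches = {}
    for name, value in (("off", "0\n"), ("on", "1\n")):
        switches[name] = os.path.join(d, "fips_enabled_" + name)
        with open(switches[name], "w") as f:
            f.write(value)
    return {"fips_off": start_gate([intact, tampered], switches["off"]),
            "fips_on": start_gate([intact, tampered], switches["on"]),
            "manual": start_gate([intact, tampered], switches["off"], force=True)}

if __name__ == "__main__":
    for case, (allowed, failed) in demo().items():
        print(f"{case:8} allowed={allowed!s:5} failed={[os.path.basename(p) for p in failed]}")
```

The point of the three cases is the one the README makes: with fips_enabled at 0 the tampered file is not even looked at and the start is allowed, with fips_enabled at 1 the same tampering blocks the start, and the forced path is what a manual test run uses to exercise the check on a non-FIPS system.
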

Have a lot of fun...