Marius Tomaschewski
cf29eb7ccf
- The tnc-pdp plugin implements a RADIUS server interface allowing
a strongSwan TNC server to act as a Policy Decision Point.
- The eap-radius authentication backend enforces Session-Timeout
attributes using RFC4478 repeated authentication and acts upon
RADIUS Dynamic Authorization extensions, RFC 5176. Currently
supported are disconnect requests and CoA messages containing
a Session-Timeout.
- The eap-radius plugin can forward arbitrary RADIUS attributes
from and to clients using custom IKEv2 notify payloads. The new
radattr plugin reads attributes to include from files and prints
received attributes to the console.
- Added support for untruncated MD5 and SHA1 HMACs in ESP as used
in RFC 4595.
- The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128
algorithms as defined in RFC 4494 and RFC 4615, respectively.
- The resolve plugin automatically installs nameservers via
resolvconf(8), if it is installed, instead of modifying
/etc/resolv.conf directly.
- The IKEv2 charon daemon supports now raw RSA public keys in RFC
3110 DNSKEY and PKCS#1 file format.
- The farp plugin sends ARP responses for any tunneled address,
not only virtual IPs.
- Charon resolves hosts again during additional keying tries.
- Fixed switching back to original address pair during MOBIKE.
- When resending IKE_SA_INIT with a COOKIE charon reuses the previous
DH value, as specified in RFC 5996.
This has an effect on the lifecycle of diffie_hellman_t, see
source:src/libcharon/sa/keymat.h#39 for details.
- COOKIEs are now kept enabled a bit longer to avoid certain race
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=44
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| README.SUSE | ||
| strongswan_modprobe_syslog.patch | ||
| strongswan-4.6.3-fmt-warnings.patch | ||
| strongswan-4.6.3-rpmlintrc | ||
| strongswan-4.6.3.tar.bz2 | ||
| strongswan-4.6.3.tar.bz2.sig | ||
| strongswan.changes | ||
| strongswan.init.in | ||
| strongswan.spec | ||
Dear Customer, please note, that the strongswan release 4.5 changes the keyexchange mode to IKEv2 as default -- from strongswan-4.5.0/NEWS: "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! [...]" This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections in the /etc/ipsec.conf to use explicit: keyexchange=ikev1 The strongswan package does no provide any files any more, but triggers the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the traditional starter scripts inclusive of the /etc/init.d/ipsec init script and /etc/ipsec.conf file. There is a new strongswan-nm package with a NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the NetworkManager-strongswan graphical user interface. It does not depend on the traditional starter scripts, but on the IKEv2 charon daemon and plugins only. Have a lot of fun...