forked from pool/strongswan
Marius Tomaschewski
1caa59fb4f
- A new default configuration file layout is introduced. The new
default strongswan.conf file mainly includes config snippets from
the strongswan.d and strongswan.d/charon directories (the latter
containing snippets for all plugins). The snippets, with commented
defaults, are automatically generated and installed, if they don't
exist yet. Also installed in $prefix/share/strongswan/templates so
existing files can be compared to the current defaults.
- As an alternative to the non-extensible charon.load setting, the
plugins to load in charon (and optionally other applications) can
now be determined via the charon.plugins.<name>.load setting for
each plugin (enabled in the new default strongswan.conf file via the
charon.load_modular option). The load setting optionally takes a
numeric priority value that allows reordering the plugins (otherwise
the default plugin order is preserved).
- All strongswan.conf settings that were formerly defined in library
specific "global" sections are now application specific (e.g.
settings for plugins in libstrongswan.plugins can now be set only
for charon in charon.plugins). The old options are still supported,
which now allows to define defaults for all applications in the
libstrongswan section.
- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
computer IKE key exchange mechanism. The implementation is based on
the ntru-crypto library from the NTRUOpenSourceProject.
The supported security strengths are ntru112, ntru128, ntru192, and
ntru256. Since the private DH group IDs 1030..1033 have been
assigned, the strongSwan Vendor ID must be sent in order to use NTRU
(charon.send_vendor_id = yes).
- Defined a TPMRA remote attestation workitem and added support for it
to the Attestation IMV.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=64
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| README.SUSE | ||
| strongswan_ipsec_service.patch | ||
| strongswan_modprobe_syslog.patch | ||
| strongswan-5.1.2-rpmlintrc | ||
| strongswan-5.1.2.tar.bz2 | ||
| strongswan-5.1.2.tar.bz2.sig | ||
| strongswan.changes | ||
| strongswan.init.in | ||
| strongswan.keyring | ||
| strongswan.spec | ||
Dear Customer, please note, that the strongswan release 4.5 changes the keyexchange mode to IKEv2 as default -- from strongswan-4.5.0/NEWS: "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! [...]" This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections in the /etc/ipsec.conf to use explicit: keyexchange=ikev1 The strongswan package does no provide any files any more, but triggers the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the traditional starter scripts inclusive of the /etc/init.d/ipsec init script and /etc/ipsec.conf file. There is a new strongswan-nm package with a NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the NetworkManager-strongswan graphical user interface. It does not depend on the traditional starter scripts, but on the IKEv2 charon daemon and plugins only. Have a lot of fun...