Software update: strongSwan 5.7.2




Various protocols can be used for securing connections over public networks, such as the widely used ipsec . StrongSwan is an ipsec implementation for Android, Linux, FreeBSD, iOS and macOS systems. Support for ike v1, ikev2 and ipv6 is present, as can be read on this page . The developers have released strongSwan 5.7.2 with the following changes:

Version 5.7.2
For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt length (as defined by the length of the key and hash). However, if the TPM is FIPS-168-4 compliant, the salt length equals the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if that’s not the case, it would be necessary to enable charon.plugins.tpm.fips_186_4 if the TPM does not use the maximum salt length.
Directories for credentials loaded by swanctl are now accessible to the loaded swanctl.conf file, in particular, when loading it from a custom location via –file argument. The base directory, which is used if no custom location for swanctl.conf is specified, is now also configurable at runtime via SWANCTL_DIR environment variable.
If RADIUS Accounting is enabled, the eap-radius plugin will add the session ID (Acct-Session-Id) to Access-Request messages, which simplifies associating database entries for IP leases and accounting for sessions. IKE_SAs are rekeyed, # 2853).
All IP addresses assigned by a RADIUS server are included in Accounting-Stop messages even if the client did not claim them, in case of connection errors (# 2856).
Selectors installed on transport mode SAs by the kernel netlink plugin are now updated if IP address changes (eg via MOBIKE) and it was part of the selectors.
No deletes are sent out when a rekeyed CHILD_SA expires (# 2815).
The bypass-lan plugin now tracks interfaces to handle subnets that move from one interface to another and properly update associated routes (# 2820).
Only valid and expected inbound IKEv2 messages are used to update the timestamp of the last received message (previously, retransmits also triggered an update).
IKEv2 requests from responders are now ignored until the IKE_SA is fully established (eg if a DPD requests IKE_AUTH response does, 46bea1add9).
Delayed IKE_SA_INIT responses with COOKIE notifies we are already ignored, they caused another reset of the IKE_SA previously (# 2837).
Active and queued Quick Mode tasks are now adopted if the peer reauthenticates are IKEv1 SA while creating lots of CHILD_SAs.
Newer versions of the FreeBSD kernel add SADB_X_EXT_SA2 extension to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to determine the reqid of the policy even if it was not installed by the daemon before (eg when using FreeBSD’s if_ipsec (4) VTIs, which install policies themselves, 872b9b3e8d).
Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin. For older versions of ssh / gpg agent that only support SHA-1, IKEv2 signature authentication has to be disabled via charon.signature_authentication.
The sshkey and agent plugins support Ed25519 / Ed448 SSH keys and signatures.
The openssl plugin supports X25519 / X448 Diffie-Hellman and Ed25519 / Ed448 keys and signatures when built against OpenSSL 1.1.1.
Support for Ed25519, ChaCha20 / Poly1305, SHA-3 and AES-CCM were added to the botanical plugin.
The mysql plugin now properly handles database connections with transactions under heavy load (# 2779).
IP addresses are now distributed equally among all segments (# 2828).
Private key implementations may possibly provide a list of supported signature schemes, which, as described above, is used by the rpm plugin because the padding scheme is predefined.
The testing environment is now based on Debian 9 (stretch) by default. This required some changes, in particular, updating to FreeRADIUS 3.x (which forced us to abandon the TNC @ FHH patches and scenarios, 2fbe44bef3) and removing FIPS-enabled versions or OpenSSL (the FIPS module only supports OpenSSL 1.0.2).
Most test scenarios were migrated to swanctl.
Version number 5.7.2
Release status Final
Operating systems Android, Linux, BSD, macOS, Solaris, iOS
License type Conditions (GNU / BSD / etc.)


In: A Technology & Gadgets Asked By: [23147 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »

Star Points Scale

Earn points for Asking and Answering Questions!

Grey Sta Levelr [1 - 25 Grey Star Level]
Green Star Level [26 - 50 Green Star Level]
Blue Star Level [51 - 500 Blue Star Level]
Orange Star Level [501 - 5000 Orange Star Level]
Red Star Level [5001 - 25000 Red Star Level]
Black Star Level [25001+ Black Star Level]