Voor het beveiligen van verbindingen over openbare netwerken kunnen verschillende protocollen worden gebruikt, zoals het veel toegepaste ipsec. StrongSwan is een ipsec-implementatie voor Linux-systemen, waarvan de 4.2- en 4.3-vleugels zich richten op de huidige 2.6-Linux-kernel. Ondersteuning voor ikev1, ikev2 en ipv6 is aanwezig, zoals op deze pagina na te lezen is. De ontwikkelaars hebben strongSwan 4.3.5 uitgebracht en van de volgende lijst met veranderingen sinds de vorige vermelding in de Meuktracker voorzien:
- The IKEv1 pluto daemon can now use SQL-based address pools to deal out virtual IP addresses as a Mode Config server. The pool capability has been migrated from charon's sql plugin to a new attr-sql plugin which is loaded by libstrongswan and which can be used by both daemons either with a SQLite or MySQL database and the corresponding plugin.
- Plugin names have been streamlined: EAP plugins now have a dash after eap (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option. Plugin configuration sections in strongswan.conf now use the same name as the plugin itself (i.e. with a dash). Make sure to update "load" directives and the affected plugin sections in existing strongswan.conf files.
- The private/public key parsing and encoding has been split up into separate pkcs1, pgp, pem and dnskey plugins. The public key implementation plugins gmp, gcrypt and openssl can all make use of them.
- The EAP-AKA plugin can use different backends for USIM/quintuplet calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software implementation has been migrated to a separate plugin.
- The IKEv2 daemon charon gained basic PGP support. It can use locally installed peer certificates and can issue signatures based on RSA private keys.
- The new 'ipsec pki' tool provides a set of commands to maintain a public key infrastructure. It currently supports operations to create RSA and ECDSA private/public keys, calculate fingerprints and issue or verify certificates.
- Charon uses a monotonic time source for statistics and job queueing, behaving correctly if the system time changes (e.g. when using NTP).
- In addition to time based rekeying, charon supports IPsec SA lifetimes based on processed volume or number of packets. They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle SA timeouts, while the parameters 'margintime' (an alias to rekeymargin), 'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires. The existing parameter 'rekeyfuzz' affects all margins.
- If no CA/Gateway certificate is specified in the NetworkManager plugin, charon uses a set of trusted root certificates preinstalled by distributions. The directory containing CA certificates can be specified using the --with-nm-ca-dir=path configure option.
- Fixed the encoding of the Email relative distinguished name in left|rightid statements.
- Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
- Fixed smartcard-based authentication in the pluto daemon which was broken by the ECDSA support introduced with the 4.3.2 release.
- A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa tunnels established with the IKEv1 pluto daemon.
- The pluto daemon now uses the libstrongswan x509 plugin for certificates and CRls and the struct id type was replaced by identification_t used by charon and the libstrongswan library.
- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can be found on wiki.strongswan.org.
- ipsec statusall shows the number of bytes transmitted and received over ESP connections configured by the IKEv2 charon daemon.
- The IKEv2 charon daemon supports include files in ipsec.secrets.