Various protocols can be used to secure connections over public networks, the widely deployed IPsec among them. strongSwan is an IPsec implementation for Linux systems, whose 5.0 branch targets the 2.6 and 3.x Linux kernels. Support for IKEv1, IKEv2 and IPv6 is present, as can be read on this page. The developers released strongSwan version 5.1.3 a few weeks ago; the list of changes made in the last few versions can be found below.
Changes in version 5.1.3
- Fixed an authentication bypass vulnerability triggered by rekeying an unestablished IKE_SA while it gets actively initiated. This allowed an attacker to trick a peer's IKE_SA state to established, without the need to provide any valid authentication credentials. The vulnerability has been registered as CVE-2014-2338. Refer to our blog for details.
- The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups ipsec.conf option. Attribute Certificates can be loaded locally or get exchanged in IKEv2 certificate payloads.
- The pki command gained support to generate X.509 Attribute Certificates using the --acert subcommand, while the --print command supports the ac type. The openac utility has been removed in favor of the new pki functionality.
- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols has been extended by AEAD mode support, currently limited to AES-GCM.
- Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints (a844b6589034).
- Limited OCSP signing to specific certificates to improve performance (91d71abb16a9).
- authKeyIdentifier is not added to self-signed certificates anymore (f7d04ba6c462).
- Fixed the comparison of IKE configs if only the cipher suites were different (23f34f6ed504).
- Added a Travis CI config, a test script, and some unit test improvements (e.g. the TESTS_SUITES option), see DeveloperDocumentation.
Changes in version 5.1.2
- A new default configuration file layout is introduced (with full backward compatibility). The new default strongswan.conf file mainly includes config snippets from the strongswan.d and strongswan.d/charon directories (the latter containing snippets for all plugins). The snippets, with commented defaults, are automatically generated and installed, if they don't exist yet. They are also installed in $prefix/share/strongswan/templates so existing files can be compared to the current defaults.
- As an alternative to the non-extensible charon.load setting, the plugins to load in charon (and optionally other applications) can now be determined via the charon.plugins.<name>.load setting for each plugin (enabled in the new default strongswan.conf file via the charon.load_modular option). The load setting optionally takes a numeric priority value that allows reordering the plugins (otherwise the default plugin order is preserved).
- All strongswan.conf settings that were formerly defined in library-specific "global" sections are now application-specific (e.g. settings for plugins in libstrongswan.plugins can now be set only for charon in charon.plugins). The old options are still supported, which now allows defaults for all applications to be defined in the libstrongswan section.
- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum (quantum-computer-resistant) IKE key exchange mechanism. The implementation is based on the ntru-crypto library from the NTRUOpenSourceProject. The supported security strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be sent (charon.send_vendor_id = yes) in order to use NTRU.
- Defined a TPMRA remote attestation workitem and added support for it to the Attestation IMV.
- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as well as multiple subnets in left|rightsubnet have been fixed.
- When enabling its session strongswan.conf option, the xauth-pam plugin opens and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
- The strongSwan unit testing framework has been rewritten without the check dependency for improved flexibility and portability. It now properly supports multi-threaded and memory leak testing and brings a bunch of new test cases.
- The NetworkManager frontend gained support for PSK authentication.
- The interface option of the dhcp plugin allows binding to a specific interface (3711f66e54).
- If charon.plugins.stroke.prevent_loglevel_changes is enabled, the stroke plugin prevents log level changes via ipsec stroke.
- The inactivity counter is reset with every rekeying, which means that the inactivity timeout must be smaller than the rekeying interval to have any effect (d048a319df).
- SQL schemas and example data (IMV) are now distributed and installed in
- A method to register custom proposal keyword parsers has been added (568e302260).
- A deadlock was fixed when installing trap policies (bb492d80b5).
Changes in version 5.1.1
- Fixed a denial-of-service vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient length check when comparing such identities. The vulnerability has been registered as CVE-2013-6075. Refer to our blog for details.
- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 fragmentation payload. The cause is a NULL pointer dereference. The vulnerability has been registered as CVE-2013-6076. Refer to our blog for details.
- The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS session with a strongSwan policy enforcement point which uses the tnc-pdp charon plugin.
- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either full SWID Tag or concise SWID Tag ID inventories.
- The XAuth backend in eap-radius now supports multiple XAuth exchanges for different credential types and display messages. All user input gets concatenated and verified with a single User-Password RADIUS attribute on the AAA. With an AAA supporting it, one can, for example, implement Password+Token authentication with proper dialogs on iOS and OS X clients.
- charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf modeconfig=push option enables it for both client and server, the same way as pluto used it.
- Using the ah ipsec.conf keyword on both IKEv1 and IKEv2 connections, charon can negotiate and install Security Associations integrity-protected by the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only, but not the deprecated RFC 2401 style ESP+AH bundles.
- The generation of initialization vectors for IKE and ESP (when using libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly allocated sequentially, while other algorithms like AES-CBC still use random IVs.
- The left and right options in ipsec.conf can take multiple address ranges and subnets. This allows connection matching against a larger set of addresses, for example to use a different connection for clients connecting from an internal network.
- For all those who have a queasy feeling about the NIST elliptic curve set, the Brainpool curves introduced for use with IKE by RFC 6932 might be a more trustworthy alternative.
- The kernel-libipsec userland IPsec backend now supports usage statistics, volume based rekeying and accepts ESPv3 style TFC padded packets.
- With two new strongswan.conf options, fwmarks can be used to implement host-to-host tunnels with kernel-libipsec.
- libipsec now properly calculates padding length, especially for AES-GCM.
- load-tester supports transport mode connections and more complex traffic selectors, including ones that use unique ports for each tunnel.
- The new dnscert plugin provides support for authentication via CERT RRs that are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
- The eap-radius plugin supports forwarding of several Cisco Unity specific RADIUS attributes in corresponding configuration payloads.
- The ipsec pki utility and its subcommands all received man pages. The command itself is now installed in $prefix/bin by default, so the ipsec prefix is now optional.
- pki --pub is able to convert public keys to other formats (e.g. DNSKEY or SSH).
- Database transactions are now abstracted and implemented by the two backends. If you use MySQL make sure all tables use the InnoDB engine.
- libstrongswan can now provide an experimental custom implementation of the printf family functions based on klibc if neither Vstr nor glibc style printf hooks are available. This can avoid the Vstr dependency on some systems at the cost of slower and less complete printf functions.
- Handling of ICMP[v6] has been improved. For instance, traffic selectors with specific ICMP message type and code can now be configured in ipsec.conf and are properly installed in the kernel.
- IKEv1 reauthentication should be more stable with third-party peers (ee99f37e, d2e4dd75).
- Fixes a regression in 5.1.0 that caused a segmentation fault when reestablishing CHILD_SAs due to closeaction=restart|hold (e42ab08a).
- Fixes a regression in 5.1.0 that caused IP addresses on ignored, down or loopback interfaces to get ignored when searching for an address contained in the local traffic selector (d7ae0b254).
- The calculation of the ESN bitmap length in the kernel-netlink plugin was fixed (e001cc2b).
- When removing configs via stroke plugin (e.g. with ipsec update/reload) matching peer configs are not removed anymore, if they are still used by other child configs (791fde16).
- reqids of established CHILD_SAs are reused when routing connections via stroke plugin (32fef0c6).
- The value for xfrm_acq_expires can now be configured via strongswan.conf (255b9dac).
Changes in version 5.1.0
- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash was caused by insufficient error handling in the is_asn1() function. The vulnerability has been registered as CVE-2013-5018. Refer to our blog for details.
- The new charon-cmd command line IKE client can establish road warrior connections using IKEv1 or IKEv2 with different authentication profiles. It does not depend on any configuration files (no ipsec.conf nor ipsec.secrets but may use strongswan.conf options) and can be configured using a few simple command line options.
- The kernel-pfroute networking backend has been greatly improved. It now can install virtual IPs on TUN devices on Mac OS X and FreeBSD, allowing these systems to act as a client in common road warrior scenarios.
- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec processing in userland on Linux, FreeBSD and Mac OS X.
- The eap-radius plugin can now serve as an XAuth backend called xauth-radius, directly verifying XAuth credentials using RADIUS User-Name/User-Password attributes. This is more efficient than the existing xauth-eap + eap-radius combination, and allows RADIUS servers without EAP support to act as AAA backend for IKEv1.
- The new osx-attr plugin installs configuration attributes (currently DNS servers) via SystemConfiguration on Mac OS X. The keychain plugin provides certificates from the OS X keychain service.
- The sshkey plugin parses SSH public keys, which, together with the --agent option for charon-cmd, allows the use of ssh-agent for authentication. To configure SSH keys in ipsec.conf the left|rightrsasigkey options are replaced with left|rightsigkey, which now take public keys in one of three formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the default, no prefix).
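The previous item and the pki --pub item above name two public-key wire formats besides PKCS#1: the SSH format of RFC 4253 and the DNSKEY format of RFC 3110. The following is an added example, not strongSwan's sshkey or pki code, that encodes an RSA public key in both formats and parses them back with explicit length checks; the sample exponent and modulus are constructed for the example and are not a real key pair.

```python
"""Encode and parse RSA public keys in the SSH (RFC 4253 "ssh-rsa") and DNSKEY
(RFC 3110) wire formats.  Added example with a constructed key; not strongSwan
code."""
import base64
import struct

# Constructed sample key: NOT a real key pair.  The modulus has its high bit
# set so the leading-zero rule of the SSH mpint encoding is exercised.
SAMPLE_E = 65537
SAMPLE_N = 0xC4F1A9E73B2D5C619F0E2A7B8D3C4E5F1A2B3C4D5E6F708192A3B4C5D6E7F801


def _be(value: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer (b'' for 0)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' is two's complement: prepend 0x00 if the top bit is set."""
    raw = _be(value)
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_ssh_string(blob: bytes, off: int):
    """Read one length-prefixed field, refusing lengths that run past the blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("field length exceeds blob")
    return blob[off:off + length], off + length


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Produce an OpenSSH-style 'ssh-rsa <base64> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_ssh_rsa(line: str):
    """Parse an 'ssh-rsa' line back into (e, n), validating every length."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match line type")
    e_raw, off = _read_ssh_string(blob, off)
    n_raw, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def encode_rfc3110(e: int, n: int) -> bytes:
    """RFC 3110 key material: exponent length (1 byte, or 0x00 + 2 bytes for
    exponents of 256 bytes or more), exponent, modulus.  A DNSKEY RR carries
    flags, protocol and algorithm fields in front of this material."""
    e_raw, n_raw = _be(e), _be(n)
    if len(e_raw) < 256:
        header = bytes([len(e_raw)])
    else:
        header = b"\x00" + struct.pack(">H", len(e_raw))
    return header + e_raw + n_raw


def parse_rfc3110(blob: bytes):
    """Parse RFC 3110 key material back into (e, n)."""
    if not blob:
        raise ValueError("empty key material")
    if blob[0] != 0:
        e_len, off = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        (e_len,) = struct.unpack_from(">H", blob, 1)
        off = 3
    if off + e_len > len(blob):
        raise ValueError("exponent length exceeds blob")
    e = int.from_bytes(blob[off:off + e_len], "big")
    n = int.from_bytes(blob[off + e_len:], "big")
    if n == 0:
        raise ValueError("missing modulus")
    return e, n


def ssh_to_dnskey_material(line: str) -> bytes:
    """Convert an ssh-rsa line to RFC 3110 key material (same key, new wire form)."""
    e, n = parse_ssh_rsa(line)
    return encode_rfc3110(e, n)


if __name__ == "__main__":
    ssh_line = encode_ssh_rsa(SAMPLE_E, SAMPLE_N, "example@host")
    print(ssh_line)
    print(base64.b64encode(ssh_to_dnskey_material(ssh_line)).decode("ascii"))
```

Every length-prefixed field is checked against the remaining buffer before it is sliced, so a key blob that claims more bytes than it carries is rejected with an error instead of yielding a silently truncated exponent or modulus; that is the kind of check whose absence the CVE-2013-6075 entry above describes for identity comparison.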
- Extraction of certificates and private keys from PKCS#12 files is now provided by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well as charon (via P12 token in ipsec.secrets) can make use of this.
- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA on error conditions using an additional exchange, keeping state in sync between peers.
- Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager can generate specific measurement workitems for an arbitrary number of Integrity Measurement Verifiers (IMVs) based on the history of the VPN user and/or device. The new strongTNC web application provides a frontend to manage such databases. This project was started by Stefan Rohner and Marco Tanner as part of their Bachelor Thesis.
- Several core classes in libstrongswan are now tested with unit tests. These can be enabled with --enable-unit-tests and run with make check. Coverage reports can be generated with --enable-coverage and make coverage (this disables any optimization, so it should not be enabled when building production releases).
- The leak-detective developer tool has been greatly improved. It works much faster and more stably with multiple threads, does not use deprecated malloc hooks anymore and has been ported to OS X.
- chunk_hash() is now based on SipHash-2-4 with a random key. This provides better distribution and prevents hash flooding attacks when used with hashtables. To generate reproducible hashes the chunk_hash_static() function can be used.
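To show what the keyed hash in the previous item buys, here is an added example, written for these notes and not strongSwan's chunk_hash() implementation: a SipHash-2-4 implementation checked against the published test vectors, a per-process random key for hashtable bucketing, and a fixed-key variant for reproducible hashes. The chunk_hash()/chunk_hash_static() names only mirror the ones mentioned above, and the all-zero static key is an assumption of this example.

```python
"""SipHash-2-4 keyed hashing for hashtable bucketing.  A hashtable whose hash
function is public lets a remote peer precompute large sets of colliding keys
and degrade lookups to linear time ("hash flooding"); hashing under a secret,
per-process random key removes that predictability.  Added example, not
strongSwan's chunk_hash() code."""
import secrets
import struct
from typing import Optional

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound (add-rotate-xor mixing step) as specified by Aumasson/Bernstein."""
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4: 2 compression rounds per 8-byte block, 4 finalization rounds."""
    if len(key) != 16:
        raise ValueError("SipHash needs a 128-bit key")
    k0, k1 = struct.unpack("<QQ", key)
    # Initial state: key XORed into the constant "somepseudorandomlygeneratedbytes".
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    full = len(msg) - len(msg) % 8
    for off in range(0, full, 8):
        (m,) = struct.unpack_from("<Q", msg, off)
        v = (v[0], v[1], v[2], v[3] ^ m)
        v = _sipround(*_sipround(*v))
        v = (v[0] ^ m, v[1], v[2], v[3])
    # Last block: remaining bytes little-endian, message length in the top octet.
    last = int.from_bytes(msg[full:], "little") | ((len(msg) & 0xFF) << 56)
    v = (v[0], v[1], v[2], v[3] ^ last)
    v = _sipround(*_sipround(*v))
    v = (v[0] ^ last, v[1], v[2] ^ 0xFF, v[3])
    for _ in range(4):
        v = _sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]


# One random key per process: a peer that cannot learn it cannot predict which
# bucket an input lands in, so precomputed collision sets are useless.
_PROCESS_KEY = secrets.token_bytes(16)
# Fixed key (an assumption of this example) for callers needing reproducible hashes.
_STATIC_KEY = bytes(16)


def chunk_hash(data: bytes) -> int:
    """Keyed hash with the per-process random key (stable within one process only)."""
    return siphash24(_PROCESS_KEY, data)


def chunk_hash_static(data: bytes) -> int:
    """Keyed hash with a fixed key: identical output across processes and runs."""
    return siphash24(_STATIC_KEY, data)


def bucket_index(data: bytes, nbuckets: int, key: Optional[bytes] = None) -> int:
    """Hashtable slot for data; with key=None the per-process key is used."""
    return siphash24(_PROCESS_KEY if key is None else key, data) % nbuckets


if __name__ == "__main__":
    # Constructed inputs: the same identities land in different slots under
    # different keys, which is exactly what an attacker cannot plan around.
    inputs = [b"alice@example.org", b"bob@example.org", b"carol@example.org"]
    for k in (secrets.token_bytes(16), secrets.token_bytes(16)):
        print([bucket_index(i, 64, k) for i in inputs])
    print([bucket_index(i, 64, _STATIC_KEY) for i in inputs])
```

The reference test vectors used in the check (key 00..0f with the empty message and with the 15-byte message 00..0e) come from the SipHash specification; any implementation that fails them is not SipHash-2-4 and must not be trusted to provide the flooding resistance described above.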
- All default plugins implement the get_features() method to define features and their dependencies. The plugin loader has been improved, so that plugins in a custom load statement can be ordered freely or to express preferences without being affected by dependencies between plugin features.
- A centralized thread can take care of watching multiple file descriptors concurrently. This removes the need for dedicated listener threads in various plugins. The number of "reserved" threads for such tasks has been reduced to about five, depending on the plugin configuration.
- Plugins that can be controlled by a UNIX socket IPC mechanism gained network transparency. Third party applications querying these plugins now can use TCP connections from a different host. See the respective socket options in strongswan.conf.
- Protocol and port can be specified for each individual subnet specified with the left|rightsubnet ipsec.conf options.
- The closeaction ipsec.conf option is now also supported for IKEv1 (thanks to Oliver Smith for the initial patch).
- libipsec now supports AES-GCM.
- By replacing several linked lists that exist during the full lifetime of an SA with a simple array implementation the memory usage per tunnel is reduced by 5 KB or more.
- Responders reuse reqids of trapped policies, making auto=route on both sides more reliable.
- Instead of silently replacing a policy if the reqid changes, the kernel-netlink plugin now rejects such requests. This has consequences e.g. if two clients behind the same NAT use transport mode (see #365).
- Capability dropping has been improved. Every plugin verifies that the capabilities it requires are actually held and requests to keep only those that are really required at runtime.
- Support for silent rules was added to the build system; they can be enabled with --enable-silent-rules. V=1 can be used to build with a different verbosity than configured.
- The unique identifier of an IKE_SA is passed as PLUTO_UNIQUEID to the updown script.
- Whether the socket-default plugin uses IPv4 and/or IPv6 can be configured via strongswan.conf.
- Fixed a race-condition if the DELETE for a redundant CHILD_SA created by a responder during a CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning CREATE_CHILD_SA request.
- The X.509 certificate decoder provided by the openssl plugin supports IP address blocks (patch by Michael Rossberg).
- scepclient can use a specific source address configured with the new --bind option.
- Negotiation of IKEv1 DPD with Cisco IOS devices has been fixed, if they do not send the DPD vendor ID in the first message.
- The ipsec stroke exportconncert and exportconnchain commands can be used to export either a single end entity certificate or the full trust chain for a specific connection.
- The ipsec stroke up-nb and down-nb commands do the same as up and down, respectively, but they do not block until the command has finished.