Voor het beveiligen van verbindingen over openbare netwerken kunnen verschillende protocollen worden gebruikt, zoals het veel toegepaste ipsec. StrongSwan is een ipsec-implementatie voor Android-, Linux-, FreeBSD-, iOS- en macOS-systemen. Ondersteuning voor ikev1, ikev2 en ipv6 is aanwezig, zoals op deze pagina te lezen is. De ontwikkelaars hebben strongSwan 5.7.2 uitgebracht met de volgende veranderingen:
Version 5.7.2
- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt length (as defined by the length of the key and hash). However, if the TPM is FIPS-168-4 compliant, the salt length equals the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if that's not the case, it might be necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't use the maximum salt length.
- Directories for credentials loaded by swanctl are now accessed relative to the loaded swanctl.conf file, in particular, when loading it from a custom location via --file argument. The base directory, which is used if no custom location for swanctl.conf is specified, is now also configurable at runtime via SWANCTL_DIR environment variable.
- If RADIUS Accounting is enabled, the eap-radius plugin will add the session ID (Acct-Session-Id) to Access-Request messages, which e.g. simplifies associating database entries for IP leases and accounting with sessions (the session ID does not change when IKE_SAs are rekeyed, #2853).
- All IP addresses assigned by a RADIUS server are included in Accounting-Stop messages even if the client did not claim them, allowing to release them early in case of connection errors (#2856).
- Selectors installed on transport mode SAs by the kernel-netlink plugin are now updated if an IP address changes (e.g. via MOBIKE) and it was part of the selectors.
- No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
- The bypass-lan plugin now tracks interfaces to handle subnets that move from one interface to another and properly update associated routes (#2820).
- Only valid and expected inbound IKEv2 messages are used to update the timestamp of the last received message (previously, retransmits also triggered an update).
- IKEv2 requests from responders are now ignored until the IKE_SA is fully established (e.g. if a DPD request from the peer arrives before the IKE_AUTH response does, 46bea1add9).
- Delayed IKE_SA_INIT responses with COOKIE notifies we already recevied are ignored, they caused another reset of the IKE_SA previously (#2837).
- Active and queued Quick Mode tasks are now adopted if the peer reauthenticates an IKEv1 SA while creating lots of CHILD_SAs.
- Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to determine the reqid of the policy even if it wasn't installed by the daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which install policies themselves, 872b9b3e8d).
- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin. For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature authentication has to be disabled via charon.signature_authentication.
- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys and signatures when built against OpenSSL 1.1.1.
- Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
- The mysql plugin now properly handles database connections with transactions under heavy load (#2779).
- IP addresses in ha pools are now distributed evenly among all segments (#2828).
- Private key implementations may optionally provide a list of supported signature schemes, which, as described above, is used by the tpm plugin because for each key on a TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
- The testing environment is now based on Debian 9 (stretch) by default. This required some changes, in particular, updating to FreeRADIUS 3.x (which forced us to abandon the TNC@FHH patches and scenarios, 2fbe44bef3) and removing FIPS-enabled versions of OpenSSL (the FIPS module only supports OpenSSL 1.0.2).
- Most test scenarios were migrated to swanctl.
:strip_exif()/i/1401542535.png?f=thumbmedium)