[Swan-announce] Libreswan 3.6 released

The Libreswan Project team at libreswan.org
Thu Oct 31 05:42:36 EET 2013

The Libreswan Project has released libreswan-3.6. This is a feature
and bugfix release.

A few new options have been introduced to enhance compatibility:
cisco_unity=, modecfg_banner=, modecfg_domain=, ike_pad=, priority=,
reqid= and statsbin=. See the man page for details.

KLIPS is now supported up to Linux kernel 3.11. NETKEY error handling
when replacing SAs has been improved. FIPS code has been updated
to comply with new requirements, and Labeled IPsec support was repaired.

The default keysize for new raw RSA keys has been increased to 3072-4096 bits.

Various cleanups were made, including some compile-time options that are now
always included. Stale and unused code was removed. Blowfish support was
removed (use twofish instead).

openrc init system support has been added.

You can download libreswan via https at:


or via ftp at:


The full changelog is available at:

Please report bugs either via one of the mailing lists or at our bug


Binary packages for Fedora, RHEL and Ubuntu can be found at

See also https://libreswan.org/

v3.6 (October 30, 2013)
* IKEv2: Fix interoperability bug in SKEYSEED generation [Paul/Hugh/Antony]
* IKEv2: Add liveness checks (a.k.a. DPD for IKEv2) [Matt Rogers]
* IKEv2: ikev2=insist allowed ikev1 when acting as responder [Matt Rogers]
* IKEv2: Fix fallback to ikev1 when remote has ikev2=no [Paul]
* IKEv1: Cleanup AGGR Mode VendorID - also send fragmentation vid [Paul]
* IKEv1: Added cisco_unity= (default no) option which sends VID [Paul]
* IKEv1: Fix compatibility with NAT-T and remote_peer_type=cisco [Paul]
* IKEv1: dpdaction=restart_by_peer is now called dpdaction=restart [Paul]
* IKEv1: Added support for modecfgbanner= and modecfgdomain= [Paul]
* IKE: introduce ikepad=yes|no (default yes) for Checkpoint interop [David]
* pluto: work around for Cisco VPN clients sending extraneous bytes [Paul/Hugh]
* pluto: Support for google-authenticator OTP via pam [Paul]
* pluto: fix kernel.c typo in word outgoing [Tuomo]
* pluto: remove dsa/elgamal stubs from gnupg that were unused [Paul]
* pluto: Added per conn priority= to specify kernel IPsec SA priority [Paul]
* keyword: auto=route and ipsec auto --route renamed to "ondemand" [Paul]
* NETKEY/BSD: Added per conn reqid= to specify kernel IPsec SA [Paul]
               (based on idea by Panagiotis Tamtamis)
* pluto: %fromcert now works for local certs and those received via IKE [Matt]
* pluto: Allow \\ masking in RDNs similar to ,, [Matt Rogers]
* pluto: merge updateresolvconf/restoreresolv.conf in client-up|down [Paul]
* building: Removed USE_MODP_RFC5114 flag. Support is always added [Paul]
* building: Removed USE_AGGRESSIVE flag. Support is always added [Paul]
* building: Removed USE_XAUTH flag. Support is always added [Paul]
* building: Removed MODECFG* flags. Support is always added [Paul]
* building: Remove blowfish (use twofish instead) [Paul]
* building: Generate Makefile depend files automatically [Tuomo]
* building: Add support for openrc initsystem on Alpine Linux [Paul]
* packaging: spec files now initialise NSS DB when not found [Paul]
* NETKEY: Take protoport= into account when setting IPsec SA priority [Paul]
* NETKEY: Change Update SA to Add SA when existing SA is not found [Mattias]
* NETKEY: Fix Labeled IPsec (broken in openswan 2.6.33) [Paul]
* KLIPS: Support for 3.10+ kernels (/proc use via seq_* functions) [David]
* Changed HAVE_STATSD compile option to statsbin= runtime option [Paul]
* sysvinit: status function used incorrect variable for pid file [Tuomo]
* _stackmanager: coding style cleanup - fixes bashism [Tuomo]
* testing: Various interop test case updates [Paul]
* FIPS: Support versioned hmac files, fips test in non-fips mode [Paul]
* rsasigkey/newhostkey: Keysize for new RSA keys increased from 2192
   to randomised 3072-4096 (in blocks of 16) to fight keysize monoculture [Paul]
* Removed unused and unmaintained USE_TAPROOM functionality [Paul]
* NAT-T: Added from RFC 6598 to virtual_private [Paul]
* NSS: pluto should not open NSS files in readwrite, just read-only [Paul]
* Bugtracker bugs fixed:
   #130: debian debuild creates a deb with /usr/libexec contents
         [Marc-Cristian Petersen]
   #145: support old location of /selinux/enforce still in use by CentOS6 [Paul]