[Swan-announce] libreswan-4.0 released

The Libreswan Team team at libreswan.org
Thu Oct 15 14:22:38 UTC 2020

The Libreswan Project has released libreswan-4.0

This is a major feature and cleanup release.

The major release number was increased to signify some major changes.
Please ensure you extensively test libreswan 4.0 before upgrading
production systems.

Compatibility issues:

* The KLIPS IPsec stack has been removed - please switch to XFRMi to
   use ipsecX devices.
* Obsolete algorithms removed/disabled (Serpent, Twofish, CAST,
   MD5/SHA1, DH2, DH22-24, RIPEMD).
* Some compatibility keywords have been removed (mostly ones with "_")
* Some whack options have been removed and renamed
* ipsec status and ipsec trafficstatus output changes
* The default NSS database files (*.db) moved from /etc/ipsec.d to
   /var/lib/ipsec/nss
* BUILD variables changed/renamed (see mk/config.mk)
* Renamed INC_* config variables
* Updates to _updown scripts (eg renamed _updown.xfrm)
* NETKEY options now called XFRM
* ipsec newhostkey no longer supports or requires --output
* Global ikeport/natport options removed for per conn port options

New features:

* Support for RFC 8229 IKE and ESP over TCP (requires Linux >= 5.8)
* Support for INTERMEDIATE exchange (draft-ietf-ipsecme-ikev2-intermediate)
* Support for NetBSD
* Improved support for OCP/clouds by supporting custom ikeports
* Failover and loadbalancing support for IKEv2 REDIRECT
* Improved certificate reloading support (ipsec whack --rereadcerts)
* ipsec.secrets no longer needed for RSA keys ( :RSA section is now ignored)

Bug fixes:

* Improved NAT/port switching
* Fix labeled IPsec (selinux) for IKEv1
* Improved ipsecX device support
* Fix traffic counters for updown script
* Work around for some Linux kernel versions with ACQUIRE bug
* Windows 10 rekey interoperability fix

We are really happy to see that this release contains contributions from over
30 individual developers. Please let us know if there is anything we can
do to help you with contributing to libreswan.

This latest version of libreswan can be downloaded from:


The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug


Binary packages for RHEL/CentOS can be found at:

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v4.0 (October 14, 2020)
* KLIPS: Support for KLIPS completely removed [Paul]
* pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul]
* IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew]
          New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no, tcp-remoteport=
          Requires: Linux kernel >= 5.8
* IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul]
* IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC]
          New keyword: intermediate=yes
* FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul]
* pluto: Support for rereading configured certificates from NSS [Myungjin Lee]
* pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew]
* pluto: find_pluto_xfrmi_interface() would only check first interface [Paul]
* pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah]
* pluto: Fix leased IP address leak [Andrew/Paul]
* pluto: Fix displaying PLUTO_BYTES_ counters [Paul]
* pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto]
* pluto: Update selinux calls for Labeled IPsec support [Richard Haines]
* pluto: Memory leak fixes [Hugh]
* pluto: Remove unused per peer logging [Andrew]
* pluto: Cleanup logging code for minimal logging support [Andrew]
* pluto: Cleanup netlink / XFRM code [Hugh]
* pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang]
* pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul]
* pluto: Fix logging some IKE messages to proper IKE SA state [Andrew]
* pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul]
* pluto: Connections now have serial numbers which are logged [Paul/Andrew]
* pluto: No longer require :RSA sections in ipsec.secrets [Andrew]
* pluto: pluto chooses wrong raw RSA key (github#352) [Andrew]
* seccomp: Update syscall allowlist for pluto and addconn [Paul]
* whack: Support for ipsec whack --rereadcerts [Paul]
* whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul]
* whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul]
* show: Fixup for python3 version of ipaddress module [Paul]
* IKEv2: Fix Windows 10 rekey being rejected [Antony/Paul]
* IKEv2: Remove duplicates from proposals using "+" [Andrew]
* IKEv2: CERTREQ payload was not sent for authby=ecdsa [Paul]
* IKEv2: Decode notify payloads into the message digest [Andrew]
* IKEv2: Don't use NAT-T port when no NAT DETECTION payloads received [Andrew]
* IKEv2: Add load-balance support (multiple targets) to redirect [Vukasin]
* IKEv2: Only send REDIRECTs to established IKE SAs (not IPsec SAs) [Paul]
* IKEv2: Fix AUTH failure if ID payload reserved fields != 0 [Paul/Andrew/Hugh]
* IKEv2: A delete(IKE SA) request should not trigger a delete request [Andrew]
* IKEv2: Ignore, not abort when receiving unknown type transforms [Andrew]
* IKEv2: Don't switch NAT port on receiving non-NAT notify payloads [Andrew]
* IKEv1: Prevent crashing in Quick Mode on unused NAT payload [Daniel Wendler]
* libipsecconf: Fix config handling of policy-label [bauen1]
* libipsecconf: Promote ah= / esp= as desired keywords over phase2alg= [Paul]
* libipsecconf: Remove most obsoleted option names with underscore (_) [Paul]
* rsasigkey/newhostkey: Remove obsoleted --output option [Paul]
* building: Add NetBSD support [Andrew]
* building: Remove support for SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, [Paul]
* building: Merge userland.mk into config.mk to simplify makefiles [Tuomo]
* building: Deprecate INC_ variables [Tuomo]
* building: Remove all support for SERPENT, TWOFISH, CAST and RIPEMD [Paul]
* building: Remove -DALLOW_MICROSOFT_BAD_PROPOSAL [Tuomo]
* building: The define USE_NSS_PRF was renamed to USE_NSS_KDF [Tuomo]
* building: Rename master branch to main branch [Paul]
* building: Fix finding ipsec command in non-standard bin dirs [Tuomo]
* building: Introduce USE_OLD_SELINUX to support libselinux < 2.1.9 [Paul]
* building: NETKEY options changed to XFRM options [Paul]
* building: NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo]
             ipsec checknss called in initsystem will migrate files
             Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location
* packaging: Debian: remove runtime dependency on systemd [Stephen Kitt]
* packaging: Fedora: add missing build dependency for certutil [Stephen Kitt]
* packaging: Debian switched to using /usr/libexec/ [dkg]
* testing: Support Fedora32, Ubuntu, improved namespaces support [Paul/Others]
* testing: Work around kernel ICMP Acquire bug [Paul]
* testing: Added interop testing with OpenBSD iked [Ravi Teja]
* documentation: friendlier ipsec cmd output [Paul]
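The following ipsec.conf fragment is an added illustration, not part of the announcement or of the libreswan project's own documentation. It shows how the 4.0 keywords named in the changelog above fit together: the global ikeport/nat-ikeport options are replaced by listen-udp/listen-tcp, the per-connection leftikeport/rightikeport keywords, the RFC 8229 keywords tcponly and tcp-remoteport (Linux kernel 5.8 or newer), intermediate=yes for the INTERMEDIATE exchange, and ah=/esp= instead of phase2alg=. The connection names, addresses, IDs and port numbers are placeholders chosen for the example; ikev2=insist and authby=rsasig are existing libreswan keywords not mentioned on this page.

```conf
# Added example for libreswan 4.0 (not the project's own sample config).
# All names, addresses and non-default ports below are placeholders.

config setup
        # 4.0 removed the global ikeport= / nat-ikeport= options.
        # Choose which transports pluto listens on instead.
        listen-udp=yes
        # IKE over TCP (RFC 8229) needs a Linux kernel >= 5.8.
        listen-tcp=yes

# Connection 1: a cloud gateway reachable on a custom IKE port.
conn cloud-custom-port
        left=192.0.2.10
        leftid=@gw.example.test
        right=198.51.100.20
        rightid=@peer.example.test
        # per-connection IKE ports replace the removed global ikeport=
        leftikeport=4501
        rightikeport=4501
        ikev2=insist
        authby=rsasig
        # ah= / esp= are the preferred keywords in 4.0 (not phase2alg=)
        esp=aes_gcm256-null
        auto=add

# Connection 2: IKE and ESP carried over TCP only, with the
# EXPERIMENTAL INTERMEDIATE exchange enabled.
conn ike-over-tcp
        left=192.0.2.10
        leftid=@gw.example.test
        right=203.0.113.5
        rightid=@roadwarrior.example.test
        # RFC 8229: never fall back to UDP for this peer
        tcponly=yes
        # TCP port the remote side listens on (placeholder value)
        tcp-remoteport=4500
        # draft-ietf-ipsecme-ikev2-intermediate, EXPERIMENTAL in 4.0
        intermediate=yes
        ikev2=insist
        authby=rsasig
        esp=aes_gcm256-null
        auto=add
```

Two 4.0 changes from the same changelog affect such a setup without appearing in the file: raw RSA keys no longer need a :RSA section in ipsec.secrets (the keys are read from NSS), and the NSS database is now expected under /var/lib/ipsec/nss, so either let ipsec checknss migrate the *.db files at first start or build with FINALNSSDIR=/etc/ipsec.d to keep the pre-4.0 location.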
