[Swan-announce] libreswan 4.1 released to address urgent Cisco interoperability issue

The Libreswan Team (team at libreswan.org)
Mon Oct 19 03:08:20 UTC 2020


The Libreswan Project has released libreswan 4.1

This is a major bugfix release.

A bug in libreswan 4.0 rejected IKEv2 Notify payloads carrying invalid
protocol IDs instead of ignoring those IDs as RFC 7296 requires. This caused
an interoperability failure with some Cisco devices that send invalid Notify
protocol IDs.
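The RFC 7296 rule behind this fix, shown as an added example that is not libreswan's own code: a small parser for the fixed header of an IKEv2 Notify payload. Section 3.10 of the RFC says the Protocol ID octet "MUST be ignored on receipt" when the SPI Size is zero, and must name AH (2) or ESP (3) only when an SPI is actually carried. The sample payloads below are constructed for this example, not captured from any device; the struct and function names are assumptions made here, not libreswan identifiers.

```c
/*
 * Added example (not libreswan code): parse the fixed header of an IKEv2
 * Notify payload (RFC 7296 section 3.10) and apply the RFC's Protocol ID
 * rule.  With SPI Size == 0 the Protocol ID is ignored, so a peer that puts
 * a bogus value there is still accepted; with an SPI present it must be
 * 2 (AH) or 3 (ESP).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKEV2_NOTIFY_FIXED_LEN 8   /* 4-octet generic header + 4 notify octets */

enum notify_parse_status {
    NOTIFY_OK = 0,
    NOTIFY_TRUNCATED,        /* buffer shorter than the payload length field */
    NOTIFY_BAD_LENGTH,       /* payload length cannot hold header + SPI */
    NOTIFY_BAD_PROTOCOL_ID   /* SPI present but Protocol ID is not AH/ESP */
};

struct ikev2_notify {            /* hypothetical name, not libreswan's */
    uint8_t next_payload;
    uint8_t critical;
    uint16_t payload_len;
    uint8_t protocol_id;
    uint8_t spi_size;
    uint16_t msg_type;
    const uint8_t *spi;          /* spi_size octets inside the input buffer */
    const uint8_t *data;         /* notification data, data_len octets */
    size_t data_len;
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum notify_parse_status parse_ikev2_notify(const uint8_t *buf, size_t len,
                                            struct ikev2_notify *out) {
    if (len < IKEV2_NOTIFY_FIXED_LEN)
        return NOTIFY_TRUNCATED;
    memset(out, 0, sizeof(*out));
    out->next_payload = buf[0];
    out->critical = (buf[1] & 0x80) != 0;
    out->payload_len = get_be16(buf + 2);
    out->protocol_id = buf[4];
    out->spi_size = buf[5];
    out->msg_type = get_be16(buf + 6);

    if (out->payload_len < IKEV2_NOTIFY_FIXED_LEN + out->spi_size)
        return NOTIFY_BAD_LENGTH;
    if (out->payload_len > len)
        return NOTIFY_TRUNCATED;

    if (out->spi_size == 0) {
        /* RFC 7296 3.10: no SPI, so the Protocol ID MUST be ignored on
         * receipt.  Normalise it so later code never sees the bogus value. */
        out->protocol_id = 0;
    } else if (out->protocol_id != 2 && out->protocol_id != 3) {
        /* An SPI is carried, so the Protocol ID has to identify AH or ESP. */
        return NOTIFY_BAD_PROTOCOL_ID;
    }

    out->spi = out->spi_size ? buf + IKEV2_NOTIFY_FIXED_LEN : NULL;
    out->data = buf + IKEV2_NOTIFY_FIXED_LEN + out->spi_size;
    out->data_len = out->payload_len - IKEV2_NOTIFY_FIXED_LEN - out->spi_size;
    return NOTIFY_OK;
}

/* Constructed sample payloads for this example (not captures of any device). */

/* NAT_DETECTION_SOURCE_IP (16388), no SPI, but Protocol ID 1 instead of 0:
 * the kind of payload the 4.0 strict check rejected and 4.1 accepts again. */
static const uint8_t sample_bogus_protoid[] = {
    0x00, 0x00, 0x00, 0x1c,   /* next payload 0, not critical, length 28 */
    0x01, 0x00, 0x40, 0x04,   /* protocol id 1, spi size 0, type 16388 */
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
    0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13  /* 20-octet hash-sized data */
};

/* REKEY_SA (16393) with a 4-octet ESP SPI: Protocol ID 3 is required here. */
static const uint8_t sample_rekey_esp[] = {
    0x00, 0x00, 0x00, 0x0c, 0x03, 0x04, 0x40, 0x09, 0xde, 0xad, 0xbe, 0xef
};

/* Same REKEY_SA, but Protocol ID 1 (IKE): invalid because an SPI is present. */
static const uint8_t sample_rekey_bad[] = {
    0x00, 0x00, 0x00, 0x0c, 0x01, 0x04, 0x40, 0x09, 0xde, 0xad, 0xbe, 0xef
};

/* Small wrappers so each sample's verdict is a returned value. */
enum notify_parse_status status_of(const uint8_t *buf, size_t len) {
    struct ikev2_notify n;
    return parse_ikev2_notify(buf, len, &n);
}
enum notify_parse_status status_bogus_protoid(void) { return status_of(sample_bogus_protoid, sizeof sample_bogus_protoid); }
enum notify_parse_status status_rekey_esp(void)     { return status_of(sample_rekey_esp, sizeof sample_rekey_esp); }
enum notify_parse_status status_rekey_bad(void)     { return status_of(sample_rekey_bad, sizeof sample_rekey_bad); }

int main(void) {
    struct ikev2_notify n;
    if (parse_ikev2_notify(sample_bogus_protoid, sizeof sample_bogus_protoid, &n) == NOTIFY_OK)
        printf("notify type %u accepted, protocol id normalised to %u, %zu data octets\n",
               n.msg_type, n.protocol_id, n.data_len);
    printf("rekey/esp: %d, rekey/bad protocol id: %d\n", status_rekey_esp(), status_rekey_bad());
    return 0;
}
```

The length checks run before the Protocol ID rule so that a short or oversized payload is still refused; the leniency is limited to the one field the RFC says to ignore, which is the distinction between a robust parser and one that accepts anything.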

A DNS resolving bug was fixed that could cause connections to fail to
resolve properly when the connection used left=%defaultroute and a right=
with a DNS name that published both A and AAAA records.

If upgrading from libreswan 3.32 or earlier to libreswan 4.1, please
read the libreswan 4.0 announcement:


This latest version of libreswan can be downloaded from:


The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug


Binary packages for RHEL/CentOS can be found at:

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v4.1 (October 18, 2020)
* IKEv2: Fix Notify protocol ID interop with Cisco introduced in 4.0 [Antony]
* addconn: Fix resolving with %defaultroute plus peer with A + AAAA [Antony]
* building: minor cleanups [Andrew/Tuomo]

v4.0 (October 14, 2020)
* KLIPS: Support for KLIPS completely removed [Paul]
* pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul]
* IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew]
          New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no,
          Requires: Linux kernel >= 5.8
* IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul]
* IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC]
          New keyword: intermediate=yes
* FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul]
* pluto: Support for rereading configured certificates from NSS [Myungjin Lee]
* pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew]
* pluto: find_pluto_xfrmi_interface() would only check first interface [Paul]
* pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah]
* pluto: Fix leased IP address leak [Andrew/Paul]
* pluto: Fix displaying PLUTO_BYTES_ counters [Paul]
* pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto]
* pluto: Update selinux calls for Labeled IPsec support [Richard Haines]
* pluto: Memory leak fixes [Hugh]
* pluto: Remove unused per peer logging [Andrew]
* pluto: Cleanup logging code for minimal logging support [Andrew]
* pluto: Cleanup netlink / XFRM code [Hugh]
* pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang]
* pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul]
* pluto: Fix logging some IKE messages to proper IKE SA state [Andrew]
* pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul]
* pluto: Connections now have serial numbers which are logged [Paul/Andrew]
* pluto: No longer require :RSA sections in ipsec.secrets [Andrew]
* pluto: pluto chooses wrong raw RSA key (github#352) [Andrew]
* seccomp: Update syscall allowlist for pluto and addconn [Paul]
* whack: Support for ipsec whack --rereadcerts [Paul]
* whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul]
* whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul]
* show: Fixup for python3 version of ipaddress module [Paul]
* IKEv2: Fix Windows 10 rekey being rejected [Antony/Paul]
* IKEv2: Remove duplicates from proposals using "+" [Andrew]
* IKEv2: CERTREQ payload was not sent for authby=ecdsa [Paul]
* IKEv2: Decode notify payloads into the message digest [Andrew]
* IKEv2: Don't use NAT-T port when no NAT DETECTION payloads received [Andrew]
* IKEv2: Add load-balance support (multiple targets) to redirect [Vukasin]
* IKEv2: Only send REDIRECTs to established IKE SA's (not IPsec SAs) [Paul]
* IKEv2: Fix AUTH failure if ID payload reserved fields != 0 [Paul/Andrew/Hugh]
* IKEv2: A delete(IKE SA) request should not trigger a delete request [Andrew]
* IKEv2: Ignore, not abort when receiving unknown type transforms [Andrew]
* IKEv2: Don't switch NAT port on receiving non-NAT notify payloads [Andrew]
* IKEv1: Prevent crashing in Quick Mode on unused NAT payload [Daniel Wendler]
* libipsecconf: Fix config handling of policy-label [bauen1]
* libipsecconf: Promote ah= / esp= as desired keywords over phase2alg= [Paul]
* libipsecconf: Remove most obsoleted option names with underscore(_) [Paul]
* rsasigkey/newhostkey: Remove obsoleted --output option [Paul]
* building: Add NetBSD support [Andrew]
* building: Remove support for SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, [Paul]
* building: Merge userland.mk into config.mk to simplify makefiles [Tuomo]
* building: Deprecate INC_ variables [Tuomo]
* building: Remove all support for SERPENT, TWOFISH, CAST and RIPEMD [Paul]
* building: Remove -DALLOW_MICROSOFT_BAD_PROPOSAL [Tuomo]
* building: The define USE_NSS_PRF was renamed to USE_NSS_KDF [Tuomo]
* building: Rename master branch to main branch [Paul]
* building: Fix finding ipsec command in non-standard bin dirs [Tuomo]
* building: Introduce USE_OLD_SELINUX to support libselinux < 2.1.9 [Paul]
* building: NETKEY options changed to XFRM options [Paul]
* building: NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo]
             ipsec checknss called in initsystem will migrate files
             Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location
* packaging: Debian: remove runtime dependency on systemd [Stephen Kitt]
* packaging: Fedora: add missing build dependency for certutil [Stephen Kitt]
* packaging: Debian switched to using /usr/libexec/ [dkg]
* testing: Support Fedora32, Ubuntu, improved namespaces support [Paul/Others]
* testing: Work around kernel ICMP Acquire bug [Paul]
* testing: Added interop testing with OpenBSD iked [Ravi Teja]
* documentation: friendlier ipsec cmd output [Paul]
