[Swan-announce] libreswan-4.5 released

The Libreswan Team team at libreswan.org
Mon Aug 23 20:26:51 UTC 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


The Libreswan Project has released libreswan 4.5

This is a bugfix release. Labeled IPsec for IKEv2 now uses one set of
SPD policies for all sets of SPD states. Libreswan now supports RFC 6023
(Childless SA), which is required for auto=start with Labeled IPsec when
the kernel ACQUIRE is not yet present, and also to continue the negotiation
when the first configured subnet is mismatched or is childless. The IKE SA
is no longer destroyed when a Child SA is mismatched, ensuring that
all but the misconfigured subnets in a left/rightsubnets= line will come
up. Initial Contact has been enabled by default, so replacing an
IKE/IPsec SA completes more quickly and no longer waits 60s for
retransmit timeouts to take out the old Child SA. Previously, during
those 60s, all traffic was dropped because it was using the old state's
encryption key.


This latest version of libreswan can be downloaded from:

https://download.libreswan.org/libreswan-4.5.tar.gz
https://download.libreswan.org/libreswan-4.5.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our GitHub
bug tracker:

https://lists.libreswan.org/
https://github.com/libreswan/libreswan/issues

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v4.5 (August 20, 2021)
* IKEv1: multiple subnets could lead to crossed wires, failures [Paul/Andrew]
* IKEv2: don't tear down IKE SA on TS_UNACCEPTABLE [Paul]
* IKEv2: unpend/delete Child SA when rejected by IKE_AUTH response [Andrew]
* IKEv2: mobike: resolve_defaultroute_one() updates [Andrew]
* IKEv2: mobike: prevent sending duplicate mobike response [Andrew]
* IKEv2: Support for Childless IKE SA [Andrew]
* IKEv2: redirect: make peer redirecting in IKE_AUTH childless [Vukasin]
* IKEv2: Labeled IPsec --up causes Childless IKE SA [Andrew/Paul]
* IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) [Andrew/Paul/Kavinda]
* IKEv2: Performance; eliminate more O(#CONNECTIONS) code [Andrew]
* IKEv2: Immediately delete replaced Child from new (IC) IKE SA [Andrew/Paul]
* pluto: mismatched subnets= could take down all conns [Paul]
* pluto: Don't delete existing IKE SA of connection instance [Paul]
* pluto: fail better on parse errors in subnet= clause [Paul]
* libswan: use getaddrinfo(3) instead of gethostbyname2(3) [Hugh]
* libipsecconf: fail to load conn if no right= or left= set [Paul]
* libipsecconf: change default of initial-contact= to yes [Paul]
* X509: directly append new CRL requests to the fetch queue [Andrew]
* whack: implement --impair trigger:<global-event> [Andrew]
* ipsec.service: remove reload which did not work as expected [Tuomo]
* portexcludes: update to use python3 [Kim]
* building: fix NetBSD build [Andrew]
* building: fix arm / aarch64 build [kekePower at github]
* building: Remove support for RHEL6 USE_OLD_SELINUX [Paul]
* packaging: handle properly rpm sysctl config [Tuomo]
* packaging: rhel7: fix python2 shebang [Tuomo]
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
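
The announcement above ships a detached signature (libreswan-4.5.tar.gz.asc) next to the tarball. The script below is an added example, not code from the Libreswan project: it accepts the tarball only when gpg reports a valid signature from one pinned key and no failure status. `PINNED_FPR`, `status_ok` and `verify_release` are hypothetical names, and the fingerprint is a placeholder that must be replaced with one obtained out of band.

```shell
#!/bin/sh
# Added example: pin the signer when checking libreswan-4.5.tar.gz.asc.
# PINNED_FPR is a placeholder, not the project's real key fingerprint.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# status_ok FPR: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line ends with the pinned primary-key fingerprint AND no failure
# status appears. An exit code of 0 from gpg alone is not enough, because gpg
# accepts a signature from any key that happens to be in the keyring.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }    # ignore human-readable output
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_release TARBALL SIGNATURE: run gpg and apply the policy above.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# Runs only when called with two arguments, for example:
#   PINNED_FPR=<fingerprint> sh verify.sh libreswan-4.5.tar.gz libreswan-4.5.tar.gz.asc
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature OK: signed by pinned key"
    else
        echo "REJECTED: signature missing, invalid, or not from pinned key" >&2
        exit 1
    fi
fi
```

Signatures from expired or revoked keys are rejected here even though gpg may still print a fingerprint for them.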

