[Swan-dev] [Swan-announce] Libreswan 3.5 released

The Libreswan Project team at libreswan.org
Sat Jul 13 23:05:21 EEST 2013

The Libreswan Project has released libreswan-3.5. This is a bugfix release.

This release contains a lot of small bugfixes. The output of "ipsec auto --status"
changed again to include more information. KLIPS support for Linux 3.9
was added, and KLIPS NATT for kernels 3.5+ was fixed. The nhelpers=
option that was accidentally defaulted to 0 sometime before the first
libreswan release was set back to -1. A crasher with labeled IPsec was
fixed, and a crasher in CRL fetching when the CRL distribution point
was not available has been fixed. For a full changelog, see below.

You can download libreswan via https at:


or via ftp at:


The full changelog is available at:

Please report bugs either via one of the mailing lists or at our bug


Binary packages for Fedora, RHEL and Ubuntu can be found at

See also https://libreswan.org/

v3.5 (July 13, 2013)
* NETKEY: _stackmanager: Clear disable_xfm/disable_policy /proc files
           for labeled IPsec [Paul]
* KLIPS: Added support for kernel 3.9.x [Paul/David]
* KLIPS: NATT support for kernel 3.5+ needs udp_encap_enable() [David]
* KLIPS: pointer can look valid during free process [Unknown/David]
* KLIPS: change default for hidetos (quality of service) to yes [Paul]
* KLIPS: preliminary SHA2 family support via OCF/CryptoAPI [David]
* MAST: _stackmanager: bring mast0 up even if module was loaded [neoXite]
* MAST: Add support for IPv6 iptables mangle table in updown.mast [Paul]
* _stackmanager: Move iptables mangle rules to MAST only section [Paul]
* _stackmanager: re-add support for hidetos=, overridemtu= and fragicmp= [Paul]
* _stackmanager: Clear disable_xfm/disable_policy for labeled IPsec [Paul]
* pluto: Fix reading ipsec.secrets without trailing newline [Hugh]
* pluto: 'ipsec status' output changes, added 'config setup' items [Paul]
* pluto: Added config setup, compile paths, runtime info to ipsec status [Paul]
* pluto: removed IKE_ALG and KERNEL_ALG defines [Paul]
* pluto: Simplify Pluto_IsFIPS(), remove redundant log message [Paul]
* pluto: Added Pluto_IsSElinux() to log SElinux runtime status [Paul]
* pluto: Removed unused alg_info parameters permitmann and permitike [Paul]
* pluto: Fix STATE_XAUTH_R0/STATE_XAUTH_R1 state names [Paul]
* pluto: out_modify_previous_np() should allow ISAKMP_NEXT_SIG for RSA [Paul]
* building: cleanup old vars, and allow more env overrides [Paul]
* packaging: Fix systemd script Alias target (rhbz#982166) [Paul]
* newhostkey: help the user when nssdb is not initialized yet [Paul]
* newhostkey: simplify default nss dir handling [Paul]
* lswan_detect: cleanup coding style and fix help for unknown options [Tuomo]
* lswan_detect: add gentoo detection [Tuomo]
* setup: add rhsysv, openrc, and real sysv init support [Tuomo]
* barf: do not cause any iptables modules to get loaded (rhbz#954249) [Paul]
* look: Don't cause loading of iptables kernel modules (rhbz#954249) [Paul]
* FIPS: Remove hardcoded /usr/libexec/ipsec path, use IPSEC_EXECDIR [Paul]
* FIPS: Add warning in ipsec verify for prelink command [Paul]
* testing: Add option for "post" scripts during a test run [Matt Rogers]
* testing: dist_cert support for commands in different path locations [Matt]
* testing: Generate CRL with leading zero byte for testing [Paul]
* Bugtracker bugs fixed:
    #82: Phase out DBG_KLIPS/DBG_NETKEY for DBG_KERNEL [Paul]
    #96: lswan_detect: Alpine linux compatibility [Tuomo]
    #99: NETKEY: Segfault on acquire_netlink with labeled_ipsec [Kim/Tuomo]
   #101: restore port when ipsec policy is generated for nat-t [Kim/Tuomo]
   #124: pluto: Add usage comment for addresspool.* [Paul]
   #126: pluto: nhelpers= does not default to -1 [Paul]
   #128: pluto: prevent libcurl sigalarm from crashing pluto (lsbz#128) [Paul]