[Swan-dev] Fwd: [Swan-announce] libreswan 3.16 released - maintenance release with experimental Opportunistic Encryption support

Amir Naftali amir at fortycloud.com
Tue Apr 19 13:12:08 UTC 2016

Hi all,

based on

* pluto: Add keyword replay-window= (default 32, 0 means disable) [Paul]

Does 3.16 already support setting the ipsec replay-window configuration?

Or is it only in 3.17?

Kind Regards


Amir Naftali | CTO and Co-Founder | +972 54 497 2622


---------- Forwarded message ----------
From: The Libreswan Project <team at libreswan.org>
Date: Fri, Dec 18, 2015 at 10:28 PM
Subject: [Swan-dev] [Swan-announce] libreswan 3.16 released - maintenance
release with experimental Opportunistic Encryption support
To: swan-announce at lists.libreswan.org


The Libreswan Project has released libreswan-3.16

This is a maintenance release that also includes experimental support
for Opportunistic Encryption using AUTH-NULL.

A bug was fixed that caused keyingtries=0 to be misinterpreted, which
could cause failing tunnels to not be retried indefinitely. Some IKEv1
PAM modules for pluto would always return a failure. Stricter checks on
IKE padding in 3.14 were relaxed a little to ensure interop with broken
racoon implementations. An XAUTH based connection that was brought up,
down and up quickly could cause a crash.

A new experimental initial release of Opportunistic IPsec has been
included. For more information about Opportunistic IPsec see:

You can download libreswan via https at:


The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailinglists or at our bug tracker:


Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at

Binary packages for Fedora can be found in the respective fedora

See also https://libreswan.org/

v3.16 (December 18, 2015)
* auto: add new option --start which is like auto=start [Tuomo]
* libipsecconf: allow time with no unit suffix (openswan compat) [Hugh]
* libipsecconf: cleanup parser.y to work on old/new GCC and 32/64bit [Hugh]
* libipsecconf: re-introduce strictcrlpolicy= as alias for crl-strict=
* libipsecconf: Allow time specification for dpdtimeout= / dpddelay= [Paul]
* libipsecconf: aliases curl_timeout / curl_iface for openswan migration
* libswan: Fix memory leak in match_rdn() [Valeriu Goldberger]
* PAM: Fix some IKEv1 XAUTH methods always returning "denied" [Antony]
* PAM: stacked pam modules (eg pam_ssss) need CAP_DAC_READ_SEARCH [Matt]
* newhostkey: fix seedev device [Paul]
* pluto: terminate_connection() when we become unoriented (rhbz#609343)
* pluto: find_client_connection() must ignore unoriented c (rhbz#1166146)
* pluto: Fix trafficstatus byte counter output [Antony]
* pluto: accept racoon's over-sized padding (got rejected in 3.14) [Andrew]
* pluto: obsolete plutofork= and ignore the keyword on startup [Paul]
* pluto: send_crl_to_import: use waitpid(2) to wait for correct child [Hugh]
* pluto: cleanup struct spd_route and related tidying [Hugh]
* pluto: fix eclipsed to iterate over connection's spd_routes [Hugh]
* pluto: accept delete payload with wrong side's SPI (CISCO bug) [Paul+Hugh]
* pluto: initialise phase2 our_lastused/peer_lastused on creation
* pluto: OE: add shunts.total count to ipsec whack --globalstatus
* pluto: Add keyword replay-window= (default 32, 0 means disable) [Paul]
* pluto: Add fake-strongswan=yes|no (default no) to send strongswan VID
* pluto: Add support for XFRM marking via mark=val/mask [Amir Naftali]
* pluto: Use selinux dynamic class/perm discovery, not old API [Lubomir
* pluto: Fix for uniqueids killing second tunnel between hosts [Tuomo]
* pluto: Don't refuse to load passthrough conn with ike= / esp= settings
* pluto: Free the event struct initialized in main loop and tidy [Antony]
* pluto: Add event for child handling of addconn [Wolfgang/Antony]
* pluto: release_fragments() cannot try both IKEv1 and IKEv2 fragments
* X509: load_end_nss_certificate() cleanup [Matt]
* X509: Add on-demand loading of NSS certificate private keys [Matt]
* X509: Fix possible NSS cert leaks in trusted_ca_nss() [Matt]
* IKEv2: delete_state() should only handle shunt of real parent SA [Paul]
* IKEv2: retransmit_v2_msg() should delete parent and child SA on failure
* IKEv2: mixup in parent/child SA caused keyingtries to be lost [Paul]
* IKEv2: Remove two bogus state machine entries for INFORMATIONAL [Paul]
* IKEv2: Remove duplicate SEND_V2_NOTIFICATION() [Paul]
* IKEv2: Only let passthrough conn win if it has longer prefix [Paul]
* OE: Deleting opportunistic Parent with no Child SA [Paul]
* OE: Send authentication failed for OE child fail [Paul]
* OE: Don't reject IPv6 family for OE foodgroups [Antony]
* OE: Move orphan_holdpass() call into delete_state() [Paul]
* OE: Call orphan_holdpass() for opportunistic conns for EVENT_SA_EXPIRE
* OE: Do not answer IKE request if we matched authby=never conn [Paul]
* OE: Fix memory leaks in nullgw and bs->why [Antony]
* OE: At IKE rekey time, delete the IKE/IPsec SA when idle [Antony]
* FIPS: fips.h should only require compiled libexec/ components [Paul]
* XAUTH: Fix for connection going up->down->up causing passert [Hugh]
* XAUTH: Do not interpret padding as incomplete attribute [Lubomir Rintel]
* XAUTH: Improve failure logging [Paul]
* XFRM: Workaround bug in Linux kernel NLMSG_OK's definition [Hugh]
* KLIPS: kernels 4.1.x+ always use the same interface to uids [Roel van
* KLIPS: Various changes to support 4.1.x kernels [Wolfgang]
* ipsec: custom directory not recognized, github issue #44 [Tuomo]
* updown.*: Fix NetworkManager callback [Lubomir Rintel]
* addconn: tidy [Hugh]
* building: obsolete USE_ADNS and disable building adns helpers [Paul]
* building: Do not link all binaries with nss,nspr and gmp [Paul]
* building install "ipsec_initnss.8" and "ipsec_import.8" man pages [Andrew]
* packaging: debian/ directory update [Paul/Daniel]
* testing: Various testing updates and improvements [Antony/Paul/Andrew]
* documentation: added CODE_OF_CONDUCT.d [Paul]
* Bugtracker bugs fixed:
   #216 No longer require :RSA entries for X.509 certs in ipsec.secrets
   #233 pluto sends delete SAs in wrong order and reconnection issues
   #247 KLIPS: fix pluto can't add ipv6 addresses to ipsec devices
   #248 keyingtries=%forever doesn't work anymore [Wolfgang]
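The replay-window= keyword the question refers to is listed in the v3.16 changelog above. As an added illustration, not part of the thread and not taken from the libreswan documentation, here is an ipsec.conf conn fragment showing the keyword with its default beside the disabled setting. The addresses, subnets, conn name and the placement of replay-window= inside the conn section are assumptions made for the example.

```ini
# ipsec.conf fragment (added example; hosts and subnets are made up)

# Normal case: keep the ESP anti-replay window at the libreswan default.
# Each inbound ESP packet's sequence number is checked against a sliding
# window of 32; packets that are replayed or fall too far behind are dropped.
conn site-a-to-site-b
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    ikev2=insist
    auto=start
    replay-window=32

# Weak variant: replay-window=0 switches the anti-replay check off for this
# SA, so a captured ESP packet can be re-injected and will be accepted.
# Only consider this when the path reorders packets beyond what the window
# tolerates, and prefer a larger window value over 0 where the kernel
# accepts it (assumption: the kernel XFRM stack supports larger windows).
conn site-a-to-site-b-no-replay-check
    also=site-a-to-site-b
    replay-window=0
```

A quick way to confirm the running pluto accepts the keyword is to add the conn to ipsec.conf and reload; a version predating the changelog entry will reject the unknown keyword at parse time rather than silently ignore it.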
