[Swan-dev] [Swan-announce] libreswan-4.2 released

The Libreswan Team team at libreswan.org
Wed Feb 3 03:08:30 UTC 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Libreswan Project has released libreswan 4.2

This is a minor feature and bugfix release.

This release introduces IKEv2 Labeled IPsec support as defined
in draft-ietf-ipsecme-labeled-ipsec. A new auto=keep allows for a
responder/server to wait for a dynamic peer to connect, and then
treat it as auto=start to keep the connection up. The new global
option ikev1-policy= enables libreswan to drop all IKEv1 packets. To
reduce traffic interruption during a libreswan restart, the whack
shutdown option now takes the option --leave-state which can be
specified to leave the kernel state intact as long as possible.

The main bugfixes are re-introducing the "BAD MICROSOFT" proposal
required for L2TP/IPsec with old Windows machines, a bugfix for when
IKEv1/XAUTH needs to retransmit packets, some NAT and MOBIKE
ephemeral port fixes and a re-introduction of two old aliased option
names that are still in use by NetworkManager-libreswan for IKEv1.

This latest version of libreswan can be downloaded from:

https://download.libreswan.org/libreswan-4.2.tar.gz
https://download.libreswan.org/libreswan-4.2.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug
tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v4.2 (February 2, 2021)
* IKEv2: Support for IKEv2 Labeled IPsec [Hugh, Sahana, Paul, Kavinda Wewegama]
* IKEv2: MOBIKE could cause assertion failure due to eroute ownership [Paul]
* IKEv2: MOBIKE and NAT port update code interfered with each other [Andrew]
* IKEv1: Re-enable questionable Microsoft proposals to fix L2TP/IPsec [Paul]
* IKEv1: Do not load IKEv1 conns when IKEv1 support not compiled in [Paul]
* IKEv1: Fix XAUTH: re-transmit when sending CFG request [Andrew]
* pluto: New config setup option ikev1-policy=<accept|drop|reject> [Paul]
* pluto: Change default ikelifetime from 1h to 8h [Paul]
* pluto: Add ignore-peer-dns=yes|no and whack --ignore-peer-dns [Paul]
* pluto: Startup could take long time closing fd's (github#373) [Andrew]
* pluto: IKEv2 connection could accidentally retry as IKEv1 [Andrew]
* pluto: change default IKE SA lifetime from 1h to 8h [Paul]
          Resolves: github#362, github#405, hwdsl2/setup-ipsec-vpn#912
* pluto: Revived conns can try to quickly re-use existing NAT mapping.
          Can be used with new auto=keep [Paul, Andrew]
* pluto: Don't complain about DNS names starting with number [Paul]
* pluto: Re-implement Labeled IPsec for IKEv1 [Paul, Sahana]
* pluto: Support for --shutdown --leave-state [Paul]
* whack: add very raw --processstatus [Andrew]
* whack: no longer require --ipv6 when specifying raw IPv6 host addresses
* libswan: Re-introduce xauthusername/remote_peer_type for NM-libreswan [Paul]
* initsystem: fix docker/podman startup with sysvinit [Paul]
* initsystem: ensure non-testing namespaces work with systemd [Paul]
* initsystem: systemd support for ipsec whack --shutdown --leave-state [Paul]
* pluto: prefer IPv4 over IPv6 when performing DNS lookups [Andrew]
* building: Support for compiling without IKEv1 via USE_IKEv1=false [Paul]
* building: Various clang compiler related fixes [Timm Baeder]
* building: fix NetBSD arm64 build [Andrew]
* testing: many updates [Andrew, Paul]

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----