[Swan] [Swan-announce] libreswan 3.16 released - maintanance release with experimental Opportunistic Encryption support

The Libreswan Project team at libreswan.org
Fri Dec 18 20:28:10 UTC 2015

Hash: SHA512

The Libreswan Project has released libreswan-3.16

This is a maintanance release that also includes experimental support
for Opportunistic Encryption using AUTH-NULL

A bug was fixed that caused keyingtries=0 to be misinterpreted, which
could cause failing tunnels to not be retried indefinately. Some IKEv1
PAM modules for pluto would always return a failure. Stricter checks on
IKE padding in 3.14 were relaxed a little to ensure interop with broken
racoon implementations. An XAUTH based connection that was brought up,
down and up quickly could cause a crash.

A new experimental initial release of Opportunistic IPsec has been
included. For more information about Opportunistic IPsec see:

You can download libreswan via https at:


The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailinglists or at our bug tracker:


Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at

Binary packages for Fedora can be found in the respective fedora

See also https://libreswan.org/

v3.16 (December 18, 2015)
* auto: add new option --start which is like auto=start [Tuomo]
* libipsecconf: allow time with no unit suffix (openswan compat) [Hugh]
* libipsecconf: cleanup parser.y to work on old/new GCC and 32/64bit [Hugh]
* libipsecconf: re-introduce strictcrlpolicy= as alias for crl-strict= [Paul]
* libipsecconf: Allow time specification for dpdtimeout= / dpddelay= [Paul]
* libipsecconf: aliases curl_timeout / curl_iface for openswan migration [Paul]
* libswan: Fix memory leak in match_rdn() [Valeriu Goldberger]
* PAM: Fix some IKEv1 XAUTH methods always returning "denied" [Antony]
* PAM: stacked pam modules (eg pam_ssss) need CAP_DAC_READ_SEARCH [Matt]
* newhostkey: fix seedev device [Paul]
* pluto: terminate_connection() when we become unoriented (rhbz#609343) [Paul]
* pluto: find_client_connection() must ignore unoriented c (rhbz#1166146) [Paul]
* pluto: Fix trafficstatus byte counter output [Antony]
* pluto: accept racoon's over-sized padding (got rejected in 3.14) [Andrew]
* pluto: obsolete plutofork= and ignore the keyword on startup [Paul]
* pluto: send_crl_to_import: use waitpid(2) to wait for correct child [Hugh]
* pluto: cleanup struct spd_route and related tidying [Hugh]
* pluto: fix eclipsed to iterate over connection's spd_routes [Hugh]
* pluto: accept delete payload with wrong side's SPI (CISCO bug) [Paul+Hugh]
* pluto: initialise phase2 our_lastused/peer_lastused on creation [Paul+Hugh]
* pluto: pluto: OE: add shunts.total count to ipsec whack --globalstatus [Paul]
* pluto: Add keyword  replay-window= (default 32, 0 means disable) [Paul]
* pluto: Add fake-strongswan=yes|no (default no) to send strongswan VID [Paul]
* pluto: Add support for XFRM marking cia mark=val/mask [Amir Naftali]
* pluto: Use selinux dynamic class/perm discovery, not old API [Lubomir Rintel]
* pluto: Fix for uniqueids killing second tunnel between hosts [Tuomo]
* pluto: Don't refuse to load passthrough conn with ike= / esp= settings [Paul]
* pluto: Free the event struct initialzed in main loop and tidy [Antony]
* pluto: Add event for child handling of addconn [Wolfgang/Antony]
* pluto: release_fragments() cannot try both IKEv1 and IKEv2 fragments [Paul]
* X509: load_end_nss_certificate() cleanup [Matt]
* X509: Add on-demand loading of NSS certificate private keys [Matt]
* X509: Fix possible NSS cert leaks in trusted_ca_nss() [Matt]
* IKEv2: delete_state() should only handle shunt of real parent SA [Paul]
* IKEv2: retransmit_v2_msg() should delete parent and child SA on failure [Paul]
* IKEv2: mixup in parent/child SA caused keyingtries to be lost [Paul]
* IKEv2: Remove two bogus state machine entries for INFORMATIONAL [Paul]
* IKEv2: Remove duplicate SEND_V2_NOTIFICATION() [Paul]
* IKEv2: Only let passthrough conn win if it has longer prefix [Paul]
* OE: Deleting opportunistic Parent with no Child SA [Paul]
* OE: Send authentication failed for OE child fail [Paul]
* OE: Don't reject IPv6 family for OE foodgroups [Antony]
* OE: Move orphan_holdpass() call into delete_state() [Paul]
* OE: Call orphan_holdpass() for opportunistic conns for EVENT_SA_EXPIRE [Paul]
* OE: Do not answer IKE request if we matched authby=never conn [Paul]
* OE: Fix memory leaks in nullgw and bs->why [Antony]
* OE: At IKE rekey time, delete the IKE/IPsec SA when idle [Antony]
* FIPS: fips.h should only require compiled libexec/ components [Paul]
* XAUTH: Fix for connection going up->down->up causing passert [Hugh]
* XAUTH: Do not interpret padding as incomplete attribute [Lubomir Rintel]
* XAUTH: Improve failure logging [Paul]
* XFRM: Workaround bug in Linux kernel NLMSG_OK's definition [Hugh]
* KLIPS: kernels 4.1.x+ always use the same interface to uids [Roel van Meer]
* KLIPS: Various changes to support 4.1.x kernels [Wolfgang]
* ipsec: custom directory not recognized, github issue #44 [Tuomo]
* updown.*: Fix NetworkManager callback [Lubomir Rintel]
* addconn: tidy [Hugh]
* building: obsolete USE_ADNS and disable building adns helpers [Paul]
* building: Do not link all binaries with nss,nspr and gmp [Paul]
* building install "ipsec_initnss.8" and "ipsec_import.8" man pages [Andrew]
* packaging: debian/ directory update [Paul/Daniel]
* testing: Various testing updates and improvements [Antony/Paul/Andrew]
* documentation: added CODE_OF_CONDUCT.d [Paul]
* Bugtracker bugs fixed:
    #216 No longer require :RSA entries for X.509 certs in ipsec.secrets [Matt]
    #233 pluto sends delete SAs in wrong order and reconnection issues [Wolfgang]
    #247 KLIPS: fix pluto can't add ipv6 addresses to ipsec devices [Wolfgang]
    #248 keyingtries=%forever doesn't work anymore [Wolfgang]
Version: GnuPG v1

Swan-announce mailing list
Swan-announce at lists.libreswan.org

More information about the Swan mailing list