author    Yves-Alexis Perez <corsac@debian.org>  2013-09-30 20:48:59 +0200
committer Yves-Alexis Perez <corsac@debian.org>  2013-09-30 20:48:59 +0200
commit    b9871f51d7c896674cfa7966b2870b5a319f9879 (patch)
tree      0e4a9e2c2782dd35d601896d1ad992e62e85fade
parent    e6b332fcdc85d9fc3517f346074da2191a81e805 (diff)
download  vyos-strongswan-b9871f51d7c896674cfa7966b2870b5a319f9879.tar.gz
          vyos-strongswan-b9871f51d7c896674cfa7966b2870b5a319f9879.zip
warn users about charon replacing pluto as IKEv1 daemon and provide some
migration pointers.
-rw-r--r--  debian/NEWS       46
-rw-r--r--  debian/changelog   3
2 files changed, 49 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index dfdd1a4a7..c3bda6737 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,17 @@
+strongswan (5.1.0-1) UNRELEASED; urgency=low
+
+ Starting with strongSwan 5, the IKEv1 daemon (pluto) is gone, and the charon
+ daemon is now able to handle both IKEv1 and IKEv2 protocols.
+
+ There should be no issue for previous charon users, but for pluto users that
+ means they need to re-configure strongSwan in order to use charon. Some
+ migration help can be found on the strongSwan website at
+ http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1 and in
+ some IKEv1 configuration examples at
+ http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples.
+
+ -- Yves-Alexis Perez <corsac@debian.org> Mon, 30 Sep 2013 20:43:03 +0200
+
strongswan (4.5.0-1) unstable; urgency=low
Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the
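Review bot: the new 5.1.0-1 entry tells pluto users they "need to re-configure strongSwan in order to use charon" but does not say what actually changes, which is the one thing a sysadmin reading NEWS on upgrade wants. The existing 4.5.0-1 entry directly below already documents `keyexchange=ikev1`; consider stating here that the same option selects IKEv1 under charon (in the "conn" or "default" section) so readers do not have to follow the two wiki links to learn that their IKEv1 connections still need that setting, and that the distribution field should be changed from UNRELEASED to unstable together with the changelog at release time.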
@@ -34,3 +48,35 @@ strongswan (4.5.0-1) unstable; urgency=low
Local variables:
mode: debian-changelog
End:
+strongswan (5.1.0-1) unstable; urgency=low
+
+ Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the
+ default. This can easily be changed using the keyexchange=ikev1 config
+ option (either in the respective "conn" section or by putting it in the
+ "default" section and therefore applying it to all existing connections).
+
+ The IKEv2 protocol has less overhead, more features (e.g. NAT-Traversal by
+ default, MOBIKE, Mobile IPv6), and provides better error messages in case
+ the connection can not be established. It is therefore highly recommended
+ to use it when the other side also supports it.
+
+ Addtionally, strongswan 4.5.0-1 now enables support for NAT Traversal in
+ combination with IPsec transport mode (the support for this has existed
+ for a long time, but was disabled due to security concerns). This is
+ required e.g. to let mobile phone clients (notably Android, iPhone)
+ connect to an L2TP/IPsec gateway using strongswan. The security
+ implications as described in the original README.NAT-Traversal file from
+ the openswan distribution are:
+
+ * Transport Mode can't be used without NAT in the IPSec layer. Otherwise,
+ all packets for the NAT device (including all hosts behind it) would be
+ sent to the NAT-T Client. This would create a sort of blackhole between
+ the peer which is not behind NAT and the NAT device.
+
+ * In Tunnel Mode with roadwarriors, we CAN'T accept any IP address,
+ otherwise, an evil roadwarrior could redirect all trafic for one host
+ (including a host on the private network) to himself. That's why, you have
+ to specify the private IP in the configuration file, use virtual IP
+ management, or DHCP-over-IPSec.
+
+ -- Yves-Alexis Perez <corsac@debian.org> Mon, 30 Sep 2013 20:43:03 +0200
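Review bot: this hunk appends a second "strongswan (5.1.0-1) unstable" entry whose body is a verbatim copy of the 4.5.0-1 text ("Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the default..." through the two NAT-Traversal bullets), placed after the emacs "Local variables:" / "End:" block. It looks like an accidental paste: it duplicates content already in the file, it creates a second entry for the same version with a different distribution (unstable here, UNRELEASED in the first hunk), and it moves the local-variables block away from the end of the file where editors expect it. The whole added block (from `+strongswan (5.1.0-1) unstable; urgency=low` to the trailing `+ -- Yves-Alexis Perez ...` line) should be dropped; the real 5.1.0-1 entry is the one added at the top of the file in the first hunk. If any of this text were meant to be kept, the typos "Addtionally" and "trafic" would also need fixing.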
diff --git a/debian/changelog b/debian/changelog
index 0ef6da71f..ded1d87f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,9 @@ strongswan (5.1.0-1) UNRELEASED; urgency=low
* debian/source/options: ignore files regenerated by autoreconf addon.
* debian/strongswan-ike.install:
- install charon-cmd command and manpage.
+ * debian/NEWS:
+ - warn users about charon replacing pluto as IKEv1 daemon and provide some
+ migration pointers.
-- Yves-Alexis Perez <corsac@debian.org> Sun, 25 Aug 2013 15:37:56 +0200