author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-07-04 23:47:20 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-07-04 23:47:20 +0000 |
commit | 7b0305f59ddab9ea026b202a8c569912e5bf9a90 (patch) | |
tree | 131d39a22cf97e9e8c6da58ddefabc8138a731c2 /NEWS | |
parent | 08ee5250bd9c43fda5f24d10b791ca2c4c17fcee (diff) | |
download | vyos-strongswan-7b0305f59ddab9ea026b202a8c569912e5bf9a90.tar.gz vyos-strongswan-7b0305f59ddab9ea026b202a8c569912e5bf9a90.zip |
[svn-upgrade] Integrating new upstream version, strongswan (4.1.4)
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 52 |
1 files changed, 52 insertions, 0 deletions
@@ -1,3 +1,55 @@ +strongswan-4.1.4 +---------------- + +- The pluto IKEv1 daemon now exhibits the same behaviour as its + IKEv2 companion charon by inserting an explicit route via the + _updown script only if a sourceip exists. This is admissible + since routing through the IPsec tunnel is handled automatically + by NETKEY's IPsec policies. As a consequence the left|rightnexthop + parameter is not required any more. + +- The new IKEv1 parameter right|leftallowany parameters helps to handle + the case where both peers possess dynamic IP addresses that are + usually resolved using DynDNS or a similar service. The configuration + + right=peer.foo.bar + rightallowany=yes + + can be used by the initiator to start up a connection to a peer + by resolving peer.foo.bar into the currently allocated IP address. + Thanks to the rightallowany flag the connection behaves later on + as + + right=%any + + so that the peer can rekey the connection as an initiator when his + IP address changes. An alternative notation is + + right=%peer.foo.bar + + which will implicitly set rightallowany=yes. + +- ipsec starter now fails more gracefully in the presence of parsing + errors. Flawed ca and conn section are discarded and pluto is started + if non-fatal errors only were encountered. If right=%peer.foo.bar + cannot be resolved by DNS then right=%any will be used so that passive + connections as a responder are still possible. + +- The new pkcs11initargs parameter that can be placed in the + setup config section of /etc/ipsec.conf allows the definition + of an argument string that is used with the PKCS#11 C_Initialize() + function. This non-standard feature is required by the NSS softoken + library. This patch was contributed by Robert Varga. + +- Fixed a bug in ipsec starter introduced by strongswan-2.8.5 + which caused a segmentation fault in the presence of unknown + or misspelt keywords in ipsec.conf. This bug fix was contributed + by Robert Varga. 
+ +- Partial support for MOBIKE in IKEv2. The initiator acts on interface/ + address configuration changes and updates IKE and IPsec SAs dynamically. + + strongswan-4.1.3 ---------------- |
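Review bot: The right|leftallowany entry opens with "The new IKEv1 parameter right|leftallowany parameters helps", which repeats "parameters" and mismatches subject and verb; suggest "The new IKEv1 left|rightallowany parameters help to handle ...", with the left|right order matching left|rightnexthop in the first entry. That entry and the ipsec starter entry after it both describe the connection ending up as right=%any, either after the initial lookup of peer.foo.bar or when right=%peer.foo.bar cannot be resolved by DNS. Neither says that the peer's address is then no longer restricted. One sentence stating that the peer is in that case accepted from any address and recognised only through its authentication would let a reader judge the fallback before relying on it. In the same starter entry, "Flawed ca and conn section are discarded" should read "sections".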