summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-07-04 23:47:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-07-04 23:47:20 +0000
commit7b0305f59ddab9ea026b202a8c569912e5bf9a90 (patch)
tree131d39a22cf97e9e8c6da58ddefabc8138a731c2 /NEWS
parent08ee5250bd9c43fda5f24d10b791ca2c4c17fcee (diff)
downloadvyos-strongswan-7b0305f59ddab9ea026b202a8c569912e5bf9a90.tar.gz
vyos-strongswan-7b0305f59ddab9ea026b202a8c569912e5bf9a90.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.1.4)
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS52
1 files changed, 52 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 9c64e6001..8ed4fbda4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,55 @@
+strongswan-4.1.4
+----------------
+
+- The pluto IKEv1 daemon now exhibits the same behaviour as its
+ IKEv2 companion charon by inserting an explicit route via the
+ _updown script only if a sourceip exists. This is admissible
+ since routing through the IPsec tunnel is handled automatically
+ by NETKEY's IPsec policies. As a consequence the left|rightnexthop
+ parameter is not required any more.
+
+- The new IKEv1 parameter right|leftallowany parameters helps to handle
+ the case where both peers possess dynamic IP addresses that are
+ usually resolved using DynDNS or a similar service. The configuration
+
+ right=peer.foo.bar
+ rightallowany=yes
+
+ can be used by the initiator to start up a connection to a peer
+ by resolving peer.foo.bar into the currently allocated IP address.
+ Thanks to the rightallowany flag the connection behaves later on
+ as
+
+ right=%any
+
+ so that the peer can rekey the connection as an initiator when his
+ IP address changes. An alternative notation is
+
+ right=%peer.foo.bar
+
+ which will implicitly set rightallowany=yes.
+
+- ipsec starter now fails more gracefully in the presence of parsing
+ errors. Flawed ca and conn section are discarded and pluto is started
+ if non-fatal errors only were encountered. If right=%peer.foo.bar
+ cannot be resolved by DNS then right=%any will be used so that passive
+ connections as a responder are still possible.
+
+- The new pkcs11initargs parameter that can be placed in the
+ setup config section of /etc/ipsec.conf allows the definition
+ of an argument string that is used with the PKCS#11 C_Initialize()
+ function. This non-standard feature is required by the NSS softoken
+ library. This patch was contributed by Robert Varga.
+
+- Fixed a bug in ipsec starter introduced by strongswan-2.8.5
+ which caused a segmentation fault in the presence of unknown
+ or misspelt keywords in ipsec.conf. This bug fix was contributed
+ by Robert Varga.
+
+- Partial support for MOBIKE in IKEv2. The initiator acts on interface/
+ address configuration changes and updates IKE and IPsec SAs dynamically.
+
+
strongswan-4.1.3
----------------