1 files changed, 36 insertions, 0 deletions

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000000000..dfdd1a4a7
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,36 @@
+strongswan (4.5.0-1) unstable; urgency=low
+
+  Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the
+  default. This can easily be changed using the keyexchange=ikev1 config
+  option (either in the respective "conn" section or by putting it in the
+  "default" section and therefore applying it to all existing connections).
+
+  The IKEv2 protocol has less overhead, more features (e.g. NAT-Traversal by
+  default, MOBIKE, Mobile IPv6), and provides better error messages in case
+  the connection can not be established. It is therefore highly recommended
+  to use it when the other side also supports it.
+  
+  Addtionally, strongswan 4.5.0-1 now enables support for NAT Traversal in
+  combination with IPsec transport mode (the support for this has existed 
+  for a long time, but was disabled due to security concerns). This is 
+  required e.g. to let mobile phone clients (notably Android, iPhone) 
+  connect to an L2TP/IPsec gateway using strongswan. The security 
+  implications as described in the original README.NAT-Traversal file from 
+  the openswan distribution are:
+  
+  * Transport Mode can't be used without NAT in the IPSec layer. Otherwise,
+    all packets for the NAT device (including all hosts behind it) would be
+    sent to the NAT-T Client. This would create a sort of blackhole between
+    the peer which is not behind NAT and the NAT device.
+
+  * In Tunnel Mode with roadwarriors, we CAN'T accept any IP address,
+    otherwise, an evil roadwarrior could redirect all trafic for one host
+    (including a host on the private network) to himself. That's why, you have
+    to specify the private IP in the configuration file, use virtual IP
+    management, or DHCP-over-IPSec.
+
+ -- Rene Mayrhofer <rmayr@debian.org>  Sun,  28 Nov 2010 13:16:00 +0200
+
+Local variables:
+mode: debian-changelog
+End: