From 72448f305c65fb08b0e8db0b56435a2486226f31 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Wed, 12 Mar 2014 10:31:40 +0100 Subject: Fix spurious entry in debian/NEWS. * debian/NEWS: - fix spurious entry. --- debian/NEWS | 32 -------------------------------- 1 file changed, 32 deletions(-) (limited to 'debian/NEWS') diff --git a/debian/NEWS b/debian/NEWS index af017f769..a1703e49b 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -65,35 +65,3 @@ strongswan (4.5.0-1) unstable; urgency=low Local variables: mode: debian-changelog End: -strongswan (5.1.0-1) unstable; urgency=low - - Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the - default. This can easily be changed using the keyexchange=ikev1 config - option (either in the respective "conn" section or by putting it in the - "default" section and therefore applying it to all existing connections). - - The IKEv2 protocol has less overhead, more features (e.g. NAT-Traversal by - default, MOBIKE, Mobile IPv6), and provides better error messages in case - the connection can not be established. It is therefore highly recommended - to use it when the other side also supports it. - - Addtionally, strongswan 4.5.0-1 now enables support for NAT Traversal in - combination with IPsec transport mode (the support for this has existed - for a long time, but was disabled due to security concerns). This is - required e.g. to let mobile phone clients (notably Android, iPhone) - connect to an L2TP/IPsec gateway using strongswan. The security - implications as described in the original README.NAT-Traversal file from - the openswan distribution are: - - * Transport Mode can't be used without NAT in the IPSec layer. Otherwise, - all packets for the NAT device (including all hosts behind it) would be - sent to the NAT-T Client. This would create a sort of blackhole between - the peer which is not behind NAT and the NAT device. - - * In Tunnel Mode with roadwarriors, we CAN'T accept any IP address, - otherwise, an evil roadwarrior could redirect all trafic for one host - (including a host on the private network) to himself. That's why, you have - to specify the private IP in the configuration file, use virtual IP - management, or DHCP-over-IPSec. - - -- Yves-Alexis Perez Mon, 30 Sep 2013 20:43:03 +0200 -- cgit v1.2.3