The strongSwan 5.0.2 release brings many new and extended features.
Support for the proprietary IKEv1 fragmentation extension (Cisco flavor - as implemented by Cisco, racoon and Shrew) has been added. This was implemented because Apple's VPN client (racoon) in iOS 6.0.x sends fragments even if the responder does not support it. Fragments are always handled on receipt but only sent if supported by the peer and if enabled with the new fragmentation ipsec.conf option.
IKEv1 in charon can now parse certificates received in PKCS#7 containers and supports NAT traversal as used by Windows XP clients. Patches courtesy of Volker Rümelin.
IKEv2 proposals can now use a PRF algorithm different to that defined for integrity protection. If an algorithm with a "prf" prefix is defined explicitly (such as prfsha1 or prfsha256) no implicit PRF algorithm based on the integrity algorithm is added to the proposal.
All IETF RFC Standard 5792 PA-TNC attributes have been implemented. A strongSwan OS IMC/IMV pair uses these attributes to transfer operating system information from a Linux client to a TNC server.
New Statistics Features
The new ipsec listcounters command prints a list of global counter values about received and sent IKE messages and rekeyings.
With the new lookip plugin fast lookups of tunnel information using a client's virtual IP can be performed. It can also send notifications about established or deleted tunnels. The ipsec lookip command can be used to query such information or to receive notifications.
The new error-notify plugin catches some common error conditions and allows an external application to receive notifications for them over a UNIX socket.
Usually, the pkcs11 plugin automatically loads the correct certificate from a smartcard, based on the identity configured with leftid. In case this automatic selection is insufficient, for instance, if multiple certificates use the same subject, a specific certificate can now be loaded with the leftcert keyword for each conn section in ipsec.conf. The same is supported for CA certificates in ca sections.
The load-tester plugin gained additional options for certificate generation and can load keys and multiple CA certificates from external files. Also, it can install a dedicated outer IP address for each tunnel, and tunnel initiation batches can be triggered and monitored externally using the ipsec load-tester tool.
The integration and regression test environment was updated and now uses KVM and reproducible guest images based on the latest Debian packages.
Download it from here - a more extensive changelog can be found on our wiki.