We are proud to announce the release of strongSwan 5.2.1, which comes with support for systemd, IKEv2 fragmentation, segmentation of large PA-TNC attributes, a Ruby interface to vici and several other new features and fixes.
The new charon-systemd daemon is an IKE daemon tailored for use with systemd. It avoids the dependency on ipsec starter and uses swanctl as its configuration backend, making for a simple and lightweight setup. Native systemd journal logging is supported.
We support the new IKEv2 fragmentation mechanism defined in RFC 7383, which avoids IP fragmentation of IKEv2 UDP datagrams that exceed the network's MTU. The feature is enabled by setting fragmentation=yes in ipsec.conf. Optionally, the maximum IP packet size can be configured with the charon.fragment_size parameter in strongswan.conf.
Refer to the net2net-fragmentation scenario for an example.
We implemented the TCG TNC IF-M Segmentation Proposal, which allows the transfer of potentially huge attributes amounting to several megabytes of measurement data, such as the TCG/SWID Tag [ID] Inventory or IETF/Installed Packages attributes, via the PA-TNC, PB-TNC and either PT-EAP or PT-TLS NEA protocol stack. By default, segmented attributes are simply reconstructed on the receiving side from the individual segments, with the exception of the three attribute types mentioned above, which can be parsed and processed incrementally as the segments arrive one by one.
The tnccs-20-pdp-eap test case shows an example scenario retrieving SWID tags from Debian-based hosts.
For the vici plugin a ruby gem has been added to allow ruby applications to control or monitor the IKE daemon. The vici documentation has been updated to include a description of the available operations and some simple examples using both the libvici C interface and the ruby gem (see README.md).
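To illustrate what the gem wraps, here is an added standalone example (not the gem's or libvici's own code) that encodes and decodes vici's element stream and frames a command request, following the message format documented in the vici README; the element and packet type values are taken from that description.

```ruby
# Minimal codec for the vici wire format used between swanctl/vici clients and charon.
# Element stream: SECTION_START/LIST_START carry a 1-byte name length + name,
# KEY_VALUE carries name plus a 2-byte big-endian value length + value,
# LIST_ITEM carries only the value, SECTION_END/LIST_END close the container.
module ViciCodec
  SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6
  CMD_REQUEST = 0 # packet type of a command request (e.g. "version", "list-sas")

  # Encode a nested Hash (String values, Arrays of Strings, sub-Hashes) as elements.
  def self.encode(hash)
    hash.each_with_object("".b) do |(key, value), out|
      name = key.to_s.b
      case value
      when Hash
        out << [SECTION_START, name.bytesize].pack("CC") << name << encode(value) << [SECTION_END].pack("C")
      when Array
        out << [LIST_START, name.bytesize].pack("CC") << name
        value.each { |v| s = v.to_s.b; out << [LIST_ITEM, s.bytesize].pack("Cn") << s }
        out << [LIST_END].pack("C")
      else
        v = value.to_s.b
        out << [KEY_VALUE, name.bytesize].pack("CC") << name << [v.bytesize].pack("n") << v
      end
    end
  end

  # Decode an element stream (e.g. the body of a list-sa event) back into a Hash.
  def self.decode(data)
    stack = [{}]
    pos = 0
    while pos < data.bytesize
      type = data.getbyte(pos); pos += 1
      case type
      when SECTION_START, LIST_START, KEY_VALUE
        len = data.getbyte(pos); name = data.byteslice(pos + 1, len); pos += 1 + len
        if type == KEY_VALUE
          vlen = data.byteslice(pos, 2).unpack1("n"); stack.last[name] = data.byteslice(pos + 2, vlen); pos += 2 + vlen
        else
          child = type == SECTION_START ? {} : []
          stack.last[name] = child; stack.push(child)
        end
      when LIST_ITEM
        vlen = data.byteslice(pos, 2).unpack1("n"); stack.last << data.byteslice(pos + 2, vlen); pos += 2 + vlen
      when SECTION_END, LIST_END
        stack.pop
      else
        raise ArgumentError, "unknown vici element type #{type} at offset #{pos - 1}"
      end
    end
    stack.first
  end

  # Frame a command request: 4-byte big-endian length (excluding itself), packet type,
  # 1-byte name length + command name, then the encoded argument message.
  def self.request(name, hash = {})
    body = [CMD_REQUEST, name.bytesize].pack("CC") + name.b + encode(hash)
    [body.bytesize].pack("N") + body
  end
end
```

Writing `ViciCodec.request("version")` to the charon.vici UNIX socket and decoding the response body with `decode` is exactly the exchange the gem performs for you.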
STRONGSWAN_CONF environment variable. Patches courtesy of Shea Levy.
Download it from here - a more extensive changelog can be found on our wiki.