We are happy to announce the release of strongSwan 5.8.3, which comes with several updates for the NetworkManager plugin/backend, reallocates reqids, uses throw type routes for passthrough policies on Linux, and brings several other new features and fixes.
NetworkManager Plugin/Backend Updates
The NetworkManager plugin and backend (charon-nm) have received several new features and other updates. Note that both components have to be updated to use the new features and that the new plugin is not compatible to older versions of the backend. However, charon-nm does work with existing configs and old versions of the plugin.
The major changes are as follows (other changes are listed in the changelog):
- EAP-TLS authentication is supported
- The certificate source (file, agent, smartcard) can now be selected independently (previously, it was tied to the authentication method)
- Custom local and remote identities may be configured
- Custom server ports are supported
- Reauthentication and IKEv2 redirection is supported by the backend
Reallocation of Previously Used Reqids
The reqids assigned to CHILD_SAs were so far simply based on a static 32-bit counter. Unfortunately, the FreeBSD kernel does not allow the IKE daemon to use reqids greater than 16383. To make that only an upper limit for concurrent CHILD_SAs, and not for the number of (unique) CHILD_SA installations over time, previously used reqids are now reallocated.
Use Throw Type Routes for Passthrough Policies on Linux
On Linux, throw type routes are now installed for passthrough policies in routing table 220. The kernel will then fall back on routes in routing tables with lower priorities for matching traffic. This way they require less information (e.g. no interface or source IP) and can be installed earlier and are not affected by network changes.
Other Notable Features and Fixes
- For IKEv1, the lifetimes of the actually selected transform are returned to the initiator. We now also return the correct transform and proposal IDs (proposal ID was always 0, transform ID 1).
- IKE_SAs are now not re-established anymore (e.g. after several retransmits) if a deletion has been queued.
- Added support for Ed448 keys and certificates via openssl plugin and pki tool. The plugin also supports SHA-3 and SHAKE128/256.
- Fixed a compiler issue that may have caused invalid keyUsage extensions in certificates.