Blog

Release and vulnerability announcements for strongSwan

strongSwan 5.8.3 Released

We are happy to announce the release of strongSwan 5.8.3, which comes with several updates for the NetworkManager plugin/backend, reallocates reqids, uses throw type routes for passthrough policies on Linux, and brings several other new features and fixes.

NetworkManager Plugin/Backend Updates

The NetworkManager plugin and backend (charon-nm) have received several new features and other updates. Note that both components have to be updated to use the new features and that the new plugin is not compatible with older versions of the backend. However, charon-nm does work with existing configs and old versions of the plugin.

The major changes are as follows (other changes are listed in the changelog):

Reallocation of Previously Used Reqids

The reqids assigned to CHILD_SAs were until now simply taken from a static 32-bit counter. Unfortunately, the FreeBSD kernel does not allow the IKE daemon to use reqids greater than 16383. To make that only an upper limit for concurrent CHILD_SAs, and not for the number of (unique) CHILD_SA installations over time, previously used reqids are now reallocated.
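To make the difference between the two limits concrete, here is an added illustration of the reallocation scheme. It is example code written for this post, not strongSwan's own allocator: the `reqid_pool_t` structure, its counter/released-stack layout, and the `reqid_demo_*` helpers are all hypothetical. Released reqids are handed out again before the counter advances, so the counter only ever reaches the number of CHILD_SAs that exist at the same time, and a double release of the same reqid is rejected.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest reqid the FreeBSD kernel accepts, as stated in the release notes. */
#define REQID_MAX 16383u

/* Hypothetical allocator state (not strongSwan's data structure): a counter
 * for never-used ids, a stack of released ids waiting for reuse, and a bitmap
 * of ids currently bound to a CHILD_SA so that a double release is rejected. */
typedef struct {
    uint32_t counter;                 /* next never-used reqid */
    uint32_t released[REQID_MAX];     /* released reqids, reused LIFO */
    uint32_t nreleased;
    uint8_t  used[REQID_MAX / 8 + 1]; /* one bit per reqid */
} reqid_pool_t;

static bool is_used(const reqid_pool_t *p, uint32_t id)
{
    return (p->used[id / 8] >> (id % 8)) & 1u;
}

static void set_used(reqid_pool_t *p, uint32_t id, bool on)
{
    if (on) p->used[id / 8] |= (uint8_t)(1u << (id % 8));
    else    p->used[id / 8] &= (uint8_t)~(1u << (id % 8));
}

void reqid_pool_init(reqid_pool_t *p)
{
    memset(p, 0, sizeof(*p));
    p->counter = 1; /* reqid 0 means "none", so it is never handed out */
}

/* Returns a reqid, reusing a released one first. Returns 0 only when
 * REQID_MAX CHILD_SAs are installed concurrently. */
uint32_t reqid_alloc(reqid_pool_t *p)
{
    uint32_t id;
    if (p->nreleased > 0) {
        id = p->released[--p->nreleased];
    } else if (p->counter <= REQID_MAX) {
        id = p->counter++;
    } else {
        return 0;
    }
    set_used(p, id, true);
    return id;
}

/* Releases a reqid once its CHILD_SA is gone; false for ids that are
 * out of range or not currently in use (i.e. a double release). */
bool reqid_free(reqid_pool_t *p, uint32_t id)
{
    if (id == 0 || id > REQID_MAX || !is_used(p, id)) {
        return false;
    }
    set_used(p, id, false);
    p->released[p->nreleased++] = id;
    return true;
}

/* Installs per_round CHILD_SAs and tears them all down again, rounds times.
 * Returns the highest reqid ever handed out (0 on any failure). With reuse it
 * stays at per_round even when the total number of installations over time
 * far exceeds REQID_MAX. */
uint32_t reqid_demo_churn(uint32_t per_round, uint32_t rounds)
{
    static reqid_pool_t pool;
    static uint32_t ids[REQID_MAX];
    uint32_t highest = 0;

    if (per_round == 0 || per_round > REQID_MAX) return 0;
    reqid_pool_init(&pool);
    for (uint32_t r = 0; r < rounds; r++) {
        for (uint32_t i = 0; i < per_round; i++) {
            ids[i] = reqid_alloc(&pool);
            if (ids[i] == 0) return 0;
            if (ids[i] > highest) highest = ids[i];
        }
        for (uint32_t i = 0; i < per_round; i++) {
            if (!reqid_free(&pool, ids[i])) return 0;
        }
    }
    return highest;
}

/* Allocates without releasing until allocation fails; returns the count. */
uint32_t reqid_demo_exhaust(void)
{
    static reqid_pool_t pool;
    uint32_t n = 0;
    reqid_pool_init(&pool);
    while (reqid_alloc(&pool) != 0) n++;
    return n;
}

/* True if releasing the same reqid twice is rejected the second time. */
bool reqid_demo_double_release(void)
{
    static reqid_pool_t pool;
    reqid_pool_init(&pool);
    uint32_t id = reqid_alloc(&pool);
    return reqid_free(&pool, id) && !reqid_free(&pool, id);
}

int main(void)
{
    printf("highest reqid after 500 rounds of 100 CHILD_SAs: %u\n",
           reqid_demo_churn(100, 500));
    printf("concurrent CHILD_SAs before exhaustion: %u\n", reqid_demo_exhaust());
    printf("double release rejected: %s\n",
           reqid_demo_double_release() ? "yes" : "no");
    return 0;
}
```

Running it shows 50,000 installations over time never needing a reqid above 100, while the pool still refuses the 16,384th concurrent CHILD_SA; the in-use bitmap is what keeps a stale release from handing the same reqid to two live CHILD_SAs.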

Use Throw Type Routes for Passthrough Policies on Linux

On Linux, throw type routes are now installed for passthrough policies in routing table 220. For matching traffic, the kernel then falls back on routes in routing tables with lower priorities. Because such routes require less information (e.g. no interface or source IP), they can be installed earlier and are not affected by network changes.

Other Notable Features and Fixes

Download Complete Changelog