updated NEWS, TODO and man page
This commit is contained in:
Martin Willi
parent
fdb9b2bdde
commit
9b45443dc2
25
NEWS
25
NEWS
|
|
@ -9,10 +9,35 @@ strongswan-4.1.0
|
|||
and hmac functions during pluto startup. Failure of a self-test
|
||||
currently issues a warning only but does not exit pluto [yet].
|
||||
|
||||
- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
|
||||
|
||||
- Full support of CA information sections. ipsec listcainfos
|
||||
now shows all collected crlDistributionPoints and OCSP
|
||||
accessLocations.
|
||||
|
||||
- Refactored core of the IKEv2 message processing code, allowing better
|
||||
code reuse and separation.
|
||||
|
||||
- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
|
||||
payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
|
||||
by the requestor and installed in a resolv.conf file.
|
||||
|
||||
- The IKEv2 daemon charon installs a route for each IPsec policy to use
|
||||
the correct source address even if an application does not explicitly
|
||||
specify it.
|
||||
|
||||
- Integrated the EAP framework into charon which loads pluggable EAP library
|
||||
modules. The ipsec.conf parameter authby=eap initiates EAP authentication
|
||||
on the client side, while the "eap" parameter on the server side defines
|
||||
the EAP method to use for client authentication.
|
||||
A generic client side EAP-Identity module and an EAP-SIM authentication
|
||||
module using a third party card reader implementation are included.
|
||||
|
||||
- Added client side support for cookies.
|
||||
|
||||
- Integrated the fixes done at the IKEv2 interoperability bakeoff, including
|
||||
strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
|
||||
fixes to enhance interoperability with other implementations.
|
||||
|
||||
strongswan-4.0.7
|
||||
----------------
|
||||
|
|
|
|||
11
TODO
11
TODO
|
|
@ -17,12 +17,12 @@ Roadmap for 2007
|
|||
! exchanges
|
||||
! - merge of EAP authentication code / plugin loader
|
||||
! - merge of the virtual IP support currently in the pipeline
|
||||
! - merge of the experimental "mediated double-NAT" support
|
||||
! - write an IETF draft for this feature
|
||||
!
|
||||
Mar ! - interface in charon for the new SMP management interface
|
||||
! - full certificate support
|
||||
! - Cookie support, other fixes to mature against DoS
|
||||
! - merge of the experimental "mediated double-NAT" support
|
||||
! - write an IETF draft for this feature
|
||||
!
|
||||
Apr ! - start porting efforts of IKEv1 into charon
|
||||
! - support of IKEv1 messages and payloads in charon
|
||||
|
|
@ -58,16 +58,14 @@ Build system
|
|||
|
||||
Denail of service
|
||||
-----------------
|
||||
- Cookie support
|
||||
- Cookie support on server
|
||||
- thread exhaustion (multiple messages to a single IKE_SA)
|
||||
|
||||
Certificate support
|
||||
-------------------
|
||||
- New trustchain mechanism?
|
||||
- proper CERTREQ support
|
||||
- proper handling of multiple certificate payloads (import order)
|
||||
- synchronized CRL fetcher
|
||||
- OCSP support
|
||||
- Smartcard interface
|
||||
- Attribute certificates
|
||||
|
||||
|
|
@ -75,9 +73,10 @@ Stroke interface
|
|||
----------------
|
||||
- add a Rekey-Counter for SAs in "statusall"
|
||||
- ipsec statusall bytecount
|
||||
- detach console after first keyingtry
|
||||
- proper handling of CTRL+C console detach (SIG_PIPE)
|
||||
|
||||
Misc
|
||||
----
|
||||
- retry transaction on failure while keyingtries > 1
|
||||
- PFS support for creating/rekeying CHILD_SAs
|
||||
- Address pool/backend for virtual IP assignement
|
||||
|
|
|
|||
|
|
@ -418,7 +418,11 @@ for either, and
|
|||
if negotiation is never to be attempted or accepted (useful for shunt-only conns).
|
||||
Digital signatures are superior in every way to shared secrets. In IKEv2, the
|
||||
two ends must not agree on this parameter, it is relevant for the own
|
||||
authentication method only.
|
||||
authentication method only. IKEv2 additionally supports the value
|
||||
.B eap,
|
||||
which indicates an initiator to request EAP authentication. The EAP method to
|
||||
use is selected by the server (see
|
||||
.B eap).
|
||||
.TP
|
||||
.B compress
|
||||
whether IPComp compression of content is proposed on the connection
|
||||
|
|
@ -591,7 +595,12 @@ it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT recor
|
|||
it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
|
||||
.TP
|
||||
.B leftsourceip
|
||||
Not supported in IKEv2 yet.
|
||||
The internal source IP to use in a tunnel, also known as virtual IP. If the
|
||||
value is
|
||||
.B %modeconfig
|
||||
or
|
||||
.B %config,
|
||||
an address is requested from the peer.
|
||||
.TP
|
||||
.B leftsubnetwithin
|
||||
Not relevant for IKEv2, as subnets are narrowed.
|
||||
|
|
@ -980,7 +989,7 @@ Written for the FreeS/WAN project
|
|||
<http://www.freeswan.org>
|
||||
by Henry Spencer. Extended for the strongSwan project
|
||||
<http://www.strongswan.org>
|
||||
by Andreas Steffen. Update to respect IKEv2 specific configuration
|
||||
by Andreas Steffen. Updated to respect IKEv2 specific configuration
|
||||
by Martin Willi.
|
||||
.SH BUGS
|
||||
.PP
|
||||
|
|
|
|||
Loading…
Reference in New Issue