From 9b45443dc2d270f3518be0cb739297baf667a79c Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 20 Mar 2007 08:59:03 +0000 Subject: [PATCH] updated NEWS, TODO and man page --- NEWS | 25 +++++++++++++++++++++++++ TODO | 11 +++++------ src/starter/ipsec.conf.5 | 15 ++++++++++++--- 3 files changed, 42 insertions(+), 9 deletions(-) diff --git a/NEWS b/NEWS index 1755205f0..49a3c4534 100644 --- a/NEWS +++ b/NEWS @@ -9,10 +9,35 @@ strongswan-4.1.0 and hmac functions during pluto startup. Failure of a self-test currently issues a warning only but does not exit pluto [yet]. +- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2. + - Full support of CA information sections. ipsec listcainfos now shows all collected crlDistributionPoints and OCSP accessLocations. +- Refactored core of the IKEv2 message processing code, allowing better + code reuse and separation. + +- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration + payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted + by the requestor and installed in a resolv.conf file. + +- The IKEv2 daemon charon installs a route for each IPsec policy to use + the correct source address even if an application does not explicitly + specify it. + +- Integrated the EAP framework into charon which loads pluggable EAP library + modules. The ipsec.conf parameter authby=eap initiates EAP authentication + on the client side, while the "eap" parameter on the server side defines + the EAP method to use for client authentication. + A generic client side EAP-Identity module and an EAP-SIM authentication + module using a third party card reader implementation are included. + +- Added client side support for cookies. + +- Integrated the fixes done at the IKEv2 interoperability bakeoff, including + strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor + fixes to enhance interoperability with other implementations. strongswan-4.0.7 ---------------- 
diff --git a/TODO b/TODO index c3ecce6d4..9ac2cf706 100644 --- a/TODO +++ b/TODO @@ -17,12 +17,12 @@ Roadmap for 2007 ! exchanges ! - merge of EAP authentication code / plugin loader ! - merge of the virtual IP support currently in the pipeline - ! - merge of the experimental "mediated double-NAT" support - ! - write an IETF draft for this feature ! Mar ! - interface in charon for the new SMP management interface ! - full certificate support ! - Cookie support, other fixes to mature against DoS + ! - merge of the experimental "mediated double-NAT" support + ! - write an IETF draft for this feature ! Apr ! - start porting efforts of IKEv1 into charon ! - support of IKEv1 messages and payloads in charon @@ -58,16 +58,14 @@ Build system Denail of service ----------------- -- Cookie support +- Cookie support on server - thread exhaustion (multiple messages to a single IKE_SA) Certificate support ------------------- - New trustchain mechanism? -- proper CERTREQ support - proper handling of multiple certificate payloads (import order) - synchronized CRL fetcher -- OCSP support - Smartcard interface - Attribute certificates @@ -75,9 +73,10 @@ Stroke interface ---------------- - add a Rekey-Counter for SAs in "statusall" - ipsec statusall bytecount -- detach console after first keyingtry - proper handling of CTRL+C console detach (SIG_PIPE) Misc ---- - retry transaction on failure while keyingtries > 1 +- PFS support for creating/rekeying CHILD_SAs +- Address pool/backend for virtual IP assignement diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 9ca2e6776..3e59190e3 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 
@@ -418,7 +418,11 @@ for either, and if negotiation is never to be attempted or accepted (useful for shunt-only conns). Digital signatures are superior in every way to shared secrets. In IKEv2, the two ends must not agree on this parameter, it is relevant for the own -authentication method only. +authentication method only. IKEv2 additionally supports the value +.B eap, +which indicates an initiator to request EAP authentication. The EAP method to +use is selected by the server (see +.B eap). .TP .B compress whether IPComp compression of content is proposed on the connection @@ -591,7 +595,12 @@ it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT recor it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. .TP .B leftsourceip -Not supported in IKEv2 yet. +The internal source IP to use in a tunnel, also known as virtual IP. If the +value is +.B %modeconfig +or +.B %config, +an address is requested from the peer. .TP .B leftsubnetwithin Not relevant for IKEv2, as subnets are narrowed. @@ -980,7 +989,7 @@ Written for the FreeS/WAN project by Henry Spencer. Extended for the strongSwan project -by Andreas Steffen. Update to respect IKEv2 specific configuration +by Andreas Steffen. Updated to respect IKEv2 specific configuration by Martin Willi. .SH BUGS .PP
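Review bot: in the NEWS hunk, the virtual IP entry says the INTERNAL_IP4/6_DNS attribute is "interpreted by the requestor and installed in a resolv.conf file" without saying which file is written or how it is restored when the IKE_SA goes down; since these resolver addresses are supplied by the peer, the entry (or the corresponding ipsec.conf.5 text) should state the path, that the previous contents are restored on teardown, and that the client trusts the responder for name resolution while the tunnel is up.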
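Review bot: in the TODO hunk, the added line "- Address pool/backend for virtual IP assignement" misspells "assignment"; the surrounding heading "Denail of service" is unchanged context but could be fixed to "Denial of service" in the same edit.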
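Review bot: in the first ipsec.conf.5 hunk (@@ -418), the added authby text cross-references a server-side parameter with "(see .B eap)" but this patch adds no `eap` entry to ipsec.conf.5, so the reference dangles; either add the entry describing the accepted method values or drop the reference. The sentence "which indicates an initiator to request EAP authentication" is also awkward; suggest "which causes the initiator to request EAP authentication from the responder".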
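Review bot: in the leftsourceip hunk (@@ -591), the new text covers only the %modeconfig/%config case; it should also say how a literal address is treated and what the connection does when the peer returns no address (whether the IKE_SA setup fails or proceeds without a virtual IP), since the old line "Not supported in IKEv2 yet" is being replaced and readers will otherwise assume a request always succeeds.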