updated for release
parent
147fe5095d
commit
c15c3d4be9
24
NEWS
|
@ -1,8 +1,26 @@
|
||||||
|
- Added algorithm selection to charon: New default algorithms for
|
||||||
|
ike=aes128-sha-modp2048, as both daemons support it. The default
|
||||||
|
for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
|
||||||
|
the ike/esp parameter the same way as pluto. As this syntax does
|
||||||
|
not allow specification of a pseudo random function, the same
|
||||||
|
algorithm as for integrity is used (currently sha/md5). Supported
|
||||||
|
algorithms for IKE:
|
||||||
|
Encryption: aes128, aes192, aes256
|
||||||
|
Integrity/PRF: md5, sha (using hmac)
|
||||||
|
DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
|
||||||
|
and for ESP:
|
||||||
|
Encryption: aes128, aes192, aes256, 3des, blowfish128,
|
||||||
|
blowfish192, blowfish256
|
||||||
|
Integrity: md5, sha1
|
||||||
|
More IKE encryption algorithms will come after porting libcrypto into
|
||||||
|
libstrongswan.
|
||||||
|
|
||||||
- initial support for rekeying CHILD_SAs using IKEv2. Currently
|
- initial support for rekeying CHILD_SAs using IKEv2. Currently no
|
||||||
perfect forward secrecy is not supported. The rekeying parameters
|
perfect forward secrecy is used. The rekeying parameters rekey,
|
||||||
rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
|
rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
|
||||||
when using IKEv2.
|
when using IKEv2. WARNING: charon currently is unable to handle
|
||||||
|
simultaneous rekeying. To avoid such a situation, use a large
|
||||||
|
rekeyfuzz, or even better, set rekey=no on one peer.
|
||||||
|
|
||||||
- new build environment featuring autotools. Features such
|
- new build environment featuring autotools. Features such
|
||||||
as HTTP, LDAP and smartcard support may be enabled using
|
as HTTP, LDAP and smartcard support may be enabled using
|
||||||
|
|
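Review bot: The algorithm keywords in the added charon entry are inconsistent, and readers will copy them straight into ike= and esp= lines. The IKE list names the hash "sha" while the ESP list names it "sha1", yet the stated default esp=aes128-sha,3des-md5 uses "sha"; use whichever keyword the parser accepts in both lists. The DH-Groups line abbreviates to "modp768, 1024, 1536, ..." although the default is written modp2048, so spell every group out in full. The simultaneous-rekeying WARNING is also appended to the end of the rekeying bullet, where it is easy to miss, and it gives no indication of what counts as a "large" rekeyfuzz; consider giving it its own entry with a concrete recommendation.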