Download strongSwan 5.3.4
Various protocols can be used to secure connections over public networks, among them the widely used IPsec. strongSwan is an IPsec implementation for Linux systems whose 5.x branch targets the 2.6 and 3.x Linux kernels. It supports IKEv1, IKEv2 and IPv6, as described on this page. The developers have released strongSwan 5.3.4 with the following list of changes:
Version 5.3.4
- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that was caused by insufficient verification of the internal state when handling EAP-MSCHAPv2 Success messages received by the client. This vulnerability has been registered as CVE-2015-8023. Please refer to our blog for details.
- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family. Within the strongSwan framework SHA3 is currently used for BLISS signatures only because the OIDs for other signature algorithms haven’t been defined yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
- The EAP-MSCHAPv2 username now replaces the identity of any previous EAP-Identity exchange (#1182).
- Fixed several issues with IKEv1 Phase 2 message handling (#1076, #1128, #1130, #1198).
- A bug with setting the source IP for IKE packets was fixed that caused problems with newer compilers (#1171).
- The ipsec stroke down-nb command is now actually non-blocking (#1191).
- Some VICI commands received updates: NAT information and virtual IPs are listed for IKE_SAs (04f22cdabc, bdb8b76515), IP address leases are optionally listed for pools defined via VICI (f4641f9e45).
- The file-logger now optionally logs the milliseconds within the current second (548b993488).
- Fetching CRLs in PEM format is now supported and using the curl plugin to fetch CRLs from file:// URIs has also been fixed (#1203).
- CRLs added via VICI are now properly added to the credential set (e5e352e631).
- IKEv2 NAT-D payloads are now created in a more static way, which ensures they stay the same when retrying to establish an IKE_SA (e.g. due to INVALID_KEY_PAYLOAD notifies, #1131).
- Fixed compress=yes (IPComp) with IPv6 and leftfirewall=yes (382f8a334a).
- Fixed a deadlock in duplicate checking for IKEv1 SAs (758b1caa0e, 1d528cfb8d).
- The del_policy method of kernel_ipsec_t now receives the same information originally passed to add_policy (a6e0f14fd2).
- The kernel-netlink plugin allows IPsec policies to replace shunt policies, which allows configuring matching type=drop policies alongside auto=add connections.
- To debug custom plugins they can now optionally be loaded with RTLD_NOW so missing symbols are revealed immediately (via charon.dlopen_use_rtld_now). The same applies for custom IMVs/IMCs.
- The runtime for our regression tests has been reduced significantly (by about 75%).
- The Android app has been updated to use the Gradle build system.
Version number | 5.3.4
Release status | Final
Operating systems | Android, Linux, BSD, macOS
Website | strongSwan
License type | Conditions (GNU/BSD/etc.)