diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-07-14 13:21:19 +0000 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2006-07-14 13:21:19 +0000 |
commit | 623d3dcf78c0d96e44dbf2867b02acf10e51a812 (patch) | |
tree | b96cb14599008657a37255bdd7336844a8fd88af /NEWS | |
parent | a9ae2c01ed8e90566dc9b8ff0ddb1e68f969f9e3 (diff) | |
download | strongswan-623d3dcf78c0d96e44dbf2867b02acf10e51a812.tar.bz2 strongswan-623d3dcf78c0d96e44dbf2867b02acf10e51a812.tar.xz |
X.509 certificate trust path verification4.0.2
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 11 |
1 files changed, 8 insertions, 3 deletions
@@ -1,15 +1,20 @@ strongswan-4.0.2 ---------------- -- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no - IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear, - dpddelay=60s). +- Full X.509 certificate trust chain verification has been implemented. + End entity certificates can be exchanged via CERT payloads. The current + default is leftsendcert=always, since CERTREQ payloads are not supported + yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls. - Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 would offer more possibilities for traffic selection, but the Linux kernel currently does not support it. That's why we stick with these simple ipsec.conf rules for now. +- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no + IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear, + dpddelay=60s). + - Initial NAT traversal support in IKEv2. Charon includes NAT detection notify payloads to detect NAT routers between the peers. It switches to port 4500, uses UDP encapsulated ESP packets, handles peer address |