path: root/ipsec-tools/NEWS
blob: 1efdfd503df8734a6380ca07b9e6a89f243e4a8e
Version history:
----------------
0.8.2	- 27 February 2014
	o Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
	o Fix source port selection regression from version 0.8.1
	o Various logging improvements
	o Additional compliance and build fixes

0.8.1	- 08 January 2013
	o Improved X.509 subject name comparison (Götz Babin-Ebell)
	o Relax DPD cookie check for Cisco IOS compatibility (Roman Antink)
	o Allow simplified syntax for inherited remote blocks (Roman Antink)
	o Never shrink pfkey socket buffer (Marcelo Leitner)
	o Privilege separation child process exit fix
	o Multiple memory allocation and use-after-free fixes

0.8	- 18 March 2011
	o Fix authentication method ambiguity with kerberos and xauth
	o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman)
	o Local address code rewrite to speed things up
	o Improved MIPv6 support (Arnaud Ebalard)
	o ISAKMP SA (phase1) rekeying
	o Improved scheduler (faster algorithm, support monotonic clock)
	o Handle RESPONDER-LIFETIME in quick mode
	o Handle INITIAL-CONTACT in from main mode too
	o Rewritten event handling framework for admin port
	o Ability to initiate IPsec SA through admin port
	o NAT-T Original Address handling (transport mode NAT-T support)
	o clean NAT-T - PFkey support
	o support for multiple anonymous remoteconfs
	o Remove various obsolete configuration options
	o A lot of other bug fixes, performance improvements and clean ups

0.7.1	- 23 July 2008
	o Fixes a memory leak when invalid proposal received
	o Some fixes in DPD
	o do not set default gss id if xauth is used
	o fixed hybrid enabled builds
	o fixed compilation on FreeBSD8
	o cleanup in network port value manipulation
	o Gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in
	  purge_ipsec_spi()
	o Generates a log if cert validation has been disabled by
	  configuration
	o better handling for pfkey socket read errors
	o Fixes in yacc / bison stuff
	o new plog() macro (reduced CPU usage when logging is disabled)
	o Try to work better with huge SPD/SAD
	o Corrected modecfg option syntax

0.7	- 09 August 2007
	o Xauth with pre-shared key PSK
	o Xauth with certificates
	o SHA2 support
	o pkcs7 support
	o system accounting (utmp)
	o Darwin support
	o configuration can be reloaded
	o Support for UNIQUE generated policies
	o Support for semi anonymous sainfos
	o Support for ph1id to remoteid matching
	o Plain RSA authentication
	o Native LDAP support for Xauth and modecfg
	o Group membership checks for Xauth and sainfo selection
	o Camellia cipher support
	o IKE Fragment force option
	o Modecfg SplitNet attribute support
	o Modecfg SplitDNS attribute support ( server side )
	o Modecfg Default Domain attribute support
	o Modecfg DNS/WINS server multiple attribute support

0.6	- 27 June 2005
	o Generated policies are now correctly flushed
	o NAT-T works with multiple peers behind the NAT (need kernel support)
	o Xauth can use shadow passwords
	o TCP-MD5 support
	o PAM support for Xauth
	o Privilege separation
	o ESP fragmentation in tunnel mode can be tuned (NetBSD only)
	o racoon admin interface is exported (header and library) to 
	  help building control programs for racoon (think GUI)
	o Fixed single DES support; single DES users MUST UPGRADE.

0.5	- 10 April 2005
	o Rewritten buildsystem. Now completely autoconfed, automaked,
	  libtoolized.
	o IPsec-tools now compiles on NetBSD and FreeBSD again.
	o Support for server-side hybrid authentication, with full 
	  RADIUS support. This is interoperable with the Cisco VPN client.
	o Support for client-side hybrid authentication (Tested only with
	  a racoon server)
	o ISAKMP mode config support
	o IKE fragmentation support
	o Fixed FWD policy support.
	o Fixed IPv6 compilation.
	o Readline is optional, fixed setkey when compiled without readline.
	o Configurable Root-CA certificate.
	o Dead Peer Detection (DPD) support.

0.4rc1	- 09 August 2004
	o Merged support for PlainRSA keys from the 'plainrsa' branch.
	o Inheritance of 'remote{}' sections.
	o Support for SPD policy priorities in setkey.
	o Ciphers are now used through the 'EVP' interface which allows
	  using hardware crypto accelerators.
	o Setkey has new option -n (no action).
	o All source files now have 3-clause BSD license.

0.3	- 14 April 2004
	o Fixed setkey to handle multiline commands again.
	o Added command 'exit' to setkey.
	o Fixed racoon to only Warn if no CRL was found.
	o Improved testsuite.

0.3rc5	- 05 April 2004
	o Security bugfix WRT handling X.509 signatures.
	o Stability fix WRT unknown PF_KEY messages.
	o Fixed NAT-T with more proposals (e.g. more crypto algos).
	o Setkey parses lines one by one => doesn't exit on errors.
	o Setkey supports readline => more user friendly.

0.3rc4	- 25 March 2004
	o Fixed adding "null" encryption via 'setkey'.
	o Fixed segfault when using AES in Phase1 with OpenSSL>=0.9.7
	o Fixed NAT-T in aggressive mode.
	o Fixed testsuite and added testsuite run into make check.

0.3rc3	- 19 March 2004
	o Fixed compilation error with --enable-yydebug
	o Better diagnostic when proposals don't match.
	o Changed/added options to setkey.

0.3rc2	- 11 March 2004
	o Added documentation for NAT-T
	o Better NAT-T diagnostic.
	o Test and workaround for missing va_copy()

0.3rc1	- 04 March 2004
	o Support for NAT Traversal (NAT-T)

0.2.4	- 29 January 2004
	o Sync with KAME as of 2004-01-07
	o Fixed unauthorized deletion of SA in racoon (again).

0.2.3	- 15 January 2004
	o Support for SA lifetime specified in bytes
	  (see setkey -bs/-bh options)
	o Enhance support for OpenSSL 0.9.7
	o Let racoon be more verbose
	o Fixed some simple bugs (see ChangeLog for details)
	o Fixed unauthorized deletion of SA in racoon
	o Fixed problems on AMD64
	o Ignore multicast addresses for IKE

0.2.2	- 13 March 2003
	o Fix racoon to build on some systems that require linking against -lfl
	o add an RPM spec to the distribution

0.2.1	- 07 March 2003
	o Fix some more gcc-3.2.2 compiler warnings
	o Fix racoon to actually configure with ssl in a non-standard location
	o Fix racoon to not complain if krb5-config is not installed

0.2	- 06 March 2003
	o Glibc-2.3 support
	o OpenSSL-0.9.7 support
	o Fixed duplicate-macro problems
	o Fix racoon lex/yacc support
	o Install psk.txt mode 600, racoon.conf mode 644
	o Fix racoon to look in the correct directory for config files

0.1	- 03 March 2003
	o Initial release of IPsec-Tools