Releases: libreswan/libreswan
5.3
The Libreswan Project has released libreswan 5.3
This is a maintenance release. It allows re-using an IKEv1
lease address on multiple connections, along with improved
"cisco split VPN" support. The X.509 certificate code was
revised to use only the NSS IPsec profile (it no longer
uses the SSL profile), and the CRL code was updated.
This latest version of libreswan can be downloaded from:
https://download.libreswan.org/libreswan-5.3.tar.gz
https://download.libreswan.org/libreswan-5.3.tar.gz.asc
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailing lists or at our GitHub
bug tracker:
https://lists.libreswan.org/
https://github.com/libreswan/libreswan/issues
See also https://libreswan.org/
v5.3 (July 3, 2025)
- PKIX (Public Key Infrastructure X.509)
- moved cURL and LDAP CRL download code out of pluto [Andrew]
- replaced CRL thread with libevent [Andrew]
- fixed ipsec checkcrls [Andrew]
- when configured, use cURL to download LDAP CRLs [Andrew]
- verify using NSS's IPsec profile aka certificateUsageIPsec [Andrew]
- only verify using certificateUsageSSL{Client,Server} when USE_NSS_TLS_SECURITY_PROFILE [Andrew]
- IKEv2:
- IKEv1:
- initsystem:
- config:
- merge addconn (ipsec.conf) and whack connection option parsers [Andrew]
- change whack to use same connection defaults as ipsec.conf [Andrew]
- support ipsec addconn --name connname left=1.2.3.4 right=5.6.7.8 (experimental) [Andrew #2138]
- drop undocumented ipsec readwriteconf --rootdir option [Andrew, #2152]
- obsoleted virtual_private= and plutostderrlog= keywords [Tuomo]
- warn when END-option= has no END [Andrew #663]
- nflog= made an alias to nflog-group= [Andrew]
- recognize ah=... as phase2=ah phase2alg=... [Andrew #712]
- merge
- ipsec pluto:
- make ipsec.conf's config setup and pluto options consistent [Andrew]
- fix --config file1 --config file2 [Andrew]
- make
- ipsec connectionstatus:
- support ipsec connectionstatus '"labeled"[1][2]' [Andrew #1308]
- support
- testing:
- eliminated all pyOpenSSL dependencies [Andrew]
- review PKIX test coverage [Andrew]
- upgrade Fedora test domain to f42
- building:
- build with curl 8.14.1 [Andrew, Vincent #2319]
5.2
The Libreswan Project has released libreswan 5.2
This is a feature release. It adds support for RFC 5723 Session
Resumption, RFC 9347 IPTFS and draft-ietf-ipsecme-ikev2-qr-alt
protocol extensions. It adds support for ipsec interfaces on the
BSDs and improves the Linux ipsec interface support.
It fixes an IKEv1 padding interop issue with iOS/OSX clients,
supports Linux kernel 6.10+ requirements, and includes other minor
bugfixes and features.
This latest version of libreswan can be downloaded from:
https://download.libreswan.org/libreswan-5.2.tar.gz
https://download.libreswan.org/libreswan-5.2.tar.gz.asc
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailing lists or at our GitHub
bug tracker:
https://lists.libreswan.org/
https://github.com/libreswan/libreswan/issues
See also https://libreswan.org/
v5.2 (Feb 26, 2025)
- IKEv2:
- IPsec Interface:
- add support on FreeBSD, NetBSD and OpenBSD [Andrew]
- add ipsec-interface-managed=no for namespaces [Andrew]
- IKEv1:
- Linux:
- packet offload counters supported in 6.7+ [Paul]
- Add IPTFS support (RFC 9347) [Paul / Antony / Andrew]
- 6.10+ need replay-window 0 on OUTBOUND SA [Paul]
- Do not set nopmtudisc on inbound SA [Paul]
- Set DSCP options only on the relevant direction SA [Paul]
- updown:
- Use half-routes for IPv6 to cover whole address space #1994 [Tuomo]
- Use sourceip= for all remote subnets when set [Tuomo]
- whack/addconn:
- building:
- testing:
5.1
The Libreswan Project has released libreswan 5.1
This is a bugfix release. Most importantly, it contains a fix to work properly with
Linux 6.9+ kernels, and a workaround for a bug in reconnecting iOS/OSX
clients that use IKEv1 with XAUTH/ModeConfig. The handling of ipsec
interfaces was improved as well.
This latest version of libreswan can be downloaded from:
https://download.libreswan.org/libreswan-5.1.tar.gz
https://download.libreswan.org/libreswan-5.1.tar.gz.asc
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailing lists or at our GitHub
bug tracker:
https://lists.libreswan.org/
https://github.com/libreswan/libreswan/issues
See also https://libreswan.org/
v5.1 (Oct 8, 2024)
- IKEv2:
- fix race when initiator-responder cross rekey requests [Andrew]
- don't ignore Delete IKE SA request while waiting for Delete IKE SA response [Andrew]
- log arrival of first IKE_AUTH request that triggers DH [Andrew]
- rate limit logging of packets with invalid payloads
- IKEv1:
- fix Quick mode installing 0.0.0.0/0 when no MSG_CONFIG exchange [Andrew, Tuomo]
- fix iOS Quick mode request needing to re-recover lease [Andrew, Tuomo]
- fix regression where deleting ISAKMP deleted IPsec [Andrew, Tuomo]
- add config options of ah=sha2{256,512} [Andrew]
- add DH29,DH31 to default proposals [Andrew]
- reject ESP AEAD combined with non-NULL integrity [Andrew]
- Crypto:
- update IKE to use NSS's FIPS compliant PK11_AEADOp() [Andrew, Robert Relyea]
- support ESP with CHACHA20POLY1305 on FreeBSD and OpenBSD [Andrew]
- IPsec Interface:
- fix check for an existing IPsec Interface address (Linux) [Wolfgang]
- add IPsec Interface address when connection establishes [Wolfgang]
- fix adding IPv6 address to IPsec interface [Wolfgang]
- delete Ipsec Interface address when connection unroutes [Wolfgang]
- fix setting metric on IPsec Interface [Wolfgang]
- add IPsec Interface device when connection orients [Andrew]
- support existing IPsec interface on FreeBSD and OpenBSD [Andrew]
- log addition of IPsec Interface or Address [Andrew]
- don't delete existing ipsec1 interface (Linux) [Andrew]
- handle repeated connection adds [Wolfgang]
- Linux:
- handle NLMSG_DONE at end of response for > 6.9.0 kernels [Andrew]
- fix hang because of unhandled NLMSG_DONE at end of response (6.9.0-rc1) [Andrew, Ilya, github/1675]
- fix hang when initiating an on-demand TCP connection [Daiki, github/1156]
- updown:
- restore 4.x behaviour of running "updown unroute|down" when initiate fails [Wolfgang, Andrew]
- add test demonstrating redundant tunnels [Wolfgang]
- add plutodebug=updown for debugging updown scripts [Andrew]
- config:
- verbosely ignore x-* style comments in ipsec.conf [Andrew, github/1725]
- whack:
- ignore older whack as could trigger core dump [Andrew, github/1709]
- add --narrowing {yes,no}, retain undocumented --allow-narrowing [Andrew]
- building:
- replace calloc(size,nr) with alloc_things(), fixing compile error [Daiki]
- remove USE_NSS_AVA_COPY and copy of nss source, remove license exception [Tuomo]
- fix syntax error in ckaid.c allowed by GCC [yuncang123]
5.0
This is a major version release with some incompatible changes in default options.
- IKEv1:
- globally disabled by default (ikev1-policy=drop); see RFC9395 [Daniel]
- limit default cryptosuite [Andrew, Paul, Tuomo]
IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512,HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31}
ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256}
AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
- remove support for Labeled IPsec [Andrew]
- properly ignore dpdaction= [Andrew]
- see also IKEv2 routing/revival changes
- IKEv2:
- warn that fragmentation=force is ignored [Andrew]
- avoid post-authentication crash on corrupt TS payload [Andrew]
- support addresspool=v4/mask,v6/mask [Andrew]
- support subnet=SELECTOR,... using a single Child SA [Andrew]
- when non-MOBIKE never update NATed endpoint [#1492/Wofferl/Andrew]
- fix revival of IKE_AUTH (first) Child SA [Andrew]
- properly ignore dpdaction=, keyingtries= [Andrew]
- when reviving, install trap then block [Andrew]
- for auto=keep only retry once [Andrew]
- when redirect fails, fall back to revival [Andrew]
- Linux:
- HW packet offload support [Raed Salem raeds@nvidia.com, Paul]
- XFRM interface IP management with ref-counting [Brady Johnson]
- fix IPcomp with XFRM interfaces [Wolfgang]
- BSD:
- fix esp=aes_gcm [github/1220, Igor V. Gubenko, Andrew]
- whack:
- review ipsec-whack.8 [Tuomo, Andrew, Paul]
- change defaults to match addconn [Andrew]
- add --{rekey,delete,down}-{ike,child} --name [Andrew]
- match whack and addconn option names [Andrew]
- drop NNN_ prefix from all output [Andrew]
- config (ipsec.conf, addconn):
- update ipsec.conf.5 [Tuomo, Andrew, Paul]
- log ipsec.conf errors and warnings in Pluto [Andrew]
- <<include {a,b,c}.conf>> no longer supported [Andrew]
- fix keyexchange={ikev1,ikev2}; deprecate ikev2= [Andrew]
- remove nic-offload=auto option, only accept packet,crypto,yes [Paul]
- warn when converting legacy ",," to "," in {left,right}id= [Andrew]
- change also= to expand inline (more like C's #include) [Andrew]
- fix KEYWORD= sometimes causing Pluto to exit [Andrew]
- parse <<KEYWORD=>> as <<KEYWORD=''>>, i.e., empty [Andrew]
- warn when, within a conn, there are duplicate keys [Andrew]
- add encap-dscp= [Wolfgang]
- implement interface-ip= [Brady]
- implement subnet=SELECTOR,SELECTOR,... [Andrew]
- default ikev1-policy to drop [Daniel]
- add ppk-ids= [Vukasin]
- add experimental per-connection debug= [Andrew]
- drop obsolete forceencaps= [Andrew]
- add groundhog= [Andrew]
- reject non-numeric sourceip= [Andrew]
- fix crash when dpdtimeout= missing [Andrew]
- building:
- remove dependency on libxz via libsystemd [Tuomo, Andrew]
- use INSTALL_INITSYSTEM=false to prevent update of /etc/ [Andrew]
- use INSTALL_CONFIGS=false to prevent update of /etc/ipsec.d et al. [Andrew]
- drop FINAL* make variables; see mk/config.mk for alternatives [Andrew]
- remove old copy of unbound headers [Andrew]
- use DESTDIR instead of FINAL* env vars [Andrew]
- fix "make git-rpm" [Paul/Tuomo]
- check return values of libcap-ng functions [Paul]
- don't call ischar(signed char) [Andrew]
- packaging:
- fix Debian systemd service install [Antonio Silva]
- testing:
- fix namespace tests for super long dir names [Paul]
- add Alpine, Debian, NetBSD and FreeBSD KVMs [Andrew]
- add Alpine, Debian, NetBSD, FreeBSD and OpenBSD to nightly builds [Andrew]
- add man pages to nightly build [Andrew]
- initsystem:
- use documented ipsec sub-commands [Tuomo]
- stop using _stackmanager [Tuomo]
- documentation:
- update to docbook xml 4.5 [Tuomo]
- re-org pages adding libreswan.5 [Andrew]
- ipsec utilities:
- ipsec auto sub-command: deprecate [Tuomo]
- ipsec auto --{cmd} connection -> ipsec {cmd} connection [Tuomo]
- ipsec look: script moved to contrib/; use ip xfrm et al. [Andrew]
- ipsec portexcludes: script moved to contrib/ [Andrew]
- ipsec barf: script moved to contrib/ [Andrew]
- ipsec _secretsensor: script moved to contrib/ [Andrew]
- ipsec show: drop ipsec subcommand (old, incomplete) [Paul]
- ipsec verify: drop ipsec subcommand (old, incomplete) [Paul]
5.0rc3
Has a fix for CVE-2024-3652
4.15 for CVE-2024-3652
Addresses CVE-2024-3652
5.0rc2
5.0rc1
The first pre-release of the libreswan 5.x series. Please test and give us feedback. Read the CHANGES file and the updated man pages for any incompatible changes between 4.x and 5.x.
4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
This is a medium-risk security release.
All CVEs addressed in this release require the peer to successfully authenticate before it can start a denial-of-service attack.
4.11 for CVE-2023-30570
Fix for medium-severity security issue CVE-2023-30570