strongSwan is an open-source IPsec implementation for the Linux operating system. strongSwan is based on the discontinued FreeS/WAN project and the X.509 patch which we developed over the last three years.
In order to have a stable IPsec platform on which to base our future extensions of the X.509 capability, we decided to launch the strongSwan project.
Here are some key features of "strongSwan":
· runs both on Linux 2.4 (KLIPS) and Linux 2.6 (native IPsec) kernels
· strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
· Authentication based on X.509 certificates or preshared keys
· Powerful IPsec policies based on wildcards or intermediate CAs
· Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
· Full support of the Online Certificate Status Protocol (OCSP, RFC 2560)
· Optional storage of RSA private keys on smartcards or USB crypto tokens
· Smartcard access via standardized PKCS #11 interface
· PKCS #11 proxy function offering RSA decryption services via whack
· NAT-Traversal (RFC 3947) and support of Virtual IPs and IKE Mode Config
· CA management (OCSP and CRL URIs, default LDAP server)
· Dead Peer Detection (DPD, RFC 3706)
· Group policies based on X.509 attribute certificates (RFC 3281)
· Generation of default self-signed certificates during strongSwan setup
What's New in 2.8.0 Stable Release:
· The implementation of the IKE Mode Config push mode allows interoperability with Cisco VPN gateways.
· By setting "modeconfig=push", strongSwan will wait for the peer to push down a virtual IP address that can be used within an IPsec tunnel.
· The default value of the new keyword is "modeconfig=pull".
· The command "ipsec statusall" now shows "DPD active" for all ISAKMP Security Associations that are under active Dead Peer Detection control.
What's New in 4.0.7 Development Release:
· Extended authentication (XAUTH) in conjunction with IKE Main Mode authentication (RSA and PSK) is now possible with most VPN clients and gateways (e.g. Cisco, NCP, Shrew, etc.).
What's New in 2.8.3 Stable Release:
· A bug in the computation of the SHA-512-HMAC function was fixed.
· The SHA-384 hash and HMAC functions were implemented.
· SHA-2 signatures are now supported in X.509 certificates.
· Automatic test vector-based self-tests of all hash functions (MD5, SHA-1, SHA-2) during pluto startup were introduced to increase the reliability of the software.