Component: ike2
155 changelog entries across 45 version(s)
Activity over time (changelog entries per month)
- adapt rekey procedure for compatibility with Libreswan;
- improved system stability;
- improved initial key exchange process on slow or unreliable connections;
- improved performance by balancing multicore CPU usage for key exchange calculation also for initiator;
- improved performance by balancing multicore CPU usage for key exchange calculation;
- fixed ike2 double reply;
- improved rekey collision handling;
- improved SA rekeying reply process;
- improved system stability when closing phase1;
- improved system stability when making configuration changes on active setup;
- log "reply ignored" as non-debug log message;
- improved child SA delete request processing;
- fixed minor logging typo;
- added support for "address", "key-id" and "dn" for Remote ID matching (CLI only);
- fixed active SA flush on responder after an unsuccessful peer connection attempt;
- added support for ChaChaPoly1305 encryption;
- added support for DH Group 31 (EC25519) (CLI only);
- fixed rekey notify creation;
- improved certificate payload parsing;
- allow sending certificate chain as initiator;
- ignore "INITIAL-CONTACT" payload on responder when "send-initial-contact" is disabled;
- added support for ASN.1 DN "my-id" value setting for initiators;
- check if TS is still valid after obtaining SPI;
- fixed initiator packet retransmit with DDoS cookie;
- check if TS is still valid after obtaining SPI;
- added "MS-CHAP-Domain" attribute to RADIUS requests;
- added "MS-CHAP-Domain" attribute to RADIUS requests;
- fixed DH group negotiation with EAP;
- fixed EAP MSK length validation (introduced in v6.48);
- fixed initial traffic selector's protocol and port in transport mode;
- fixed phase 2 rekeying with enabled PFS (introduced in v6.48);
- improved stability when invalid certificate is configured (introduced in v6.48);
- properly register packet time after expensive CPU operations;
- added "prf-algorithm" support for phase 1;
- added support for IKEv2 Message Fragmentation (RFC7383);
- fixed EAP MSK length validation;
- fixed too small payload parsing;
- improved EAP message integrity checking;
- improved child SA rekeying process;
- fixed local side NAT detection;
- fixed policy reference for pending acquire;
- retry RSA signature validation with deduced digest from certificate;
- fixed local side NAT detection;
- fixed initiator child SA init without policy;
- fixed policy reference for pending acquire;
- retry RSA signature validation with deduced digest from certificate;
- added support for "INTERNAL_DNS_DOMAIN" payload attribute;
- added support for RADIUS Disconnect-Request message handling;
- added support for RFC8598;
- allow initiator address change before authentication;
- fixed authentication handling when initiator disconnects before RADIUS response;
- fixed DHCP Inform package handling when received on PPPoE interface;
- improved CHILD SA rekey process with Apple iOS 13;
- improved stability when retransmitting first packet as responder;
- fixed phase 1 rekeying (introduced in v6.45);
- fixed policy port selection for responder with natted initiator;
- fixed traffic selector address family selection when using IPv6;
- don't release policy on rekey when child not found;
- fixed ID validation with multiple SAN;
- fixed policy port selection for responder with natted initiator;
- fixed traffic selector address family selection when using IPv6;
- improved rekeying process with Windows initiators;
- properly start all initiators to the same remote address;
- added support for ECDSA certificate authentication (rfc4754);
- added support for IKE SA rekeying for initiator;
- do not send "User-Name" attribute to RADIUS server if not provided;
- improved certificate verification when multiple CA certificates received from responder;
- improved child SA rekeying process;
- improved XAuth identity conversion on upgrade;
- prefer SAN instead of DN from certificate for ID payload;
- added option to specify certificate chain;
- added peer identity validation for RSA auth (disabled after upgrade);
- allow matching responder peer by "my-id=fqdn" field;
- fixed local address lookup when initiating new connection;
- improved subsequent phase 2 initialization when no children exist;
- properly handle certificates with empty "Subject";
- retry RSA signature validation with deduced digest from certificate;
- send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
- show weak pre-shared-key warning;
- fixed rare authentication and encryption key mismatches after rekey with PFS enabled;
- improved subsequent phase 2 initialization when no children exist;
- fixed rare authentication and encryption key mismatches after rekey with PFS enabled;
- fixed initiator first policy selection;
- fixed rekeyed child deletion during another exchange;
- improved basic exchange logging readability;
- use "/32" netmask by default on initiator if not provided by responder;
- use "policy-template-group" parameter when picking proposal as initiator;
- use "policy-template-group" parameter when picking proposal as initiator;
- fixed framed IP address received from RADIUS server;
- added support for multiple split networks;
- delay rekeyed peer outbound SA installation;
- improved half-open connection handling;
- kill connection when peer changes address;
- use peer configuration address when available on empty TSi;
- delay rekeyed peer outbound SA installation;
- improved half-open connection handling;
- added support for multiple split networks;
- check identities on "initial-contact";
- do not allow configuring nat-traversal;
- fixed PH1 lifetime reset on boot;
- fixed initiator DDoS cookie processing;
- fixed responder DDoS cookie first notify type check;
- kill connection when peer changes address;
- use peer configuration address when available on empty TSi;
- allow multiple child SA traffic selectors on re-key;
- fixed last EAP authentication payload type;
- fixed policy release during SA negotiation;
- fixed RSA authentication without EAP;
- fixed situation when traffic selector prefix was parsed incorrectly;
- fixed rare kernel failure on address acquire;
- fixed situation when traffic selector prefix was parsed incorrectly;
- allow multiple child SA traffic selectors on re-key;
- always replace empty TSi with configured address if it is available;
- check child state before allowing rekey;
- default to /32 peer address mask;
- fixed CTR mode;
- fixed EAP message length;
- fixed ISA handler object removal on SA delete;
- fixed RSA authentication without EAP;
- fixed disabled DPD;
- fixed last EAP auth payload type;
- fixed ph2 state when sending notify;
- fixed policy release during SA negotiation;
- fixed state when sending delete packet;
- improved logging;
- kill only child SAs which are not re-keyed by remote peer;
- log RADIUS timeout message under error topic;
- remove old SA after rekey;
- send EAP identity as user-name RADIUS attribute;
- update "calling_station_id" RADIUS attribute;
- update peer identity after successful EAP authentication;
- also kill IKEv2 connections on proposal change;
- always limit empty remote selector;
- fixed proposal change crash;
- fixed responder subsequent new child creation when PFS is used;
- fixed responder TS updating on wild match;
- allow empty selectors to reach policy handler;
- auto-negotiate split nets;
- default to tunnel mode in setups without policy;
- fixed error packet from initiator on responder reply;
- fixed initiator TS updating;
- fixed ph1 initial-contact rare desync;
- fixed policy setting for /0 selector with different address families;
- fixed split policy active flag;
- fixed traffic selector prefix calculation;
- fixed xauth add check;
- include identity in peer address info;
- log empty TS payload;
- minor logging update;
- show peer identity of connected peers;
- traffic selector improvements;
- update also local port when peer changes port;
- use first split net for empty TS;
- use standard retransmission timers for DPD;
- XAuth-like auth method with user support;