MikroTik Changelog Tracker

Component: ike2

155 changelog entries across 45 version(s)

6.46 Stable 2019-Dec-02 (6 years ago)
  • improved CHILD SA rekey process with Apple iOS 13;
  • improved stability when retransmitting first packet as responder;
6.45.7 Stable 2019-Oct-24 (6 years ago)
  • fixed phase 1 rekeying (introduced in v6.45);
6.44.6 Long-term 2019-Oct-24 (6 years ago)
  • fixed policy port selection for responder with natted initiator;
  • fixed traffic selector address family selection when using IPv6;
6.45.5 Stable 2019-Aug-26 (6 years ago)
  • don't release policy on rekey when child not found;
  • fixed ID validation with multiple SAN;
  • fixed policy port selection for responder with natted initiator;
  • fixed traffic selector address family selection when using IPv6;
  • improved rekeying process with Windows initiators;
  • properly start all initiators to the same remote address;
6.45.1 Stable 2019-Jun-27 (6 years ago)
  • added support for ECDSA certificate authentication (rfc4754);
  • added support for IKE SA rekeying for initiator;
  • do not send "User-Name" attribute to RADIUS server if not provided;
  • improved certificate verification when multiple CA certificates received from responder;
  • improved child SA rekeying process;
  • improved XAuth identity conversion on upgrade;
  • prefer SAN instead of DN from certificate for ID payload;
6.44 Stable 2019-Feb-25 (7 years ago)
  • improved subsequent phase 2 initialization when no children exist;
  • properly handle certificates with empty "Subject";
  • retry RSA signature validation with deduced digest from certificate;
  • send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
  • show weak pre-shared-key warning;
  • added option to specify certificate chain;
  • added peer identity validation for RSA auth (disabled after upgrade);
  • allow to match responder peer by "my-id=fqdn" field;
  • fixed local address lookup when initiating new connection;
6.42.9 Long-term 2018-Sep-27 (7 years ago)
  • fixed rare authentication and encryption key mismatches after rekey with PFS enabled;
  • improved subsequent phase 2 initialization when no child exists;
6.43.1 Stable 2018-Sep-17 (7 years ago)
  • fixed rare authentication and encryption key mismatches after rekey with PFS enabled;
6.43 Stable 2018-Sep-06 (7 years ago)
  • fixed initiator first policy selection;
  • fixed rekeyed child deletion during another exchange;
  • improved basic exchange logging readability;
  • use "/32" netmask by default on initiator if not provided by responder;
6.40.8 Long-term 2018-Apr-23 (7 years ago)
  • use "policy-template-group" parameter when picking proposal as initiator;
6.42.1 Stable 2018-Apr-23 (7 years ago)
  • use "policy-template-group" parameter when picking proposal as initiator;
6.42 Stable 2018-Apr-13 (7 years ago)
  • fixed framed IP address received from RADIUS server;
6.40.6 Long-term 2018-Feb-20 (8 years ago)
  • added support for multiple split networks;
  • delay rekeyed peer outbound SA installation;
  • improve half-open connection handling;
  • kill connection when peer changes address;
  • use peer configuration address when available on empty TSi;
6.41.1 Stable 2018-Jan-30 (8 years ago)
  • delay rekeyed peer outbound SA installation;
  • improve half-open connection handling;
6.41 Stable 2017-Dec-22 (8 years ago)
  • added support for multiple split networks;
  • check identities on "initial-contact";
  • do not allow to configure nat-traversal;
  • fixed PH1 lifetime reset on boot;
  • fixed initiator DDoS cookie processing;
  • fixed responder DDoS cookie first notify type check;
  • kill connection when peer changes address;
  • use peer configuration address when available on empty TSi;
6.38.7 Long-term 2017-Jun-20 (8 years ago)
  • allow multiple child SA traffic selectors on re-key;
  • fixed last EAP authentication payload type;
  • fixed policy release during SA negotiation;
  • fixed RSA authentication without EAP;
  • fixed situation when traffic selector prefix was parsed incorrectly;
6.39.2 Stable 2017-Jun-01 (8 years ago)
  • fixed rare kernel failure on address acquire;
  • fixed situation when traffic selector prefix was parsed incorrectly;
6.39 Stable 2017-Apr-27 (8 years ago)
  • allow multiple child SA traffic selectors on re-key;
  • always replace empty TSi with configured address if it is available;
  • check child state before allowing rekey;
  • default to /32 peer address mask;
  • fixed CTR mode;
  • fixed EAP message length;
  • fixed ISA handler object removal on SA delete;
  • fixed RSA authentication without EAP;
  • fixed disabled DPD;
  • fixed last EAP auth payload type;
  • fixed ph2 state when sending notify;
  • fixed policy release during SA negotiation;
  • fixed state when sending delete packet;
  • improved logging;
  • kill only child SAs which are not re-keyed by remote peer;
  • log RADIUS timeout message under error topic;
  • remove old SA after rekey;
  • send EAP identity as user-name RADIUS attribute;
  • update "calling_station_id" RADIUS attribute;
  • update peer identity after successful EAP authentication;
6.38.4 Stable 2017-Mar-08 (8 years ago)
  • also kill IKEv2 connections on proposal change;
  • always limit empty remote selector;
  • fixed proposal change crash;
  • fixed responder subsequent new child creation when PFS is used;
  • fixed responder TS updating on wild match;
6.38.1 Stable 2017-Jan-13 (9 years ago)
  • allow empty selectors to reach policy handler;
  • auto-negotiate split nets;
  • default to tunnel mode in setups without policy;
  • fixed error packet from initiator on responder reply;
  • fixed initiator TS updating;
  • fixed ph1 initial-contact rare desync;
  • fixed policy setting for /0 selector with different address families;
  • fixed split policy active flag;
  • fixed traffic selector prefix calculation;
  • fixed xauth add check;
  • include identity in peer address info;
  • log empty TS payload;
  • minor logging update;
  • show peer identity of connected peers;
  • traffic selector improvements;
  • update also local port when peer changes port;
  • use first split net for empty TS;
  • use standard retransmission timers for DPD;
  • xauth like auth method with user support;