MikroTik Changelog Tracker

Component: ipsec

296 changelog entries across 97 version(s)

6.42 Stable 2018-Apr-13 (7 years ago)
  • fixed AES-CTR and AES-GCM support on RB1200;
  • improved single tunnel hardware acceleration performance on MMIPS devices;
  • properly detect interface for "mode-config" client IP address assignment;
6.40.6 Long-term 2018-Feb-20 (8 years ago)
  • fixed incorrect esp proposal key size usage;
  • properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;
6.41.1 Stable 2018-Jan-30 (8 years ago)
  • properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;
6.41 Stable 2017-Dec-22 (8 years ago)
  • added DH groups 19, 20 and 21 support for phase1 and phase2;
  • allow to specify "remote-peer" address as DNS name;
  • fixed incorrect esp proposal key size usage;
  • fixed policy enable/disable;
  • improved hardware accelerated IPSec performance on 750Gr3;
  • improved reliability on certificate usage;
  • renamed "firewall" argument to "notrack-chain" in peer configuration;
  • skip invalid policies for phase2;
6.40.5 Stable 2017-Oct-31 (8 years ago)
  • fixed lost value for "remote-certificate" parameter after disable/enable;
6.39.3 Long-term 2017-Oct-12 (8 years ago)
  • do not deduct "dst-address" from "sa-dst-address" for "/0" policies;
6.40.4 Stable 2017-Oct-02 (8 years ago)
  • kill PH1 on "mode-config" address failure;
6.38.7 Long-term 2017-Jun-20 (8 years ago)
  • do not deduct policy src/dst address for tunnel policies;
  • fixed generated policy priority;
  • fixed peer "my-id" address reset;
6.39.2 Stable 2017-Jun-01 (8 years ago)
  • fixed generated policy priority;
  • fixed peer "my-id" address reset;
  • renamed "remote-dynamic-address" to "dynamic-address";
6.39 Stable 2017-Apr-27 (8 years ago)
  • added "last-seen" parameter to active connection list;
  • allow mixing aead algorithms in proposal;
  • better responder flag calculator for console;
  • disallow AH+ESP combined policies;
  • do not lose "use-ipsec=yes" parameter after downgrade;
  • enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
  • fixed "/ip ipsec policy group export verbose";
  • fixed "mode-cfg" verbose export;
  • fixed SA authentication flag;
  • renamed "hw-authenc" flag to "hw-aead";
  • show hardware accelerated authenticated SAs;
  • updated tilera classifier for UDP encapsulated ESP;
6.38.4 Stable 2017-Mar-08 (8 years ago)
  • deducted policy SA src/dst address from src/dst address;
  • do not require "sa-dst-address" if "action=none" or "action=discard";
  • fixed SA address check in policy lookup;
  • hide SA address for transport policies;
  • keep policy in kernel even with bad proposal;
  • kill ph2 on policy removal;
  • updated/fixed Radius attributes;
6.38.1 Stable 2017-Jan-13 (9 years ago)
  • added ability to kill particular remote-peer;
  • fixed flush speed and SAs on startup;
  • fixed peer port export;
  • port is used only for initiators;
6.37.4 Long-term 2017-Jan-13 (9 years ago)
  • fixed kernel failure on tile with sha256 when hardware encryption is not being used;
6.38 Stable 2016-Dec-30 (9 years ago)
  • added ability to specify static IP address at "send-dns" option;
  • added ph2 accounting for each policy "/ip ipsec policy ph2-count";
  • allow to specify explicit split dns address;
  • changed logging topic from error to debug when empty pfkey messages are received;
  • do not auto-negotiate more SAs than needed;
  • ensure generated policy refers to valid proposal;
  • fixed camellia crypto algorithm module loading;
  • fixed IPv6 remote prefix;
  • fixed kernel failure on tile with sha256 when hardware encryption is not being used;
  • fixed peer configuration my-id IPv4 address endianness;
  • fixed ph2 auto-negotiation by checking policies in correct order;
  • load ipv6 related modules only when ipv6 package is enabled;
  • make generated policies always as unique;
  • non passive peers will also establish SAs from policy without waiting for the first packet;
  • optimized logging under ipsec topic;
  • show active flag when policy has active SA;
  • show SA "enc-key-size";
  • split "mode-config" and "send-dns" arguments;
6.37.2 Stable 2016-Nov-08 (9 years ago)
  • changed logging topic from error to debug for ph2 transform mismatch messages;
6.37 Stable 2016-Sep-23 (9 years ago)
  • fixed crash with enabled fragmentation;
  • fixed dynamic policy not deleted on disconnect for nat-t peers;
  • fixed fragmentation use negotiation;
  • fixed kernel crash when sha512 was used;
6.36.3 Stable 2016-Sep-05 (9 years ago)
  • don't log authtype mismatch as critical;
  • fixed xauth parameter printing in terminal;
6.36 Stable 2016-Jul-20 (9 years ago)
  • add dead ph2 detection exception for windows msgid noncompliance with rfc;
  • added dead ph2 reply detection;
  • don't register temporary ph2 on dead list;
  • fix initiator modecfg dynamic dns;
  • fixed AH with SHA2;
  • fixed checks before accessing ph1 nat options;
  • fixed mode-config export;
  • fixed route cache overflow when using ipsec with route cache disabled;
  • fixed windows msgid check on x86 devices;
  • show remote peer address in error messages when possible;
  • store udp encapsulation type in proposal;
6.35.4 Stable 2016-Jun-09 (9 years ago)
  • fixed mode-config export;
  • fixed route cache overflow when using ipsec with route cache disabled;
6.34.5 Long-term 2016-May-27 (9 years ago)
  • better flush on proposal change;
  • fixed crash on policy update;
6.35 Stable 2016-Apr-14 (9 years ago)
  • always re-key ph1 because it was possible that ph1 without DPD would expire;
  • better flush on proposal change;
  • fixed crash on policy update;
  • fixed fast ph2 SA addition;
  • fixed larval SA refresh for display;
  • fixed multiple consecutive dynamic policy flush;
6.34.4 Stable 2016-Mar-24 (9 years ago)
  • take into account ip protocol in kernel policy matcher;
6.34.2 Stable 2016-Feb-18 (10 years ago)
  • fix console peer aes enc algorithm display;
6.32.4 Long-term 2016-Feb-09 (10 years ago)
  • fixed kernel failure after underlying tunnel has been disabled/enabled;
6.34 Stable 2016-Jan-29 (10 years ago)
  • allow my-id address specification in main mode;
  • prioritize proposals;
  • support multiple DH groups for phase 1;
  • fix phase2 hmac-sha-256-128 truncation len from 96 to 128. This will break compatibility with all previous versions and any other currently compatible software using sha256 hmac for phase2;
  • make sure that dynamic policy always has dynamic flag;
  • fixed active SAs flushing;
  • improved TCP performance on CCRs;