Component: ipsec

6.43rc4 Testing 2018-Apr-23 (8 years ago)

• added "responder" parameter for "mode-config" to allow multiple initiator configurations (CLI only);
• added "src-address-list" parameter for "mode-config" that generates dynamic "src-nat" rule (CLI only);
• install all DNS server addresses provided by "mode-config" server;

6.43rc3 Testing 2018-Apr-20 (8 years ago)

• added "responder" parameter for "mode-config" to allow multiple initiator configurations (CLI only);
• added "src-address-list" parameter for "mode-config" that generates dynamic "src-nat" rule (CLI only);
• added warning messages for incorrect peer configuration;
• do not allow removal of "proposal" and "mode-config" entries that are in use;
• separate phase1 proposal configuration from peer menu (CLI only);

6.42 Stable 2018-Apr-13 (8 years ago)

• fixed AES-CTR and AES-GCM support on RB1200;
• improved single tunnel hardware acceleration performance on MMIPS devices;
• properly detect interface for "mode-config" client IP address assignment;

6.42rc41 Testing 2018-Mar-09 (8 years ago)

• improved single tunnel hardware acceleration performance on MMIPS platform devices;

6.40.6 Long-term 2018-Feb-20 (8 years ago)

• fixed incorrect esp proposal key size usage;
• properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;

6.42rc30 Testing 2018-Feb-20 (8 years ago)

• properly detect interface for "mode-config" client IP address assignment;

6.42rc28 Testing 2018-Feb-16 (8 years ago)

• properly detect interface for "mode-config" client IP address assignment;

6.41.1 Stable 2018-Jan-30 (8 years ago)

• properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;

6.42rc11 Testing 2018-Jan-18 (8 years ago)

• fixed AES-CTR and AES-GCM support on RB1200;

6.42rc9 Testing 2018-Jan-15 (8 years ago)

• properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;

6.41 Stable 2017-Dec-22 (8 years ago)

• added DH groups 19, 20 and 21 support for phase1 and phase2;
• allow to specify "remote-peer" address as DNS name;
• fixed incorrect esp proposal key size usage;
• fixed policy enable/disable;
• improved hardware accelerated IPSec performance on 750Gr3;
• improved reliability on certificate usage;
• renamed "firewall" argument to "notrack-chain" in peer configuration;
• skip invalid policies for phase2;

6.41rc66 Testing 2017-Dec-14 (8 years ago)

• improved hardware accelerated IPSec performance on 750Gr3;

6.40.5 Stable 2017-Oct-31 (8 years ago)

• fixed lost value for "remote-certificate" parameter after disable/enable;

6.41rc47 Testing 2017-Oct-18 (8 years ago)

• fixed incorrect esp proposal key size usage;

6.39.3 Long-term 2017-Oct-12 (8 years ago)

• do not deduct "dst-address" from "sa-dst-address" for "/0" policies;

6.41rc44 Testing 2017-Oct-11 (8 years ago)

• added DH groups 19, 20 and 21 support for phase1 and phase2;
• fixed lost value for "remote-certificate" parameter after disable/enable;
• fixed policy enable/disable;
• improved reliability on certificate usage;
• skip invalid policies for phase2;

6.40.4 Stable 2017-Oct-02 (8 years ago)

• kill PH1 on "mode-config" address failure;

6.38.7 Long-term 2017-Jun-20 (8 years ago)

• do not deduct policy src/dst address for tunnel policies;
• fixed generated policy priority;
• fixed peer "my-id" address reset;

6.39.2 Stable 2017-Jun-01 (8 years ago)

• fixed generated policy priority;
• fixed peer "my-id" address reset;
• renamed "remote-dynamic-address" to "dynamic-address";

6.39 Stable 2017-Apr-27 (9 years ago)

• added "last-seen" parameter to active connection list;
• allow mixing aead algorithms in proposal;
• better responder flag calculator for console;
• disallow AH+ESP combined policies ;
• do not loose "use-ipsec=yes" parameter after downgrade;
• enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
• fixed "/ip ipsec policy group export verbose";
• fixed "mode-cfg" verbose export;
• fixed SA authentication flag;
• renamed "hw-authenc" flag to "hw-aead";
• show hardware accelerated authenticated SAs;
• updated tilera classifier for UDP encapsulated ESP;

6.38.4 Stable 2017-Mar-08 (9 years ago)

• deducted policy SA src/dst address from src/dst address;
• do not require "sa-dst-address" if "action=none" or "action=discard";
• fixed SA address check in policy lookup;
• hide SA address for transport policies;
• keep policy in kernel even with bad proposal;
• kill ph2 on policy removal;
• updated/fixed Radius attributes;

6.38.1 Stable 2017-Jan-13 (9 years ago)

• added ability to kill particular remote-peer;
• fixed flush speed and SAs on startup;
• fixed peer port export;
• port is used only for initiators;

6.37.4 Long-term 2017-Jan-13 (9 years ago)

• fixed kernel failure on tile with sha256 when hardware encryption is not being used;

6.38 Stable 2016-Dec-30 (9 years ago)

• added ability to specify static IP address at "send-dns" option;
• added ph2 accounting for each policy "/ip ipsec policy ph2-count";
• allow to specify explicit split dns address;
• changed logging topic from error to debug when empty pfkey messages are received;
• do not auto-negotiate more SAs than needed;
• ensure generated policy refers to valid proposal;
• fixed camellia crypto algorithm module loading;
• fixed IPv6 remote prefix;
• fixed kernel failure on tile with sha256 when hardware encryption is not being used;
• fixed peer configuration my-id IPv4 address endianness;
• fixed ph2 auto-negotiation by checking policies in correct order;
• load ipv6 related modules only when ipv6 package is enabled;
• make generated policies always as unique;
• non passive peers will also establish SAs from policy without waiting for the first packet;
• optimized logging under ipsec topic;
• show active flag when policy has active SA;
• show SA "enc-key-size";
• split "mode-config" and "send-dns" arguments;

6.37.2 Stable 2016-Nov-08 (9 years ago)

• changed logging topic from error to debug for ph2 transform mismatch messages;