1Version history: 2---------------- 30.8.x CVS (no official release yet) 4 o A lot of code cleanup 5 o XXX TODO 6 70.8.2 - 27 February 2014 8 o Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev) 9 o Fix source port selection regression from version 0.8.1 10 o Various logging improvements 11 o Additional compliance and build fixes 12 130.8.1 - 08 January 2013 14 o Improved X.509 subject name comparation (Götz Babin-Ebell) 15 o Relax DPD cookie check for Cisco IOS compatibility (Roman Antink) 16 o Allow simplified syntax for inherited remote blocks (Roman Antink) 17 o Never shring pfkey socket buffer (Marcelo Leitner) 18 o Privilege separation child process exit fix 19 o Multiple memory allocation and use-after-free fixes 20 210.8 - 18 March 2011 22 o Fix authentication method ambiguity with kerberos and xauth 23 o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman) 24 o Local address code rewrite to speed things up 25 o Improved MIPv6 support (Arnaud Ebalard) 26 o ISAKMP SA (phase1) rekeying 27 o Improved scheduler (faster algorithm, support monotonic clock) 28 o Handle RESPONDER-LIFETIME in quick mode 29 o Handle INITIAL-CONTACT in from main mode too 30 o Rewritten event handling framework for admin port 31 o Ability to initiate IPsec SA through admin port 32 o NAT-T Original Address handling (transport mode NAT-T support) 33 o Remove various obsolete configuration options 34 o A lot of other bug fixes, performance improvements and clean ups 35 360.7.1 - 23 July 2008 37 o Fixes a memory leak when invalid proposal received 38 o Some fixes in DPD 39 o do not set default gss id if xauth is used 40 o fixed hybrid enabled builds 41 o fixed compilation on FreeBSD8 42 o cleanup in network port value manipulation 43 o Gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in 44 purge_ipsec_spi() 45 o Generates a log if cert validation has been disabled by 46 configuration 47 o better handling for pfkey socket read errors 48 o Fixes in yacc / bison stuff 49 o new plog() macro (reduced CPU usage when logging is disabled) 50 o Try to work better with huge SPD/SAD 51 o Corrected modecfg option syntax 52 530.7 - 09 August 2007 54 o Xauth with pre-shared key PSK 55 o Xauth with certificates 56 o SHA2 support 57 o pkcs7 support 58 o system accounting (utmp) 59 o Darwin support 60 o configuration can be reloaded 61 o Support for UNIQUE generated policies 62 o Support for semi anonymous sainfos 63 o Support for ph1id to remoteid matching 64 o Plain RSA authentication 65 o Native LDAP support for Xauth and modecfg 66 o Group membership checks for Xauth and sainfo selection 67 o Camellia cipher support 68 o IKE Fragment force option 69 o Modecfg SplitNet attribute support 70 o Modecfg SplitDNS attribute support ( server side ) 71 o Modecfg Default Domain attribute support 72 o Modecfg DNS/WINS server multiple attribute support 73 740.6 - 27 June 2005 75 o Generated policies are now correctly flushed 76 o NAT-T works with multiple peers behind the NAT (need kernel support) 77 o Xauth can use shadow passwords 78 o TCP-MD5 support 79 o PAM support for Xauth 80 o Privilege separation 81 o ESP fragmentation in tunnel mode can be tunned (NetBSD only) 82 o racoon admin interface is exported (header and library) to 83 help building control programs for racoon (think GUI) 84 o Fixed single DES support; single DES users MUST UPGRADE. 85 860.5 - 10 April 2005 87 o Rewritten buildsystem. Now completely autoconfed, automaked, 88 libtoolized. 89 o IPsec-tools now compiles on NetBSD and FreeBSD again. 90 o Support for server-side hybrid authentication, with full 91 RADIUS supoort. This is interoperable with the Cisco VPN client. 92 o Support for client-side hybrid authentication (Tested only with 93 a racoon server) 94 o ISAKMP mode config support 95 o IKE fragmentation support 96 o Fixed FWD policy support. 97 o Fixed IPv6 compilation. 98 o Readline is optional, fixed setkey when compiled without readline. 99 o Configurable Root-CA certificate. 100 o Dead Peer Detection (DPD) support. 101 1020.4rc1 - 09 August 2004 103 o Merged support for PlainRSA keys from the 'plainrsa' branch. 104 o Inheritance of 'remote{}' sections. 105 o Support for SPD policy priorities in setkey. 106 o Ciphers are now used through the 'EVP' interface which allows 107 using hardware crypto accelerators. 108 o Setkey has new option -n (no action). 109 o All source files now have 3-clause BSD license. 110 1110.3 - 14 April 2004 112 o Fixed setkey to handle multiline commands again. 113 o Added command 'exit' to setkey. 114 o Fixed racoon to only Warn if no CRL was found. 115 o Improved testsuite. 116 1170.3rc5 - 05 April 2004 118 o Security bugfix WRT handling X.509 signatures. 119 o Stability fix WRT unknown PF_KEY messages. 120 o Fixed NAT-T with more proposals (e.g. more crypto algos). 121 o Setkey parses lines one by one => doesn't exit on errors. 122 o Setkey supports readline => more user friendly. 123 1240.3rc4 - 25 March 2004 125 o Fixed adding "null" encryption via 'setkey'. 126 o Fixed segfault when using AES in Phase1 with OpenSSL>=0.9.7 127 o Fixed NAT-T in aggressive mode. 128 o Fixed testsuite and added testsuite run into make check. 129 1300.3rc3 - 19 March 2004 131 o Fixed compilation error with --enble-yydebug 132 o Better diagnostic when proposals don't match. 133 o Changed/added options to setkey. 134 1350.3rc2 - 11 March 2004 136 o Added documentation for NAT-T 137 o Better NAT-T diagnostic. 138 o Test and workaround for missing va_copy() 139 1400.3rc1 - 04 March 2004 141 o Support for NAT Traversal (NAT-T) 142 1430.2.4 - 29 January 2004 144 o Sync with KAME as of 2004-01-07 145 o Fixed unauthorized deletion of SA in racoon (again). 146 1470.2.3 - 15 January 2004 148 o Support for SA lifetime specified in bytes 149 (see setkey -bs/-bh options) 150 o Enhance support for OpenSSL 0.9.7 151 o Let racoon be more verbose 152 o Fixed some simple bugs (see ChangeLog for details) 153 o Fixed unauthorized deletion of SA in racoon 154 o Fixed problems on AMD64 155 o Ignore multicast addresses for IKE 156 1570.2.2 - 13 March 2003 158 o Fix racoon to build on some systems that require linking against -lfl 159 o add an RPM spec to the distribution 160 1610.2.1 - 07 March 2003 162 o Fix some more gcc-3.2.2 compiler warnings 163 o Fix racoon to actually configure with ssl in a non-standard location 164 o Fix racoon to not complain if krb5-config is not installed 165 1660.2 - 06 March 2003 167 o Glibc-2.3 support 168 o OpenSSL-0.9.7 support 169 o Fixed duplicate-macro problems 170 o Fix racoon lex/yacc support 171 o Install psk.txt mode 600, racoon.conf mode 644 172 o Fix racoon to look in the correct directory for config files 173 1740.1 - 03 March 2003 175 o Initial release of IPsec-Tools 176