Release and vulnerability announcements for strongSwan

strongSwan 5.9.0 Released

We are happy to announce the release of strongSwan 5.9.0, which prefers AES-GCM for ESP, comes with several updates to the NetworkManager plugin/backend and the VICI plugin, and brings other new features and fixes.

AES-GCM Preferred for ESP

We now prefer AEAD algorithms for ESP: the default ESP proposals start with a separate AEAD proposal offering AES-GCM, placed in front of the existing (non-AEAD) default proposal. A peer that supports AES-GCM will therefore negotiate it, while other peers still match the existing proposal. This only affects the default proposals; an explicitly configured esp_proposals setting is used as configured.
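To make the AEAD/non-AEAD distinction concrete, here is an added example (not strongSwan project code) that parses proposal strings in the swanctl.conf syntax (algorithm keywords joined by "-", proposals separated by ","), classifies each proposal as AEAD or not, and reorders a list so that AEAD proposals come first, as the 5.9.0 defaults do. The keyword table is a constructed subset of strongSwan's keywords, and the handling of mixed or invalid proposals is this example's own policy, not a statement about strongSwan's parser.

```python
"""Parse strongSwan-style ESP proposal strings and order AEAD proposals first.

Added example, not strongSwan project code.  Uses the swanctl.conf proposal
syntax with a constructed subset of the keyword table (assumption: the real
table is larger) and mirrors the 5.9.0 preference of listing AEAD proposals
in front of non-AEAD ones.
"""
import re
from dataclasses import dataclass, field

# Constructed subset of strongSwan algorithm keywords.
AEAD_RE = re.compile(r"^(aes(128|192|256)(gcm|ccm)(8|12|16|64|96|128)|chacha20poly1305)$")
CIPHER_RE = re.compile(r"^(aes(128|192|256)|camellia(128|192|256)|3des|null)$")
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc", "aescmac"}
DH_RE = re.compile(r"^(modp\d{4}|ecp\d{3}(bp)?|x25519|x448|curve25519|curve448)$")
ESN = {"esn", "noesn"}


@dataclass
class Proposal:
    aead: list = field(default_factory=list)
    cipher: list = field(default_factory=list)
    integ: list = field(default_factory=list)
    dh: list = field(default_factory=list)
    esn: list = field(default_factory=list)

    def is_aead(self):
        # A proposal is AEAD only if every cipher in it is an AEAD cipher.
        return bool(self.aead) and not self.cipher

    def __str__(self):
        return "-".join(self.aead + self.cipher + self.integ + self.dh + self.esn)


def parse_proposal(text):
    """Classify each keyword of one proposal; unknown keywords are an error."""
    p = Proposal()
    for kw in text.strip().split("-"):
        if AEAD_RE.match(kw):
            p.aead.append(kw)
        elif CIPHER_RE.match(kw):
            p.cipher.append(kw)
        elif kw in INTEG:
            p.integ.append(kw)
        elif DH_RE.match(kw):
            p.dh.append(kw)
        elif kw in ESN:
            p.esn.append(kw)
        else:
            raise ValueError(f"unknown algorithm keyword: {kw!r}")
    return p


def split_mixed(p):
    """Split a proposal mixing AEAD and non-AEAD ciphers into two proposals.

    An AEAD cipher authenticates on its own, so a separate integrity algorithm
    only belongs with the non-AEAD half.  Assumption: this policy is the
    example's own, not a claim about how strongSwan treats such strings.
    """
    if p.aead and p.cipher:
        return [Proposal(aead=p.aead, dh=p.dh, esn=p.esn),
                Proposal(cipher=p.cipher, integ=p.integ, dh=p.dh, esn=p.esn)]
    if p.aead and p.integ:
        raise ValueError(f"AEAD proposal {p} must not name an integrity algorithm")
    if p.cipher and not p.integ:
        raise ValueError(f"non-AEAD ESP proposal {p} needs an integrity algorithm")
    return [p]


def prefer_aead(proposals):
    """Reorder a comma-separated proposal list so AEAD proposals come first.

    Order inside each group is kept, matching the 5.9.0 placement of the AEAD
    default proposal in front of the existing default proposal.
    """
    parsed = []
    for chunk in proposals.split(","):
        parsed.extend(split_mixed(parse_proposal(chunk)))
    ordered = [p for p in parsed if p.is_aead()] + [p for p in parsed if not p.is_aead()]
    return ",".join(str(p) for p in ordered)


def check(proposals):
    """Return None if the proposal list is acceptable, else the error message."""
    try:
        prefer_aead(proposals)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a non-AEAD proposal listed before an AEAD one.
    print(prefer_aead("aes128-sha256-x25519,aes128gcm16-x25519"))
```

Running the block reorders the constructed sample to put aes128gcm16-x25519 first; feeding it a string such as aes128gcm16-sha256-x25519 is reported as an error, since pairing an AEAD cipher with a separate integrity algorithm is the most common mistake when switching an ESP proposal to AES-GCM.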

NetworkManager Plugin/Backend Updates

Password entry for private keys in the NetworkManager plugin has been fixed, the height of the dialog has been reduced by using tabs for options/proposals, and the AppStream metadata has been migrated from appdata to metainfo.

The NM backend (charon-nm) now clears cached credentials when a connection is terminated, the DPD action and close action are both set to restart, and custom remote traffic selectors can be configured via the remote-ts option (there is no GUI support for it, so it can only be set via nmcli or directly in the connection's config file).

VICI-Plugin Updates

The vici plugin now stores all CA certificates in one place, which avoids issues when unloading authority sections or clearing all credentials. When unloading a connection that has start_action=start, any related IKE_SAs without CHILD_SAs are now terminated, including those still in the CONNECTING state. Connections are now stored in a hashtable, which makes managing a large number of connections faster; our hashtable implementation was changed for this so that it maintains insertion order. The default maximum size for VICI messages (512 KiB) can be changed via a compile option.
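As an added example for the VICI message limit mentioned above (not strongSwan project code and not the project's vici Python library), the following encoder/decoder implements the VICI wire format used by the vici plugin (element type byte; names with a 1-byte length; values and list items with a 2-byte big-endian length; a 4-byte big-endian length prefix in front of each packet) and refuses to frame a request larger than the 512 KiB default. The load-conn message with start_action=start is a constructed sample; the assumption that the limit is checked against the packet length field, and the name MAX_MSGLEN, are this example's own.

```python
"""Encode and decode VICI messages, enforcing the 512 KiB message limit.

Added example, not strongSwan project code.  Implements the vici wire format
(element types 1..6, 1-byte name lengths, 2-byte big-endian value lengths,
4-byte big-endian packet length) for the CMD_REQUEST side.  Assumption: the
limit is applied to the packet length and a build with a different compile
option would use another MAX_MSGLEN.
"""
import struct

SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)
CMD_REQUEST = 0
MAX_MSGLEN = 512 * 1024  # default maximum VICI message size (512 KiB)

# Constructed sample load-conn request; values are illustrative only.
LOAD_CONN = {
    "gw": {
        "remote_addrs": ["192.0.2.1"],
        "version": "2",
        "children": {"net": {"remote_ts": ["10.0.0.0/24"], "start_action": "start"}},
    }
}


def _name(s):
    b = s.encode()
    if len(b) > 255:
        raise ValueError("names are limited to 255 bytes")
    return bytes([len(b)]) + b


def _value(s):
    b = s.encode() if isinstance(s, str) else bytes(s)
    if len(b) > 0xFFFF:
        raise ValueError("values are limited to 65535 bytes")
    return struct.pack("!H", len(b)) + b


def encode(msg):
    """Serialise a nested dict (str -> str | list[str] | dict) to VICI elements."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def _take(data, pos, n):
    if pos + n > len(data):
        raise ValueError("truncated VICI message")
    return data[pos:pos + n], pos + n


def decode(data):
    """Parse VICI elements into a nested dict; malformed input raises ValueError."""
    stack = [{}]   # open sections, innermost last
    lst = None     # the list currently being filled, if any
    pos = 0
    while pos < len(data):
        t, pos = data[pos], pos + 1
        if lst is not None and t not in (LIST_ITEM, LIST_END):
            raise ValueError("only list items are allowed inside a list")
        if t in (SECTION_START, LIST_START, KEY_VALUE):
            raw, pos = _take(data, pos, 1)
            name, pos = _take(data, pos, raw[0])
            name = name.decode()
            if t == SECTION_START:
                stack[-1][name] = sec = {}
                stack.append(sec)
            elif t == LIST_START:
                stack[-1][name] = lst = []
            else:
                raw, pos = _take(data, pos, 2)
                val, pos = _take(data, pos, struct.unpack("!H", raw)[0])
                stack[-1][name] = val.decode()
        elif t == LIST_ITEM:
            raw, pos = _take(data, pos, 2)
            val, pos = _take(data, pos, struct.unpack("!H", raw)[0])
            lst.append(val.decode())
        elif t == LIST_END:
            if lst is None:
                raise ValueError("unbalanced list end")
            lst = None
        elif t == SECTION_END:
            if len(stack) == 1:
                raise ValueError("unbalanced section end")
            stack.pop()
        else:
            raise ValueError(f"unknown element type {t}")
    if len(stack) != 1 or lst is not None:
        raise ValueError("unterminated section or list")
    return stack[0]


def frame_request(command, msg):
    """Build a length-prefixed CMD_REQUEST packet, refusing oversized messages."""
    packet = bytes([CMD_REQUEST]) + _name(command) + encode(msg)
    if len(packet) > MAX_MSGLEN:
        raise ValueError(f"{len(packet)}-byte message exceeds MAX_MSGLEN ({MAX_MSGLEN})")
    return struct.pack("!I", len(packet)) + packet


def fits(msg, command="load-conn"):
    """True if the message can be framed within MAX_MSGLEN."""
    try:
        frame_request(command, msg)
        return True
    except ValueError:
        return False


def is_valid(data):
    """True if the raw element stream decodes cleanly."""
    try:
        decode(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = frame_request("load-conn", LOAD_CONN)
    print(len(pkt), "bytes;", decode(pkt[4 + 1 + 1 + len("load-conn"):]))
```

The decoder is deliberately strict (truncated names or values, unbalanced sections, and nested lists are all rejected) because a daemon-side parser for this format faces untrusted clients on the socket, and the size check is what keeps a client from forcing the receiver to buffer an unbounded message; the same compile option that raises MAX_MSGLEN in charon raises the memory a misbehaving client can make it hold.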

Other Notable Features and Fixes

Download Complete Changelog