[Announce] Openswan 2.6.33 released

Paul Wouters paul at xelerance.com
Mon Feb 21 17:35:48 EST 2011


Xelerance has released openswan 2.6.33

http://www.openswan.org/download/openswan-2.6.33.tar.gz
http://www.openswan.org/download/openswan-2.6.33.tar.gz.asc

This is a major feature and bugfix release.

KLIPS now fully supports IPv6. The OCF code has seen many improvements
and on SMP machines the AES speed is now roughly 95% of plaintext speed.
An important NAT-T fix resolves some Windows and OSX/iPhone issues and
the NAT-T case where both sides are behind NAT. And the ipsec verify
command now checks for a lot more things on your system.

The full change set for this release follows below.

v2.6.33 (February 18, 2011)
* Merge in the klips-ipv6 branch [David]
* modprobe more crypto modules on startup (gcm, camellia, sha2* etc) [Paul]
* Added %v4:26/8 to virtual_private ("thanks" to T-Mobile/Rogers/FIDO) [Paul]
* Pluto did not start nhelpers due to --nofork, bug introduced in 2.6.32 [Paul]
* OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips [Paul]
* Improved NetworkManager support [Avesh]
   - This is Red Hat bugzilla 642722, 658253, 659709 and 641068
* ipsec verify now also shows parse errors in ipsec.conf [Paul]
* Always build SHA2 family support for IKE [Paul]
* KLIPS: Add a new option to override the replay window via /sys [David]
   (echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)
* Add aesni_intel to the list of crypto modules we attempt to load [Paul]
* enable dumpdir= in stock ipsec.conf for use with abrtd [Paul]
* New per-conn keyword mtu= allows setting the mtu per tunnel [Paul]
* per-conn keyword metric= did not export to userland or updown [Paul/Tuomo]
* Cleaned up and moved some old docs [Paul]
* KLIPS: arp_broken_ops is no longer exported in 2.6.37+ [Paul]
* KLIPS: Fix crasher in ipsec_xmit_state_delete [David]
* Bugtracker bugs fixed:
    # 601 KLIPS: NAT-OA UDP checksum bad in transport mode when both sides are
          NATted [Wolfgang]
    # 645 hundreds of replacements [...]: 000 #3: pending Phase 2 [Anthony Tong]
    #1182 Verification of X509 certificate signed by SHA2 [fryasu at yahoo.co.jp]
    #1183 Fix documentation typo (in ipsec.conf) [Tuomo]
    #1190 nat-t broke on transport mode for klips between 2.6.31 and 2.6.32
          [Paul]
    #1199 when leftsubnet has a different netmask than the localnet, a route
          is added for the localnet to the ipsec device [Tuomo]
    #1201 dpd + ddns does not work [Mattias Walström]
    #1204 Workaround for iPhone/MacOS X NAT problem [Wolfgang Nothdurft]
    #1210 Fails to compile with uClibc >= 0.9.29 [mb at openwrt]
