Add what's new in strongswan 6.0
strongX509 authored and tobiasbrunner committed Nov 25, 2024
1 parent dd19eee commit 3bb0d2b
Showing 3 changed files with 139 additions and 0 deletions.
3 changes: 3 additions & 0 deletions docs/modules/ROOT/nav.adoc
@@ -1,3 +1,6 @@
.News
** xref:news/whatsNew.adoc[]

* xref:howtos/introduction.adoc[]
* xref:howtos/ipsecProtocol.adoc[]
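Review bot: the new nav entry is a second-level `**` item placed directly under the `.News` block title, while the entries that follow it (`* xref:howtos/introduction.adoc[]`, `* xref:howtos/ipsecProtocol.adoc[]`) are first-level `*` items, so the file now opens with a nested item that has no parent item. Unless the rest of nav.adoc nests the first entry under each block title the same way, `* xref:news/whatsNew.adoc[]` keeps the list levels consistent.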
1 change: 1 addition & 0 deletions docs/modules/ROOT/pages/index.adoc
@@ -2,6 +2,7 @@

== Introduction

* xref:news/whatsNew.adoc[]
* xref:howtos/introduction.adoc[An introduction to strongSwan]

== Configuration Examples
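Review bot: the added `* xref:news/whatsNew.adoc[]` has empty link text while its sibling spells the text out (`[An introduction to strongSwan]`). The empty brackets fall back to the target page's title, which renders, but for a uniform Introduction list consider giving this entry explicit link text as well.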
135 changes: 135 additions & 0 deletions docs/modules/ROOT/pages/news/whatsNew.adoc
@@ -0,0 +1,135 @@
= What's New in strongSwan 6.0

:RELEASES: https://github.com/strongswan/strongswan/releases
:BOTAN: https://botan.randombit.net/
:WOLFSSL: https://www.wolfssl.com/
:AWSLC: https://aws.amazon.com/security/opensource/cryptography/
:GMP: https://gmplib.org/
:OPENSSL: https://openssl.org/

TIP: Please refer to the {RELEASES}[*full release notes*] for a complete list of
changes.

== Plugins

=== New Plugin

The following new `*libstrongswan*` plugin has been *added*:

[cols="5,22"]
|===
|Plugin Name |Description

|ml
|Module-Lattice-based crypto (ML-KEM)

|===

NOTE: ML-KEM is also supported via {BOTAN}[Botan] (`*botan*` plugin),
{WOLFSSL}[wolfSSL] (`*wolfssl*` plugin), and {AWSLC}[AWS-LC] (`*openssl*` plugin).

=== Removed Plugins

The following deprecated `*libstrongswan*` plugins have been *removed*:

[cols="5,22"]
|===
|Plugin Name |Description

|bliss
|Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme

|newhope
|Key exchange based on post-quantum computer New Hope algorithm

|ntru
|Key exchange based on post-quantum computer NTRU encryption
|===

=== Default Plugins

The powerful `*openssl*` crypto plugin is now *enabled* by default:

[cols="5,22"]
|===
|Plugin Name |Description

|openssl
|Crypto backend based on the {OPENSSL}[OpenSSL] library
|===

Due to the nearly all-encompassing capabilities of the `*openssl*` default
crypto plugin, the following `*libstrongswan*` plugins are *not enabled* by
default anymore:

[cols="5,22"]
|===
|Plugin Name |Description

|aes
|AES-128/192/256 cipher software implementation

|curve25519
|X25519 DH group and Ed25519 public key authentication

|des
|DES/3DES cipher software implementation

|fips-prf
|PRF specified by FIPS, used by EAP-SIM/AKA algorithms

|gmp
|RSA/DH crypto backend based on {GMP}[libgmp]

|hmac
|HMAC wrapper using various hashers

|md5
|MD5 hasher software implementation

|pkcs12
|PKCS#12 decoding routines

|rc2
|RC2 cipher software implementation

|sha1
|SHA1 hasher software implementation

|sha2
|SHA-2 hasher software implementation
|===

IMPORTANT: The legacy `*stroke*` management interface has been deprecated for many
years and has been replaced by the versatile xref:plugins/vici.adoc[`*vici*`]
management interface. Thus with strongSwan 6.0, the `*stroke*` plugin
is *not enabled* by default anymore and has to be built separately.

[cols="5,22"]
|===
|Plugin Name |Description

|stroke
|Deprecated stroke configuration/control backend used with ipsec script and starter
|===

Thus the xref:/plugins/plugins.adoc#_default_plugins[following 25 plugins] are now
enabled by xref:/plugins/plugins.adoc#_default_plugins[default].

== Configuration Options

The following xref:config/strongswanConf.adoc#_charon[`*strongswan.conf*`]
configuration option is now enabled by default:

[cols="4,1,8"]
|===
|*Key*|*Default*|*Description [Default]*

|make_before_break |`yes`
|Initiate IKEv2 reauthentication with a *make-before-break* instead of a
*break-before-make* scheme. Make-before-break uses overlapping `IKE` and `CHILD SA`
during reauthentication by first recreating all new SAs before deleting the old
ones. This behavior can be beneficial to avoid connectivity gaps during
reauthentication, but requires support for overlapping SAs by the peer.
strongSwan can handle such overlapping SAs since version 5.3.0
|===
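Review bot: the two cross-references after the stroke table use an absolute path, `xref:/plugins/plugins.adoc#_default_plugins[...]`, whereas every other xref in this file (`xref:plugins/vici.adoc[...]`, `xref:config/strongswanConf.adoc#_charon[...]`) is relative without a leading slash; drop the slash so both links resolve the same way as the rest. The hard-coded count in `following 25 plugins` will go stale as soon as the default plugin set changes and is better left to the linked page. In the `make_before_break` table the header `*Description [Default]*` implies the description states the default, but the cell neither repeats `yes` nor says what the default was before 6.0, which is what an upgrader reading a "what's new" page needs; it also ends without a period after `version 5.3.0`.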
