8.161. openswan

Updated openswan packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services, which allow secure tunnels to be built through untrusted networks.

Bug Fixes

BZ#739949
When using the protoport option in combination with the type=passthrough setting to exclude traffic from encryption, an incorrect inverse policy was installed and the exclusion was not successful. Now, the correct policy is installed in the described situation.
BZ#834397
Starting multiple connections with the leftsubnets= or auto=start options led to a crypto overload and subsequent restart of Openswan. The pluto cryptohelper has been fixed to prevent the overload.
BZ#970279
The ikev2=insist setting was not enforced on the responder side, allowing an IKEv1 connection to be established instead. This bug has been fixed and ikev2=insist is no longer ignored.
BZ#970349
This update fixes multiple lingering states after reestablishing IKEv2 keys.
BZ#988106
This update enforces the limits set with the esp, phase1alg, and phase2alg options. Previously, any algorithm of the default set (aes, 3des, sha1, md5) was always allowed, regardless of the above options.
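As an added illustration (not part of this errata), the following ipsec.conf connection uses the options these two fixes concern: algorithm pinning with ike=/esp= and refusing IKEv1 fallback with ikev2=insist. Connection name, addresses and subnets are constructed placeholders.

```ini
# Added example, not from the Red Hat errata. Before the fixes for
# BZ#988106 and BZ#970279, ike=/esp= did not exclude the default set
# (aes, 3des, sha1, md5) and ikev2=insist was not enforced on the
# responder, so a tunnel written like this could still negotiate
# weaker algorithms or IKEv1 than the configuration appears to require.
conn pinned-tunnel
    # constructed: local gateway and protected network
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    # constructed: remote gateway and protected network
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    # pre-shared key lives in ipsec.secrets (not shown)
    authby=secret
    # refuse to fall back to IKEv1 (BZ#970279 makes this hold on the responder)
    ikev2=insist
    # IKE (phase 1): cipher-integrity;DH group. phase1alg= is an alias for ike=.
    # IKEv2 with SHA2 is the combination that crashed pluto before BZ#1021961.
    ike=aes256-sha2_256;modp2048
    # ESP (phase 2): phase2alg= is an alias for esp=.
    esp=aes256-sha2_256
    auto=start
```

With the updated packages a peer proposing 3des or md5 for this connection is rejected rather than silently accepted.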
BZ#993124
IKEv2 delete payloads were not always properly delivered to the remote peer, leaving the remote endpoint with lingering unused connections. Now, IKEv2 delete payloads are delivered as expected.
BZ#1002708
This update modifies the rightid=%fromcert option to load IDs from the local certificate when set for the local end, and from the certificate delivered by the remote peer when set for the peer end.
BZ#1019746
The "ipsec ikeping" command did not recognize the --exchangenum option. This option is now recognized correctly.
BZ#1021961
This update fixes a crash of the IKE pluto daemon when using the SHA2 encryption family with the ike= option with IKEv2.
BZ#1041576
Openswan no longer drops various privileges too soon, which prevented it from reading configuration files in directories not owned by root.
BZ#1050340
The IKE pluto daemon occasionally crashed and restarted when referencing missing IKEv2 payloads. Openswan's state machine has been updated to reject packets with missing payloads.
BZ#1070356
This update fixes the compatibility problems with older versions of Cisco VPN introduced in the previous update of the openswan packages.
BZ#1088656
After restarting the remote endpoint, the sourceip option was not properly reset in the local route entry. This bug has been fixed.
BZ#1092913
If there was no NSS database available, the IKE pluto daemon created a nonfunctional replacement. A missing NSS database is now created before the pluto daemon starts and in the %post phase of the package install, which fixes this bug.
BZ#1098473
The "ipsec newhostkey" command did not return a correct non-zero exit code in case of failure, for example when generating keys of insufficient strength. Now, ipsec newhostkey returns the correct exit code.
BZ#1114683
Configuring an AH algorithm for IKEv2, or various non-standard ESP algorithms for IKEv1 or IKEv2 (such as CAST, RIPEMD160 or CAMELLIA) caused the IKE pluto daemon to terminate unexpectedly and restart. This bug has been fixed and pluto no longer crashes when AH or ESP algorithms are configured.
BZ#1126066
Using the "force_busy=yes" developer option to force anti-DDOS mode in IKEv2 caused the IKE pluto daemon to crash and restart. This bug has been fixed and pluto no longer crashes in the described situation.
In addition, this update adds the following

Enhancement

BZ#730975, BZ#1018327, BZ#1099871, BZ#1105179
This update enhances and clarifies man pages shipped with the openswan packages.
Users of openswan are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.