8.161. openswan

Updated openswan packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services that allow to build secure tunnels through untrusted networks.

Bug Fixes

BZ#739949
When using the protoport option in combination with the type=passthrough setting to exclude traffic from encryption, an incorrect inverse policy was installed and the exclusion was not successful. Now, the correct policy is installed in the described situation.
BZ#834397
Starting multiple connections with the leftsubnets= or auto=start options led to a crypto overload and subsequent restart of Openswan. The pluto cryptohelper has been fixed to prevent the overload.
BZ#970279
The ikev2=insist setting was not enforced on the responder side, allowing an IKEv1 connection to be established instead. This bug has been fixed and ikev2=insist is no longer ignored.
BZ#970349
This update fixes multiple lingering states after reestablishing IKEv2 keys.
BZ#988106
This update enforces the limits set with esp, phase1alg, and andphase2alg options. Previously, any algorithm of the default set (aes, 3des, sha1, md5) was always allowed, regardless of the above options.
BZ#993124
IKEv2 delete payloads were not always properly delivered to the remote peer, leaving the remote endpoint with lingering unused connections. Now, IKEv2 delete payloads are delivered as expected.
BZ#1002708
This update modifies the rightid=%fromcert option to load IDs from the local certificate when set for the local end, and from the certificate delivered by the remote peer when set for the peer end.
BZ#1019746
The "ipsec ikeping" command did not recognize the --exchangenum option. This option is now recognized correctly.
BZ#1021961
This update fixes a crash of the IKE pluto daemon when using the SHA2 encryption family with the ike= option with IKEv2.
BZ#1041576
Openswan no longer drops various privileges too soon, which prevented it from reading configuration files in directories not owned by root.
BZ#1050340
The IKE pluto daemon occasionally crashed and restarted when referencing missing IKEv2 payloads. The Openswan's state machine has been updated to reject packets with missing payloads.
BZ#1070356
This update fixes the compatibility problems with older versions of Cisco VPN introduced in the previous update of the openswan packages.
BZ#1088656
After restarting the remote endpoint, the sourceip option was not properly reset in the local route entry. This bug has been fixed.
BZ#1092913
If there was no NSS database available, the IKE pluto daemon created a nonfunctional replacement. A missing NSS database is now created before the pluto daemon starts and in the %post phase of the package install, which fixes this bug.
BZ#1098473
The "ipsec newhostkey" command did not return a correct non-zero exit code in case of failure, for example when generating keys of insufficient strength. Now, ipsec newhostkey returns the correct exit code.
BZ#1114683
Configuring an AH algorithm for IKEv2, or various non-standard ESP algorithms for IKEv1 or IKEv2 (such as CAST, RIPEMD160 or CAMELLIA) caused the IKE pluto daemon to terminate unexpectedly and restart. This bug has been fixed and pluto no longer crashes when AH or ESP algorithms are configured.
BZ#1126066
Using the "force_busy=yes" developer option to force anti-DDOS mode in IKEv2 caused the IKE pluto daemon to crash and restart. This bug has been fixed and pluto no longer crashes in the described situation.
In addition, this update adds the following

Enhancement

BZ#730975, BZ#1018327, BZ#1099871, BZ#1105179
This update enhances and clarifies man pages shipped with the openswan packages.
Users of openswan are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.