Hello Michael,

I've successfully installed the new version of strongswan on my IPFire 2 
system.

VPN over IPSec still works perfectly - tested with IKEv1 and IKEv2 
connections.

The only bad point, I've to report is, that after the update I can't 
disable IPSec over the WUI anymore - may other testers will report the 
same issue.

Best regards,

Stefan
> Hello,
>
> as Core Update 61 has now been released, it is time to go on with
> developments for the next one:
>
> I have updated strongswan to version 5.0.0 which finally removes the
> pluto daemon which was responsible for IKEv1 connections.
> However, pluto has gotten very old and was created in the beginnings of
> the IPsec for Linux developments back in freeswan times.
>
> charon was introduced by strongswan some time ago when IKEv2 connections
> got supported. It handles IKEv1 connections as well as IKEv2 connections
> since strongswan version 5.0.0.
>
> What are the benefits for IPFire?
>
> As mentioned earlier, pluto is very old and got very hard to maintain.
> There have been problems with VPNs that terminate at hosts with dynamic
> IP addresses, so we needed to restart the entire IPsec subsystem in
> intervals of 5 minutes.
> This caused some trouble in stability terms.
>
> charon handles those dynamic endpoints much better without the need to
> restart anything. Connections may now be added and removed smoothly and
> in total there should be much more connection stability.
>
> There is also some new code for hybrid IPsec VPNs which can be used with
> Android 4 and maybe Apple iOS. I have not done any investigation on this
> topic, because I am not interested, but hopefully somebody else gives it
> a shot.
>
> I have now packaged the changes into a small package which wants to be
> installed on your system.
>
> http://people.ipfire.org/~ms/unsupported/core-upgrade-2.11-strongswan.ipfire
>
> It should not require any manual interaction at all. Please install and
> give me feedback about the connection stability and the interoperability
> with other (proprietary) implementations.
>
> I am looking forward to it.
>
> Michael
>
> P.S. If you reply to this mail make sure to keep both mailing lists.
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
>