I didn't see anything in the release notes (though I liked this: [Warcraft] Nefarian's Shadowblaze cast frequency cannot increase beyond 1, once every 15 seconds) ... But are there any changes/enhancements to the ipsec VPN functionality? Most importantly an update to a modern version of strongswan? Thanks.
At the moment, there aren't any specific features that we're lacking. However, we have noticed that when you make a change to *any* tunnel it seems that every tunnel gets bounced. My understanding is that this is something that was fixed in a later version of StrongSwan.
Also, there are stability issues (about once a week or so, we have a tunnel suddenly stop passing traffic, requiring a stop/restart to fix) that seem to have been addressed in newer versions.
Mainly, however, it makes me a little nervous to be running a security appliance that is using a nearly 4-year-old version of one of the core pieces of its software when the underlying software has developed and matured considerably in those 4 years.
Please contact support about the issues with your tunnels bouncing. A restart of the daemon is only needed when you change global settings. Any connection specific change should only affect the availability of the associated tunnels. This should be solvable.
We're backporting all security relevant changes back to our version. So you're safe with the older version running. Also, the strongSwan project integrated IKEv1 support into their new charon daemon and discontinued pluto. In the past, there were some occasions where charon exposed a vulnerability that pluto didn't have. In general, newer does not necessarily also mean more secure. Pluto has seen some exposure to the roughness of the internet in its lifetime and could be considered stable. That said, we do plan to upgrade to charon, because pluto has no future. It's just not clear when we will make the change, yet.
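A small monitor for the "tunnel suddenly stops passing traffic" symptom and the "bounce only the affected tunnel" point raised in this exchange, added here as an example (not the appliance's or any poster's code). It assumes `ipsec statusall` output in the charon daemon's format (pluto prints a different layout) and uses a constructed sample; the connection names and RFC 5737 addresses are made up.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `ipsec statusall` output (charon-style layout assumed).
# site-a is healthy; site-b still sends but has not received a packet in ~30 min.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
     site-a[1]: ESTABLISHED 3 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     site-a{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     site-a{1}:   AES_CBC_128/HMAC_SHA1_96, 48210 bytes_i (312 pkts, 4s ago), 51772 bytes_o (301 pkts, 4s ago), rekeying in 41 minutes
     site-a{1}:   10.0.1.0/24 === 10.0.2.0/24
     site-b[2]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
     site-b{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a1b2c3d_i 4e5f6071_o
     site-b{2}:   AES_CBC_128/HMAC_SHA1_96, 12040 bytes_i (96 pkts, 1820s ago), 9340 bytes_o (87 pkts, 3s ago), rekeying in 12 minutes
     site-b{2}:   10.0.1.0/24 === 10.0.3.0/24
"""

# Matches the per-CHILD_SA traffic line: "<conn>{N}:  ..., B bytes_i (P pkts, Ts ago), B bytes_o (...)".
# The "(pkts, age)" group is absent when a direction has never carried a packet.
TRAFFIC_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{\d+\}:\s+.*?"
    r"(?P<bytes_i>\d+) bytes_i(?: \(\d+ pkts, (?P<age_i>\d+)s ago\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \(\d+ pkts, (?P<age_o>\d+)s ago\))?"
)


def _fresh(age: Optional[int], max_idle_s: int) -> bool:
    return age is not None and age <= max_idle_s


def find_stale_tunnels(status: str, max_idle_s: int = 600) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (connection, inbound_age_s, outbound_age_s) for installed tunnels whose
    traffic has become one-directional: one side saw a packet within max_idle_s while
    the other has been silent longer than that (or forever). A tunnel quiet in both
    directions is merely idle and is not reported."""
    stale = []
    for line in status.splitlines():
        m = TRAFFIC_RE.match(line)
        if not m:
            continue
        age_i = int(m["age_i"]) if m["age_i"] is not None else None
        age_o = int(m["age_o"]) if m["age_o"] is not None else None
        if _fresh(age_i, max_idle_s) != _fresh(age_o, max_idle_s):
            stale.append((m["name"], age_i, age_o))
    return stale


def bounce_commands(names: List[str]) -> List[str]:
    """Per-connection restart commands, so the other tunnels are not touched."""
    return [f"ipsec down {n} && ipsec up {n}" for n in names]


if __name__ == "__main__":
    stale = find_stale_tunnels(SAMPLE_STATUS)
    for name, age_i, age_o in stale:
        print(f"{name}: inbound {age_i}s ago, outbound {age_o}s ago")
    print("\n".join(bounce_commands([s[0] for s in stale])))
```

In production, feed the function the live output of `ipsec statusall` and alert on the result instead of restarting anything automatically.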