github libreswan/libreswan v5.2

The Libreswan Project has released libreswan 5.2

This is a feature release. It adds support for RFC 5723 Session
Resumption, RFC 9347 IPTFS and draft-ietf-ipsecme-ikev2-qr-alt
protocol extensions. It adds support for ipsec interfaces on the
BSDs and improves the Linux ipsec interface support.

It fixes an iOS/OSX IKEv1 padding interop issue, supports
Linux kernel 6.10+ requirements, and includes other minor
bugfixes and features.

This latest version of libreswan can be downloaded from:

https://download.libreswan.org/libreswan-5.2.tar.gz
https://download.libreswan.org/libreswan-5.2.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our GitHub
bug tracker:

https://lists.libreswan.org/
https://github.com/libreswan/libreswan/issues

See also https://libreswan.org/

v5.2 (Feb 26, 2025)

  • IKEv2:
    • add PPK in INTERMEDIATE exchange, draft-ietf-ipsecme-ikev2-qr-alt-04 [Vukasin]
    • add initial support for RFC 5723 IKE_SESSION_RESUME [Nupur Agrawal, Andrew]
    • fix crash in <> [Andrew, Ilya Maximets #1894]
    • fix bogus ERROR when deleting connection [Andrew, Ilya Maximets #1914]
  • IPsec Interface:
    • add support on FreeBSD, NetBSD and OpenBSD [Andrew]
    • add ipsec-interface-managed=no for namespaces [Andrew]
  • IKEv1:
    • removed compile-time SOFTREMOTE_CLIENT_WORKAROUND [Andrew]
    • fix INVALID_ID_INFORMATION response using corrupt IV [Andrew #1830]
    • fix reconnect with addresspool after restart [Andrew #1790]
    • fix padding of modecfg payloads [Andrew wmasilva #2023]
    • update ikepad= to allow {yes,no,auto} [Andrew]
  • Linux:
    • packet offload counters supported in 6.7+ [Paul]
    • Add IPTFS support (RFC 9347) [Paul / Antony / Andrew]
    • 6.10+ need replay-window 0 on OUTBOUND SA [Paul]
    • Do not set nopmtudisc on inbound SA [Paul]
    • Set DSCP options only on the relevant direction SA [Paul]
  • updown:
    • Use half-routes for IPv6 to cover whole address space #1994 [Tuomo]
    • Use sourceip= for all remote subnets when set [Tuomo]
  • whack/addconn:
    • fix "duplicated flag ctlsocket" regression in 5.0 #1840 [Andrew, Ilya Maximets #1840]
    • orders of magnitude speedup of 'ipsec add' w/ protoports= [Ilya Maximets #1987]
  • building:
    • fix build with USE_LIBCURL=false [Hans de Graaff #1845, Andrew]
    • fix build on OpenBSD 7.6 [Andrew]
    • fix build with GCC 15 / C 23 [Daiki Ueno]
    • fix init script on Alpine [Andrew #2042]
  • testing:
    • update OpenBSD: 7.6; NetBSD: 10.1; FreeBSD: 14.2; Alpine: 3.21 [Andrew]
    • eliminate pyOpenSSL dependency when generating CRLs and PKCS12 files [Andrew #1990 #1996]
