==========================================================
NetworkManager-l2tp-1.8.6
Overview of changes since NetworkManager-l2tp-1.8.4
==========================================================
YOU MIGHT NOT BE ABLE TO PROVIDE PRE-BUILT BINARIES OF THIS RELEASE UNTIL
THE INTENDED LINUX DISTRIBUTION SHIPS WITH OPENSSL 3.0 OR LATER THAT IS
GPL COMPATIBLE.
There are exceptions to this GPLv2 and OpenSSL licensing conflict, for example
the Fedora Project considers OpenSSL to be a "System Library" and so exempt
from the conflict per the "System Library Exception" :
https://fedoraproject.org/wiki/Licensing:FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F
Changes:
* Fix issue preventing Fedora RPMs from building:
add missing properties/import-export.c to POTFILES.in
==========================================================
NetworkManager-l2tp-1.8.4
Overview of changes since NetworkManager-l2tp-1.8.2
==========================================================
Changes:
* Update translations.
* Update strings for new dialog design in gnome-shell.
e.g. use "Password" instead of "Password:".
* Use /usr/share/metainfo for AppData files.
* Move D-Bus policy file to /usr/share/dbus-1/system.d/
* Add --with-nm-ipsec-nss-dir configure switch for Libreswan NSS
database location with default value of /var/lib/ipsec/nss
* Do not add broken route to VPN gateway IP address.
* Add back import/export capability.
* update default PPPD_PLUGIN_DIR to ${libdir}/pppd/2.4.8
* Fix for user certificate password flags for connection editor.
==========================================================
NetworkManager-l2tp-1.8.2
Overview of changes since NetworkManager-l2tp-1.8.0
==========================================================
Changes:
* Fixes for user certificate support.
* Remove modp1024 in default phase 1 algorithms for Libreswan, as
libreswan >= 3.30 is no longer built with DH2 (modp1024) support.
* Provide --enable-libreswan-dh2 configure switch for older libreswan versions.
* KDE plasma-nm compatibility for "Gateway ID".
==========================================================
NetworkManager-l2tp-1.8.0
Overview of changes since NetworkManager-l2tp-1.2.16
==========================================================
* User and machine TLS certificate support.
* New dependency on OpenSSL's libcrypto (>= 1.1.0).
* New dependency on Network Security Services (NSS) libraries.
* Routines to auto-detect the following TLS certificate and private key file
formats by looking at the file contents and not the file extension. They also
determine whether the files are encrypted with a password, which includes
testing whether the password is the empty string or NULL:
- PKCS#12 certificates.
- X509 certificates (PEM or DER).
- PKCS#8 private keys (PEM or DER)
- traditional OpenSSL RSA, DSA and ECDSA private keys (PEM or DER).
* Routines to import certificates and private keys into a Libreswan NSS
database.
* Grey out the auth type selection for user authentication if EAP-TLS
pppd patch not detected.
* Update translations.
==========================================================
NetworkManager-l2tp-1.2.16
Overview of changes since network-manager-l2tp-1.2.14
==========================================================
* Update translations.
* Fix label geometry in L2TP dialog box.
* Remove "Prevalent Algorithms" button, override default algorithms.
Made the phase 1 & 2 proposals previously provided by the Prevalent
Algorithms button the new default for the IKEv1 proposals.
==========================================================
NetworkManager-l2tp-1.2.14
Overview of changes since network-manager-l2tp-1.2.12
==========================================================
* Update translations by merging from various sources.
* Changed Legacy Proposal button to Prevalent Algorithms button.
Clicking Prevalent Algorithms button populates Phase 1 and 2 Algorithm text
entry boxes with the following proposals, which are a merge of Windows 10
and macOS/iOS/iPadOS L2TP clients' IKEv1 proposals.
- Phase 1 - Main Mode :
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=ECP_384},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=ECP_256},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_2048},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_1024}
- Phase 2 - Quick Mode :
{enc=AES_CBC_256 integ=HMAC_SHA1_96},
{enc=AES_CBC_128 integ=HMAC_SHA1_96},
{enc=3DES_CBC integ=HMAC_SHA1_96}
* Added "use IKEv2 key exchange" option.
* Improved debugging output for Libreswan and strongSwan.
Libreswan debugging can now be customized by setting the `PLUTODEBUG`
environment variable.
strongSwan debugging can now be customized by setting the `CHARONDEBUG`
environment variable.
* Gray out "IPsec Settings..." button if no *swan found.
Also fix crash if "IPsec Settings..." button pressed and no *swan installed.
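The Phase 1 list in this entry can be checked mechanically against the judgements this file makes elsewhere (3DES/SHA-1/MODP1024 called "broken" in 1.2.12, SHA-1 discouraged by strongSwan, DH2/modp1024 dropped by libreswan >= 3.30 in 1.8.2). The following Python sketch is an added example, not code from NetworkManager-l2tp; the `WEAK` table, its labels and the function names are assumptions of this example, and it flags only what this file names (MODP_1536 is left unflagged because the file does not comment on it).

```python
import re

# Primitives this NEWS file itself flags: 3DES/SHA-1/MODP1024 is called
# "broken" (1.2.12), SHA-1 is discouraged by strongSwan (1.2.12), and
# libreswan >= 3.30 drops DH2/modp1024 (1.8.2). The labels are this example's.
WEAK = {
    "enc": {"3DES_CBC": "3DES encryption"},
    "integ": {"HMAC_SHA1_96": "SHA-1 integrity"},
    "group": {"MODP_1024": "DH2 (modp1024) group"},
}

# Phase 1 (Main Mode) proposals copied from the 1.2.14 entry.
PHASE1 = """
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=ECP_384},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=ECP_256},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_2048},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_1024}
"""

def parse_proposals(text):
    """Parse each {key=value ...} group into a dict, preserving order."""
    proposals = []
    for body in re.findall(r"\{([^{}]*)\}", text):
        fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
        if fields:
            proposals.append(fields)
    return proposals

def audit(text):
    """Return (proposal, findings) pairs; empty findings means nothing flagged."""
    return [
        (p, [WEAK[k][v] for k, v in p.items() if v in WEAK.get(k, {})])
        for p in parse_proposals(text)
    ]

if __name__ == "__main__":
    for prop, findings in audit(PHASE1):
        line = " ".join(f"{k}={v}" for k, v in prop.items())
        print(f"{'WEAK' if findings else 'ok':4}  {line}  {'; '.join(findings)}")
```

Only the first two proposals pass unflagged, so a gateway that accepts nothing else in this list is the case where the defaults negotiate without SHA-1, 3DES or modp1024.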
==========================================================
NetworkManager-l2tp-1.2.12
Overview of changes since NetworkManager-l2tp-1.2.10
==========================================================
* Update translations by merging from various sources.
* Added Legacy Proposal button.
Clicking Legacy Proposals button populates Phase 1 and 2 Algorithm text entry
boxes with proposals offered by Windows Server 2019:
- AES256, SHA-1, ECP384 and AES128, SHA-1, ECP256 strong proposals.
strongSwan recommends not using SHA-1 in its security recommendations
documentation.
- 3DES, SHA-1, MODP1024 broken proposal.
Legacy Windows 2000 Server era proposal still commonly offered, especially
with consumer routers
* Added following IPsec configuration options:
- Phase1 Lifetime - ikelifetime.
- Phase2 Lifetime - salifetime (libreswan) / lifetime (strongswan).
- Use IP compression - compress.
- Disable PFS - pfs.
* renamed Gateway ID to Remote ID and updated GUI tooltip.
* removed restrictions that only IP addresses are allowed for the Remote ID.
* Generated config file changes. The following config files:
- /var/run/nm-l2tp-xl2tpd-_UUID_.conf
- /var/run/nm-l2tp-xl2tpd-control-_UUID_
- /var/run/nm-l2tp-xl2tpd-_UUID_.pid
- /var/run/nm-l2tp-ppp-options-_UUID_
are now:
- /var/run/nm-l2tp-_UUID_/xl2tpd.conf
- /var/run/nm-l2tp-_UUID_/xl2tpd-control
- /var/run/nm-l2tp-_UUID_/xl2tpd-.pid
- /var/run/nm-l2tp-_UUID_/ppp-options
* Use the same IPsec secrets file for all L2TP connections,
/etc/ipsec.d/ipsec.nm-l2tp.secrets is now used instead of
/etc/ipsec.d/nm-l2tp-ipsec-_UUID_.secrets, where _UUID_ was the UUID of the
VPN connection.
* Force ikev2=never for Libreswan
ikev2=permit is the implicit default setting, which tries to detect
a "bid down" attack from IKEv2 to IKEv1 and can have an impact on
the default proposals.
* Add nm-l2tp-service- prefix back to pppd ipparam argument.
The ipparam argument is used by a condition in the Debian resolvconf's
/etc/ppp/ip-up.d/000resolvconf script.
* PSK is now Base64 encoded, allows PSK to contain double quotation mark (").
* Fix build without GTK/Gnome.
* Legacy KDE Plasma-nm user certificate support.
* libnm-glib compatibility (NetworkManager < 1.0) is disabled by default.
It can be enabled by passing --with-libnm-glib to configure script.
Nobody should need it by now. Users that still use this are encouraged
to let us know before the libnm-glib support is removed for good.
* The auth helper in external UI mode can now be run without a display
server. Future nmcli version will utilize this for handling the
secrets without a graphical desktop.
=======================================================
NetworkManager-l2tp-1.2.10
Overview of changes since NetworkManager-l2tp-1.2.8
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* Point version 1.2.10 appdata image URIs to nm-1-2 github branch:
https://raw.githubusercontent.com/nm-l2tp/NetworkManager-l2tp/nm-1-2/appdata
* Corrected force UDP encapsulation toggle button behavior.
* Workaround for libreswan `ipsec status` issue with short (< 8 char) PSKs.
* fix gcc -Wimplicit-fallthrough warning.
=======================================================
NetworkManager-l2tp-1.2.8
Overview of changes since NetworkManager-l2tp-1.2.6
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* Updated translations, merged from NetworkManager-applet,
NetworkManager-libreswan, NetworkManager-pptp and
KDE Plasma NetworkManagement L2TP. Removed obsolete translations.
* Enforce UDP encapsulation toggle button fix.
* Stop strongSwan service when a connection cannot be established.
* fix entries in Debian Lintian spelling-error-in-binary report.
* configure --runstatedir support if using Autoconf >= 2.7.0.
* If "Automatic (VPN) Addresses Only" mode is enabled in the IPv4
config settings, do not use the pppd usepeerdns option,
i.e. do not override /etc/resolv.conf.
=======================================================
NetworkManager-l2tp-1.2.6
Overview of changes since NetworkManager-l2tp-1.2.4
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* If L2TP port 1701 is already in use, no longer writes
"leftprotoport=udp/l2tp" (which is equivalent to "leftprotoport=udp/1701") to
the ipsec config file. This was done to ensure L2TP is encapsulated in IPsec.
* Uses UUID instead of PID for run-time generated filenames
* No longer temporarily replaces system /etc/ipsec.secrets file
* IPsec rekeying is now possible because the following file remains for the
lifetime of the VPN connection :
/etc/ipsec.d/nm-l2tp-ipsec-UUID.secrets
* Following line is appended to /etc/ipsec.secrets if the include line is
missing:
include /etc/ipsec.d/*.secrets
* Removed IPsec Group Name from user interface
* Added IPsec Phase 1 (ike) & Phase 2 (esp) to user interface
* New timeout code for IPsec connection up script.
=======================================================
NetworkManager-l2tp-1.2.4
Overview of changes since NetworkManager-l2tp-1.2.2
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* Prefer building against stable libsecret API
* Split libnm-vpn-plugin-l2tp.so into a GTK-free core plugin
usable by nmcli and a UI plugin for nm-applet and gnome components
* Successfully builds on 32bit Linux
* Explicitly check that the strongSwan connection has been established
and do not trust the exit status of the strongSwan 'ipsec up' command
* Support weaker initial proposals on later versions of strongSwan
* Support IP addresses for IPsec leftid and rightid
* 10 second timeout for ipsec starter process