Page last updated:
This topic contains release notes for the IPsec Add-on for PCF.
Release Date: October 11, 2017
Features included in this release:
- Updates strongSwan to 5.6.0
- Updates OpenSSL to 1.0.2l
- Updates OpenSSL FIPS to 2.0.16
- Log level is now configurable.
- Key exchange is now configurable.
- Instance certificate is validated with the CA certificate on start.
Fixed issues in this release:
- Stop script timeout is configurable.
Known issues in this release:
IKEv1 on Windows: Windows uses IKEv1 for Key exchange. IKEv2 does not support multiple root certificates, and therefore does not support certificate rotation. An issue has been filed with Microsoft.
Spurious Configuration Warning: As part of the upgrade to StrongSwan v5.4.0, this version of the IPsec add-on may emit a sequence of spurious configuration warning messages. The messages are similar to the following:
!! Your strongswan.conf contains manual plugin load options for charon. !! This is recommended for experts only, see !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
These messages are both expected and harmless. As a caution to end users, the StrongSwan software now emits a warning message when it detects that the installation includes a manually configured set of plugins. As a matter of security hygiene best practices, the IPsec add-on has always used a manual (explicit) configuration and loads a restricted set of StrongSwan plugins. Any unused plugins are not loaded. The newest version of StrongSwan now issues this warning message when it detects that situation. The actual list of plugins in use has been determined to be appropriate for use of StrongSwan in the PCF environment. This warning is expected and should be ignored.
MTU Sizing: Use 1354 on OpenStack. Keep the default on AWS and vSphere.