The Libreswan Project has released libreswan 5.2

This is a feature release. It adds support for RFC 5723 Session Resumption, RFC 9347 IPTFS and draft-ietf-ipsecme-ikev2-qr-alt protocol extensions. It adds support for ipsec interfaces on the BSDs and improves the Linux ipsec interface support.

It fixes an interop issue with iOS/OSX IKEv1 padding interop, supports Linux kernel 6.10+ requirements and other minor bugfixes and features.

This latest version of libreswan can be downloaded from:

https://download.libreswan.org/libreswan-5.2.tar.gz https://download.libreswan.org/libreswan-5.2.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailinglists or at our github bug tracker:

https://lists.libreswan.org/ https://github.com/libreswan/libreswan/issues

See also https://libreswan.org/

v5.2 (Feb 26, 2025)

• IKEv2:
  • add PPK in INTERMEDIATE exchange, draft-ietf-ipsecme-ikev2-qr-alt-04 [Vukasin]
  • add initial support for RFC 5723 IKE_SESSION_RESUME [Nupur Agrawal, Andrew]
  • fix crash in <> [Andrew, Ilya Maximets #1894]
  • fix bogus ERROR when deleting connection [Andrew, Ilya Maximets #1914]
• IPsec Interface:
  • add support on FreeBSD, NetBSD and OpenBSD [Andrew]
  • add ipsec-interface-managed=no for namespaces [Andrew]
• IKEv1:
  • removed compile-time SOFTREMOTE_CLIENT_WORKAROUND [Andrew]
  • fix INVALID_ID_INFORMATION response using corrupt IV [Andrew #1830]
  • fix reconnect with addresspool after restart [Andrew #1790]
  • fix padding of modecfg payloads [Andrew wmasilva #2023]
  • update ikepad= to allow {yes,no,auto} [Andrew]
• Linux:
  • packet offload counters supported in 6.7+ [Paul]
  • Add IPTFS support (RFC 9347) [Paul / Antony / Andrew]
  • 6.10+ need replay-window 0 on OUTBOUND SA [Paul]
  • Do not set nopmtudisc on inbound SA [Paul]
  • Set DSCP options only on the relevant direction SA [Paul]
• updown:
  • Use half-routes for IPv6 to cover whole address space #1994 [Tuomo]
  • Use sourceip= for all remote subnets when set [Tuomo]
• whack/addconn:
  • fix "duplicated flag ctlsocket" regression in 5.0 #1840 [Andrew, Ilya Maximets #1840]
  • orders of magnitude speedup of 'ipsec add' w/ protoports= [Ilya Maximets #1987]
• building:
  • fix build with USE_LIBCURL=false [Hans de Graaff #1845, Andrew]
  • fix build on OpenBSD 7.6 [Andrew]
  • fix build with GCC 15 / C 23 [Daiki Ueno]
  • fix init script on Alpine [Andrew #2042]
• testing:
  • update OpenBSD: 7.6; NetBSD: 10.1; FreeBSD: 14.2; Alpine: 3.21 [Andrew]
  • eliminate pyOpenSSL dependency when generating CRLs and PKCS12 files [Andrew #1990 #1996]