5.3
The Libreswan Project has released libreswan 5.3
This is a maintenance release. It allows re-using an IKEv1 lease address on multiple connections and improves "cisco split VPN" support. The X.509 certificate code was revised to use only the NSS IPsec profile and no longer uses the SSL profile, and the CRL code was updated.
This latest version of libreswan can be downloaded from:
https://download.libreswan.org/libreswan-5.3.tar.gz
https://download.libreswan.org/libreswan-5.3.tar.gz.asc
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailing lists or at our GitHub bug tracker:
https://lists.libreswan.org/
https://github.com/libreswan/libreswan/issues
See also https://libreswan.org/
v5.3 (July 3, 2025)
- PKIX (Public Key Infrastructure X.509)
- moved cURL and LDAP CRL download code out of pluto [Andrew]
- replaced CRL thread with libevent [Andrew]
- fixed ipsec checkcrls [Andrew]
- when configured, use cURL to download LDAP CRLs [Andrew]
- verify using NSS's IPsec profile aka certificateUsageIPsec [Andrew]
- only verify using certificateUsageSSL{Client,Server} when USE_NSS_TLS_SECURITY_PROFILE [Andrew]
- IKEv2:
- fix PEXPECT when deleting crossed IKE SA [Andrew, Ilya Maximets #2101, Ondrej Moris #2123]
- IKEv1:
- fix CISCO's split support (requires cisco-split=yes) [Andrew, Amirreza #2230 Erikas #633]
- share-lease=yes|no (default yes) to share XAUTH/ModeCfg lease IP on multiple connections [Paul]
- initsystem:
- remove unused _stackmanager [Tuomo #2080]
- on BSD, default to syslog(LOG_NOTICE) and not pluto.log [Andrew #2295 #2298]
- config:
- merge addconn (ipsec.conf) and whack connection option parsers [Andrew]
- change whack to use same connection defaults as ipsec.conf [Andrew]
- support ipsec addconn --name connname left=1.2.3.4 right=5.6.7.8 (experimental) [Andrew #2138]
- drop undocumented ipsec readwriteconf --rootdir option [Andrew, #2152]
- obsoleted virtual_private= and plutostderrlog= keywords [Tuomo]
- warn when END-option= has no END [Andrew #663]
- nflog= made an alias to nflog-group= [Andrew]
- recognize ah=... as phase2=ah phase2alg=... [Andrew #712]
- ipsec pluto:
- make ipsec.conf's config setup and pluto options consistent [Andrew]
- fix --config file1 --config file2 [Andrew]
- ipsec connectionstatus:
- support ipsec connectionstatus '"labeled"[1][2]' [Andrew #1308]
- testing:
- eliminated all pyOpenSSL dependencies [Andrew]
- review PKIX test coverage [Andrew]
- upgrade Fedora test domain to f42
- building:
- build with curl 8.14.1 [Andrew, Vincent #2319]