NEWS

Version history:
----------------
0.8	- 18 March 2011
	o Fix authentication method ambiguity with kerberos and xauth
	o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman)
	o Local address code rewrite to speed things up
	o Improved MIPv6 support (Arnaud Ebalard)
	o ISAKMP SA (phase1) rekeying
	o Improved scheduler (faster algorithm, support monotonic clock)
	o Handle RESPONDER-LIFETIME in quick mode
	o Handle INITIAL-CONTACT in from main mode too
	o Rewritten event handling framework for admin port
	o Ability to initiate IPsec SA through admin port
	o NAT-T Original Address handling (transport mode NAT-T support)
	o clean NAT-T - PFkey support
	o support for multiple anonymous remoteconfs
	o Remove various obsolete configuration options
	o A lot of other bug fixes, performance improvements and clean ups

0.7.1	- 23 July 2008
	o Fixes a memory leak when invalid proposal received
	o Some fixes in DPD
	o do not set default gss id if xauth is used
	o fixed hybrid enabled builds
	o fixed compilation on FreeBSD8
	o cleanup in network port value manipulation
	o Gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in
	  purge_ipsec_spi()
	o Generates a log if cert validation has been disabled by
	  configuration
	o better handling for pfkey socket read errors
	o Fixes in yacc / bison stuff
	o new plog() macro (reduced CPU usage when logging is disabled)
	o Try to work better with huge SPD/SAD
	o Corrected modecfg option syntax

0.7	- 09 August 2007
	o Xauth with pre-shared key PSK
	o Xauth with certificates
	o SHA2 support
	o pkcs7 support
	o system accounting (utmp)
	o Darwin support
	o configuration can be reloaded
	o Support for UNIQUE generated policies
	o Support for semi anonymous sainfos
	o Support for ph1id to remoteid matching
	o Plain RSA authentication
	o Native LDAP support for Xauth and modecfg
	o Group membership checks for Xauth and sainfo selection
	o Camellia cipher support
	o IKE Fragment force option
	o Modecfg SplitNet attribute support
	o Modecfg SplitDNS attribute support ( server side )
	o Modecfg Default Domain attribute support
	o Modecfg DNS/WINS server multiple attribute support

0.6	- 27 June 2005
	o Generated policies are now correctly flushed
	o NAT-T works with multiple peers behind the NAT (need kernel support)
	o Xauth can use shadow passwords
	o TCP-MD5 support
	o PAM support for Xauth
	o Privilege separation
	o ESP fragmentation in tunnel mode can be tunned (NetBSD only)
	o racoon admin interface is exported (header and library) to 
	  help building control programs for racoon (think GUI)
	o Fixed single DES support; single DES users MUST UPGRADE.

0.5	- 10 April 2005
	o Rewritten buildsystem. Now completely autoconfed, automaked,
	  libtoolized.
	o IPsec-tools now compiles on NetBSD and FreeBSD again.
	o Support for server-side hybrid authentication, with full 
	  RADIUS supoort. This is interoperable with the Cisco VPN client.
	o Support for client-side hybrid authentication (Tested only with
	  a racoon server)
	o ISAKMP mode config support
	o IKE fragmentation support
	o Fixed FWD policy support.
	o Fixed IPv6 compilation.
	o Readline is optional, fixed setkey when compiled without readline.
	o Configurable Root-CA certificate.
	o Dead Peer Detection (DPD) support.

0.4rc1	- 09 August 2004
	o Merged support for PlainRSA keys from the 'plainrsa' branch.
	o Inheritance of 'remote{}' sections.
	o Support for SPD policy priorities in setkey.
	o Ciphers are now used through the 'EVP' interface which allows
	  using hardware crypto accelerators.
	o Setkey has new option -n (no action).
	o All source files now have 3-clause BSD license.

0.3	- 14 April 2004
	o Fixed setkey to handle multiline commands again.
	o Added command 'exit' to setkey.
	o Fixed racoon to only Warn if no CRL was found.
	o Improved testsuite.

0.3rc5	- 05 April 2004
	o Security bugfix WRT handling X.509 signatures.
	o Stability fix WRT unknown PF_KEY messages.
	o Fixed NAT-T with more proposals (e.g. more crypto algos).
	o Setkey parses lines one by one => doesn't exit on errors.
	o Setkey supports readline => more user friendly.

0.3rc4	- 25 March 2004
	o Fixed adding "null" encryption via 'setkey'.
	o Fixed segfault when using AES in Phase1 with OpenSSL>=0.9.7
	o Fixed NAT-T in aggresive mode.
	o Fixed testsuite and added testsuite run into make check.

0.3rc3	- 19 March 2004
	o Fixed compilation error with --enble-yydebug
	o Better diagnostic when proposals don't match.
	o Changed/added options to setkey.

0.3rc2	- 11 March 2004
	o Added documentation for NAT-T
	o Better NAT-T diagnostic.
	o Test and workaround for missing va_copy()

0.3rc1	- 04 March 2004
	o Support for NAT Traversal (NAT-T)

0.2.4	- 29 January 2004
	o Sync with KAME as of 2004-01-07
	o Fixed unauthorized deletion of SA in racoon (again).

0.2.3	- 15 January 2004
	o Support for SA lifetime specified in bytes
	  (see setkey -bs/-bh options)
	o Enhance support for OpenSSL 0.9.7
	o Let racoon be more verbose
	o Fixed some simple bugs (see ChangeLog for details)
	o Fixed unauthorized deletion of SA in racoon
	o Fixed problems on AMD64
	o Ignore multicast addresses for IKE

0.2.2	- 13 March 2003
	o Fix racoon to build on some systems that require linking against -lfl
	o add an RPM spec to the distribution

0.2.1	- 07 March 2003
	o Fix some more gcc-3.2.2 compiler warnings
	o Fix racoon to actually configure with ssl in a non-standard location
	o Fix racoon to not complain if krb5-config is not installed

0.2	- 06 March 2003
	o Glibc-2.3 support
	o OpenSSL-0.9.7 support
	o Fixed duplicate-macro problems
	o Fix racoon lex/yacc support
	o Install psk.txt mode 600, racoon.conf mode 644
	o Fix racoon to look in the correct directory for config files

0.1	- 03 March 2003
	o Initial release of IPsec-Tools