New Feature Additions

• Support for multiple IKEv2 key exchanges (RFC 9370) has been added (3a850ae). IKE_INTERMEDIATE exchanges (RFC 9242) are used to transport additional KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges. To rekey IKE and Child SAs with multiple key exchanges, IKE_FOLLOWUP_KE exchanges are used, as defined in RFC 9370.

  In proposals, additional key exchange methods are configured via keX_ prefix, where X is a number between 1 and 7. For example, ke1_mlkem768 adds ML-KEM-768 as additional KE method (works with any key exchange method, whether post-quantum or classic). As with regular key exchanges, peers have to agree on a method for each round unless no algorithms are defined by both or keX_none is configured to make that round explicitly optional.

• Support for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM, FIPS 203), a key exchange method that, at present, is believed to be secure even against adversaries who possess a quantum computer, has been added via Botan 3.6.0+ (botan plugin), wolfSSL 5.7.4+ (wolfssl plugin), AWS-LC 1.37.0+ (openssl plugin), and the new ml plugin. The keywords for ML-KEM-512 (128 bits security strength), ML-KEM-768 (192 bits), ML-KEM-1024 (256 bits) are mlkem512, mlkem768 and mlkem1024, respectively.

• AF_VSOCK sockets can be used on Linux to communicate with a daemon that runs in a VM (e.g. via the vici plugin).

• The file logger can optionally log messages as JSON objects (a2fba6d, bea1f11, see the docs for details), and can add timestamps in microseconds via the new time_precision setting (#2475).

Enhancements and Optimizations

• Handling of CHILD_SA rekey collisions has been improved (d2b2e1b). This makes CHILD_SAs properly trackable via child_rekey() hook and some corner cases are also handled correctly e.g. if a responder's DELETE for the new CHILD_SA arrives before its CREATE_CHILD_SA response that creates that SA in the first place. Also handled properly are responders of rekeyings that incorrectly send a DELETE for the old CHILD_SA (previously, this caused both, the new and the old SA, to get deleted).
• The behavior when reloading or unloading connections that include start in their start_action has been improved (#2324, #2418).
• If no identity is configured but a certificate is available, the subject DN is used instead of the IP address (#2353).
• The cert-enroll script now supports three generations of CA certificates (f59ca96).
• IKE ports are now considered when matching connections (9228a51, 6928709).
• The base address of in-memory IP address pools is now reported as configured (#2264).
• IKE fragment sizes can be configured for each address family explicitly (84bd011).
• The openssl plugin can use the EVP_DigestSqueeze() API for XOFs, which was introduced with OpenSSL 3.3 (3d0f695).
• The kernel-netlink plugin explicitly configures the direction of IPsec SAs when running on 6.10+ kernels (abdc787).
• The Android app was updated for compatibility with Android 14 (740cbb2), a bug was fixed that affects importing already existing VPN profiles (9b9cf20).

Fixes

• The NetworkManager plugin (charon-nm) now uses a different routing table than the regular IKE daemon to avoid conflicts if both are running (#2230).
• TUN devices can properly handle IPv6 addresses (fccc764) and routes via them are now correctly installed on FreeBSD (bf165af).
• Reassigning a matching online lease is now preferred over an offline lease by the in-memory IP address pool to avoid conflicts with make-before-break reauthentication and multiple IKE_SAs per identity (#2472).
• To avoid conflicts with other processes when using ephemeral UDP ports, the socket-default plugin now always opens IPv4 sockets before IPv6 sockets (#2494).
• Challenge passwords in PKCS#10 containers are again encoded as PrintableString if possible to be compatible with older SCEP implementations (8e88d56).
• The vici plugin now uses the same ESP proposals (AEAD before regular) when configuring default instead of not configuring esp_proposals at all (8e020bc).
• Fixed handling of adopted reqids during IKEv1 rekeying (d02aea9, bug was introduced in 5.9.12).
• A typo in the cert-enroll script prevented successful signalling of a change of the sub CA certificate (957aae8).

Plugin and Configuration Changes

• The legacy stroke plugin is no longer enabled by default and must be enabled explicitly.
• The openssl plugin is now enabled by default, while the following crypto plugins are no longer enabled by default: aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2, sha1, sha2.
• The following deprecated plugins have been removed: bliss (signature scheme), newhope (key exchange method), ntru (key exchange method).
• charon.make_before_break is now enabled by default, which initiates IKEv2 reauthentication with a make-before-break instead of a break-before-make scheme. Make-before-break creates overlapping IKE and Child SA during reauthentication by first recreating all SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication (unlike rekeying still not completely without interruption), but requires support for overlapping SAs by the peer. strongSwan can handle such overlapping SAs since version 5.3.0.

For Developers

• Using the child_rekey() hook now allows tracking CHILD_SAs correctly in case of rekey collisions. The event is generally only triggered once after installing the outbound SA for the new/winning CHILD_SA. However, in some cases the event is triggered twice, but it is now ensured that listeners can properly transition to the winning SA.
• Refer to the documentation of key_exchange_method_t interface to learn how KEMs can be implemented in plugins.
• The format of key exchange test vectors has been changed so they can be used for KEMs and classic DH methods (4067678).
• The NetworkManager frontend's build files have been updated to not rely on gnome-common. It now also uses gettext directly instead of intltool (5019e3e).
• Performance of running tests in the testing environment has been improved.

Refer to the 6.0.0 milestone for a list of all closed issues and pull requests.