libreswan-3.23-5.0.1.el7.AXS7

Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).

This update fixes the following bugs:

* Prior to this update, the "ipsec newhostkey" command incorrectly tried self-test itself expecting a FIPS mode signature to be present. This is no longer required for the "newhostkey" and "rsasigkey" commands, and it caused generating a false positive FIPS error that prevented the commands from executing properly in FIPS mode. With this update, "newhostkey" and "rsasigkey" correctly do not look for a FIPS signature when executing in FIPS mode, and Libreswan is now able to generate new RSA keys in FIPS mode. (BZ#1573949)

* Previously, when multiple IPsec Security Associations (SAs) shared the same Internet Key Exchange (IKE) SA and rekey events took place, not all state was properly transferred to a new connection. That could lead to multiple IKE SAs, and certain devices returned the "INVALID_IKE_SPI" error message. The devices also deleted all their IKE SAs. With this update, all state is properly transferred to a new connection, and Libreswan no longer creates duplicate IKE SAs. (BZ#1574456)

* Prior to this update, the Libreswan suite ignored Dead Peer Detection (DPD) responses on idle connections. As a consequence, idle tunnels were accidentally restarted by the remote peer. Handling of liveness responses has been fixed, and idle tunnels are no longer accidentally restarted. (BZ#1574457)

Users of libreswan are advised to upgrade to these updated packages, which fix these bugs.