This topic describes the changes in this minor release of IPsec for VMware Tanzu.

For product versions and upgrade paths, see Upgrade Planner.

Releases

v1.9.63

Release Date: June 7, 2024

Maintenance Changes

Rename openssl package to avoid package name collision when deployed on redis service VMs.

Fixes: Compatibility with Redis for VMware Tanzu Application Service.

• Final release 1.9.63

v1.9.58

Release Date: April 16, 2024

Maintenance Changes

• OpenSSL: Upgraded to v3.3.0
• Strongswan: Upgraded to v5.9.14 to address:

Known Issues

• This version of IPsec for VMware Tanzu is not compatible with Redis for VMware Tanzu Application Service.

v1.9.56

Release Date: February 23, 2024

Maintenance Changes

• OpenSSL: Upgraded to v3.2.1

Known Issues

• This version of IPsec for VMware Tanzu is not compatible with Redis for VMware Tanzu Application Service.

v1.9.54

Release Date: January 10, 2024

Maintenance Changes

• Strongswan: Upgraded to v5.9.12 to address:
  • CVE-2023-41913

Known Issues

• This version of IPsec for VMware Tanzu is not compatible with Redis for VMware Tanzu Application Service.

v1.9.52

Release Date: November 2, 2023

Maintenance Changes

• OpenSSL: Upgraded to v3.0.8
  • See FIPS validation certificate

v1.9.50

Release Date: September 7, 2023

Maintenance Changes

• OpenSSL: Upgraded to v1.0.2zi to address:
  • CVE-2023-3817
  • CVE-2023-3446

v1.9.47

Release Date: July 3, 2023

Maintenance Changes

• Strongswan: Upgraded to v5.9.11

v1.9.46

Release Date: June 2, 2023

Maintenance Changes

• OpenSSL: Upgraded to v1.0.2zh to address:
  • CVE-2023-2650
  • CVE-2023-0465
  • CVE-2023-0466
  • CVE-2023-0464

v1.9.43

Release Date: April 12, 2023

Maintenance Changes

• Strongswan: Upgraded to v5.9.10
• OpenSSL: Upgraded to v1.0.2zg to address:
  • CVE-2023-0286
  • CVE-2023-0215
  • CVE-2022-4304

Known Issues

• In some deployments, IPsec has undesired behavior when used with Jammy stemcells v1.18 to v1.83 (inclusive). NATS communication failure causes BOSH jobs such as route_registrar, nats-tls-healthcheck, nats-tls-wrapper, and nats-wrapper to fail. This causes the BOSH deployment to fail. VMware recommends using IPsec with Jammy stemcell v1.93 and later. For more information, see the VMware Tanzu Support documentation.

v1.9.40

Release Date: January 11, 2023

Maintenance Changes

• swanctl.conf replaces the legacy ipsec.conf
• Strongswan: Upgraded to v5.9.5
• OpenSSL FIPS: Upgraded to v2.0.20-vmw

Known Issues

There are no known issues in this release.

v1.9.39

Release Date: November 11, 2022

Maintenance Changes

• OpenSSL: Upgraded to v1.0.2zf to address CVE-2022-1292 and CVE-2022-2068
• Strongswan: Downgraded to v5.9.3 while compatibility issues with v5.9.5 are being addressed

Fixed Issues

• IPsec for VMware Tanzu now uses the FIPS-certified version of OpenSSL instead of the OpenSSL version supplied in Stemcell

Known Issues

There are no known issues in this release.

v1.9.38

Release Date: April 13, 2022

Maintenance Changes

• OpenSSL: Upgraded to v1.0.2zd to address CVE-2022-0778.
• Strongswan: Upgraded to v5.9.5.

Known Issues

There are no known issues for this release.

v1.9.37

Release Date: November 1, 2021

Maintenance Changes

Maintenance changes in this release:

• Upgrades OpenSSL to patch the following CVEs:
  • High CVE-2021-3711
  • High CVE-2021-3712
• Strongswan: Upgraded to v5.9.3.
• GMP: Upgraded to v6.2.1

Known Issues

There are no known issues for this release.

v1.9.35

Release Date: April 9, 2021

Maintenance Changes

Maintenance changes in this release:

• Upgrades OpenSSL to patch the following CVEs:
  • Low CVE-2021-23839
  • High CVE-2021-23840
  • Medium CVE-2021-23841

Known Issues

There are no known issues for this release.

v1.9.32

Release Date: February 24, 2021

Fixed Issues

This release fixes the following issue:

• NATS clients connection: NATS clients failed to connect to NATS VM when rotating certificates

Known Issues

There are no known issues for this release.

v1.9.31

Release Date: December 4, 2020

Features

New features and changes in this release:

• Support for certificate rotation using CredHub Maestro: For more information, see Advanced Certificate Rotation with CredHub Maestro.

Fixed Issues

This release fixes the following issue:

• Deployment failure due to stale security associations: Large deployments, with a size of approximately 300 VMs, failed due to stale security associations (SAs). The ipsec job now runs an ip xfrm state flush immediately after starting the charon process.
• Duplicate certificate subjects and serial numbers: Handles duplicate certificate subjects and serial numbers against the subjects and serial numbers of all the certificate authorities.

Known Issues

This release has the following issue:

• NATS clients connection: NATS clients fail to connect to the NATS VM when rotating certificates

v1.9.25

Release Date: June 2, 2020

Features

New features and changes in this release:

• Updates strongSwan to v5.8.4. For more information, see strongSwan 5.8.4 Released in the strongSwan documentation.

Known Issues

There are no known issues for this release.

v1.9.21

Release Date: October 17, 2019

Features

New features and changes in this release:

• Automatic restart: IPsec now restarts automatically when the host VM reboots. This now works for all IaaSes, including vSphere.

v1.9.19

Release Date: August 14, 2019

Features

New features and changes in this release:

• Updates strongSwan to v5.8.0: For more information, see strongSwan 5.8.0 Released in the strongSwan documentation.

Known Issues

There are no known issues for this release.

v1.9.13

Release Date: November 19, 2018

Features

New features and changes in this release:

• Updates strongSwan to v5.7.1. For more information, see strongSwan 5.7.1 Released in the strongSwan documentation.

Fixed Issues

This release fixes the following issues:

• Windows job failure due to matching certificate numbers: The IPsec Windows job failed if the instance certificate and CA certificate had the same common name or serial number. Now, IPsec does not deploy if there are duplicate common names or serial numbers in the certificate chain. For more information, see this troubleshooting symptom.

Known Issues

There are no known issues for this release.

v1.9.9

Release Date: August 23, 2018

Features

New features and changes in this release:

• Updates strongSwan to v5.6.3. For more information, see strongSwan 5.6.3 Released in the strongSwan documentation.

Fixed Issues

This release fixes the following issues:

• Failed logging on Windows 2012 R2: On Windows 2012 R2 where scheduled logging could not be created for the enablement of the following alerts: certificate expiration and optional IPsec enforcement.

• Subsequent deployments of IPsec did not start due to existing stale process IDs.

v1.9.4

Release Date: June 28, 2018

Features

New features and changes in this release:

• Starting with BOSH Director v265.1.0, the BOSH job lifecycle includes a post-stop phase. The charon IPsec daemon job is now stopped in the BOSH post-stop lifecycle phase instead of the BOSH stop lifecycle phase. The stop phase is now a no-op. This ensures the network remains available and secure while all other BOSH jobs perform their stop processing.

• Updates smoke tests to check connectivity using TCP protocol requests on port 22, rather than issuing an ICMP ping request to the remote host. This ensures that the smoke test produces an accurate result, even when ICMP is not enabled.

• Updates smoke tests to skip the connectivity check on localhost, because strongSwan does not create a transform when the source and destination addresses are equal.

View Release Notes for another Version

To view the release notes for another product version, select the version from the drop-down menu at the top of this page.