strongswan-4.3.6dr5
-------------------

- The IKEv2 daemon supports RFC 3779 IP address block constraints
  carried as a critical X.509v3 extension in the peer certificate.

strongswan-4.3.6dr4
-------------------

- The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
  server entries that are sent via the IKEv1 Mode Config or IKEv2
  Configuration Payload to remote clients.

- The Camellia cipher can be used as an IKEv1 encryption algorithm either
  with the openssl or gcrypt library.

strongswan-4.3.6dr3
-------------------

- Added required userland changes for proper SHA256 and SHA384/512 in ESP
  that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256"
  keyword now configures the kernel with 128 bit truncation, not the
  non-standard 96 bit truncation used by previous releases. To use the
  old 96 bit truncation scheme, the new "sha256_96" proposal keyword has
  been introduced.

- Fixed IPComp in tunnel mode, stripping out the duplicated outer header.
  This change makes IPComp tunnel mode connections incompatible with
  previous releases; disable compression on such tunnels.

strongswan-4.3.6dr2
-------------------

- More detailed IKEv2 EAP payload information in debug output.

- IKEv2 EAP-SIM and EAP-AKA share the joint libsimaka library.

- The IKEv1 and IKEv2 daemons now share the PGP certificate parsing
  capability.

strongswan-4.3.6dr1
-------------------

- The IKEv1 and IKEv2 daemons now check certificate path length
  constraints.

- The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
  allowing interoperability.
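
The truncation change noted under strongswan-4.3.6dr3, as an added example that is not strongSwan or kernel code: a simplified ESP-style packet (no encryption or padding) shows why a peer using "sha256" and a peer using "sha256_96" drop each other's traffic. The helper names, key, SPI and payload are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# ICV length in bytes for the two proposal keywords named in the release note.
ICV_LEN = {"sha256": 16, "sha256_96": 12}

def protect(key, spi, seq, payload, keyword):
    """Simplified ESP-style packet: SPI | sequence | payload | truncated ICV."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN[keyword]]
    return body + icv

def verify(key, packet, keyword):
    """Return the payload if the ICV is valid under `keyword`, else None."""
    n = ICV_LEN[keyword]
    if len(packet) < 8 + n:
        return None
    # The receiver decides where the ICV starts from its own keyword,
    # so a mismatch shifts the boundary between payload and ICV.
    body, icv = packet[:-n], packet[-n:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:n]
    if not hmac.compare_digest(icv, expected):
        return None
    return body[8:]

def interop_matrix(key, payload):
    """Try each sender/receiver keyword pairing; True means accepted."""
    result = {}
    for tx in ICV_LEN:
        packet = protect(key, 0x1000, 1, payload, tx)
        for rx in ICV_LEN:
            result[(tx, rx)] = verify(key, packet, rx) == payload
    return result

# Constructed sample key and payload.
KEY = bytes(range(32))
PAYLOAD = b"constructed sample payload"

if __name__ == "__main__":
    for (tx, rx), ok in interop_matrix(KEY, PAYLOAD).items():
        print(f"sender={tx:<10} receiver={rx:<10} accepted={ok}")
```

Only the pairings where both sides use the same keyword are accepted, which is why a tunnel to a peer still on the 96 bit scheme needs "sha256_96" configured explicitly.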