
Note that listings are in chronological order of release times, not in order
of version numbers, so you will find 2.5.x and 2.6.x releases intersperced.

See also docs/KNOWN_BUGS and http://bugs.openswan.org/

v2.6.15
* Patch to support NETKEY backport on Debian kernels [Rene Mayrhofer]
* Fix a crasher when using right=%any with plutodebug=controlmore [paul]
* Added disable_port_floating support to scripts and parser and
  repair the default back to allow port floating [paul]
* Change (back) defaults of plutorestartoncrash and uniqueids from
  no to yes. The new parser mistakenly did not set these [paul]
* Revert af family code in find_host_pair causing some connections to not
  be found in find_host_connection2() [paul]
* Fixes to _updown.mast, _realsetup (mast) and startklips [paul]
* Fixed to saref code so we can build on OSX again [paul]
* Use PREROUTING instead of OUTPUT/FORWARD for mast [mcr]
* NETKEY support for eroute_idle using get_sa_info() [herbert/andreas]
* Do not send DPD "R_Y_THERE" when eroute not idle [andreas]
* Support for Relative Distinguished Name "unstructuredName"/"UN"
  in ID_DER_ASN1_DN identities (eg leftid="UN=John Doe") [andreas]
* Removed forwardcontrol= and rp_filter= options. Ignore if present
  in config file. Use /etc/sysctl.conf [paul]
* Fix for left="%defaultroute" when using NETKEY [tuomo]
* Fix for KLIPS on SMP systems (missing SOCKOPS_WRAP for pfkey_ops) [dhr/paul]
* Merged in some IPsec SAref related code [mcr/paul]
* Merged in packaging/suse for building rpms on SLES [paul]
* Bugtracker bugs fixed:
  #784 / #928 : openswan (pfs=yes) to vista (pfs=no) crasher [paul/dhr]
  #934: mem leak in klips:ipsec_rcv_decap [Wolfgang Nothdurft]
  #935: 935: Openswan 2.6.14rc5 refuses to start after carsh  [paul]
  #939: Openswan 2.6.14rc5 crashes on startup if dns is not reachable [andreas]
        (curl issue on 64bit platforms when dns is not available)
  #953: disable_port_floating defaults to yes and config parser... [paul]
  #954: patch to support DEFAULT_SOURCE using netkey [mdw21]
  #957: pluto always gets --disable_port_floating parameter... [paul]
  #963: rp_filter=%unchanged option causes assertion failure  [paul]
  #964: make -j4 programs fail [tuomo]

v2.6.14
* Fix for integ vs prf mixup [herbert/antony] 
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=439771
* Merged in v2.5.18 (see entries below) [paul]
* Merged in v2.5.17 (see entries below) [paul]
* Merged in v2.5.12-v2.5.16 (see entries below) [paul]
* NETKEY and crypto modules did not get loaded automatically [paul]
* Updated "clear" policy file for L root nameserver's new IP for OE. [paul]
* Added testcase interop-ikev2-strongswan-06-aes192 [paul]
* Removed "interfaces= is ignored when using the NETKEY stack" warning
  as it caused confusion and a wrong patch in Fedora 9. [paul]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=445179
* Fix for a few warnings of using "en" uninitialised [dhr]
* Various fixes on strnat, chdir, fwrite, fgets, etc. [paul]
* Fix for a potential crasher when displaying status using certs [paul]
* Removed obsoleted and unused  hardware random related defines [paul]
* Maintanance on IKEv2 properties and names [paul]
* IKEv2 rekey fix for initiator [herbert]
* KLIPS fixes to compile on 2.6.24+ [david/paul]
* Added AES-CCM support [herbert]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=441383
* Support for KLIPS on 2.6.24+ [david]
* Bugtracker bugs fixed:
  #943: Openswan 2.6.14rc5 pluto crash at ikev1_main.c:1145 
  #936: EXPECTATION FAILED kernel_ops->eroute_idle != NULL [paul]
  #930: 'best.len' and 'cur.len' may be uninitialised. [Michal Nazarewicz]
  #781: %defaultroute detection broken on netkey for 2.5.x [paul]


* Above 2.5.x merges brings in userland IPsec SAref support. Requires
  kernel support, currently only supported with USE_MAST.(KLIPSNG)
  Also requires kernel modification to add IP_IPSEC_REFINFO support 
  This adds support for overlapip, allowing multiple clients behind the
  same NAT router and multi clients on identical IP's behind different
  NAT routers. For possible deployments, see doc/ipsecsaref.png

v2.6.13
* RFC4306 Section 3.3.5 IKEv2 Attribute KEY_LENGTH support [herbert/paul]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=444166
   https://bugzilla.redhat.com/show_bug.cgi?id=439771
* Support for ESP_NULL and AH_NULL [herbert/paul]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=442955
   https://bugzilla.redhat.com/show_bug.cgi?id=442956
* Close on file descriptors on exec (fixes SElinux avc denials) [Neil Horman]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=442333
* Fix a memory leak by removing unused variables alg_esp and alg_ike [dhr]
* linux/include/crypto renamed to linux/include/klips-crypto [paul]
* Fix for IKEv1-only policies attempting bogus IKEv2 rekeys [Miloslav Trmac]
* Bugtracker bugs fixed:
  #198: Connection not coming up automatically, plutowait=yes workaround [tuomo]
  #622: pluto memory leak [dhr]
  #916: KLIPS kmod fails to compile 2.6.22 based kernel (...) [paul]
  #917: pluto fails to compile when using pam. xauth [Tamas Pal]
  #922: pluto crashes on rekey failure [Miloslav Trmac]

v2.6.12
* Add aes-*-modp1024 proposals to default responder policy db [antony]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=439985
* Fix for ikev1 continuation segfault (only the first helper's continuations
  were cleaned up properly (eg. on dpd, sa expires..) [Anthony Tong]
* Redid fix for leftsourceip/rightsourceip getting deleted [paul]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=432821
* As per RFC 4309, use modp2048 as default for PSK with IKEv2 [paul]
  Relates to https://bugzilla.redhat.com/show_bug.cgi?id=441588
* Added workaround for INITIATOR/RESPONDER keys being swapped [herbert]
* Preliminary work to support IKEv2_ENCR_AES_CCM__* algos [paul]
* modprobe the AES ccm kernel module on startup [paul]

v2.6.11
* Fix state machine to pick proper Responder STATE_UNDEFINED state
  when receiving R1 NO_PROPOSAL_CHOSEN [dhr/paul/antony]
* Fixes to some enum tables that caused (null)'s in logs [dhr/paul]
* Starting the prf+ counter from 1 instead of 0 [herbert]
* Removed wrong Gr check [antony]
* Added IKEv2 NO_PROPOSAL_CHOSEN processing [antony]
* Clone st_ni/st_nr chunks for child SA [herbert]
* Various smal logging changes - mostly to fix (null)'s [paul/dhr]
* AUTH_ALGORITHM_HMAC_SHA2_* are now logged properly [paul]
* interop-* testcase output updated [paul]


v2.6.10
* Includes fallback from IKEv2->IKEv1 [mcr]
* IKEv2 bid-down attack recovery [mcr]
* changes to I1 retransmission timers [mcr]
* Only check for bid-down when POLICY_IKEV2_PROPOSE to avoid two ikev2
  capable ikev1 instances from false detecting a biddown [paul]
* Fix ikev2_trans struct (redhat bug #438826) [dhr/paul]
* Revisit of 2.6.06 NOTIFY crasher - fixed again [paul]

v2.6.09
* Completed IKEv2 6msg exchange support [antony]

v2.6.08
* IKEv2 6msg exchange (responder, partially for initiator) [antony]
* IKEv2 notify support [antony]
* Some pullups from #testing related to NETKEY [paul/tuomo]
* Added force_busy option for testing 6msg exchange [paul]
* OSX compile fixes [paul]
* sourceip= option fixed with NETKEY [paul]
* ipsec setup restart with NETKEY fix [paul]
* NETKEY, strongswan, racoon2 support in test harnass [paul/antony]

v2.6.07
* IKEv2 retransmit fixes [mcr]

v2.5.18
* Do not use the KMEM_CACHE macro for now, so KLIPS works on 2.6.23 [paul]
* Sha2 support for X.509 certificates in pluto [Daniel Mueller]
* Various memory leaks
* uclibc workaround for malloc(0) abort. Fixes to not malloc 0 [paul]
* Bugtracker bugs fixed
 #917: pluto fails to compile when using pam. xauth [folti]
 #919: Invalid memory access in show_dnskey of showhostkey.c [paul]

v2.5.17
* Implemented netlink_shunt_eroute() [paul]
* Simplified _updown.netkey [tuomo]
* Bugtracker bugs fixed
  #460: Fix bogus header with delayed MAIN I2->R2 [Herbert Xu]
  #496: kernel_alg_esp_auth_ok() call fixed - [gernot]
  #761: pluto crashes after removing interface [Tillman Baumann]
  #897/731: crash in alg_info_snprint() - ["Deep Throat"]
  #889: backport from #ikev2 branch to fix ipsec_delete_sa with NETKEY [mcr]

v2.6.06
* Added IKEv2 X.509 CERTREQ [antony]
* Interop fix for IKEv2 PSK - Use correct IETF Key Pad without \0 [paul]
* Fixed a few IKEv2 related crashers on receiving a NOTIFY in R1 [paul]

v2.6.05
* Added IKEv2 X.509 CERT [antony/paul]

v2.6.04
* Added IKEv2 PSK AUTH [antony/paul]

v2.6.03
* Added IKEv2 RSA AUTH [mcr]

#ikev2 (v2.6.01)
* IKEv2 support

#stable
* Merged in XAUTH DNS/WINS server-side patch from Anna Wiejak [paul]
  See: http://popoludnica.pl/?id=10100110 
* Various fixes to the scripts for NETKEY [paul]
* KLIPS support for the 2.6.23+ UDP ENCAP sockets [mcr]
  Userland support not yet finished. This should obsolete the NAT-T patch
  when finished.
* incorporated changes between 2.4.8 and 2.4.9
* incorporated changes between 2.4.9 and 2.4.10
* Notice and gracefully fail to load KLIPS when we try to load esp/ah/ipcomp
  protocol and another module already has registered these (eg esp4, ah4,
  ipcomp) [paul]
* Fix for KLIPS NAT-T dropping all packets on 64bit big endian machines [dhr]
* FIx for KLIPS on 2.6.23.1 without CONFIG_NF_CONNTRACK* [paul]
* Bugtracker bugs fixed:
  #600: multiple definitions of passert_fail when cross-compiling.
  #852: dd_connection() fails with ...not AH+ESP for type=passthrough conns
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #654: XAUTH strips space out of username/password + patch [Dustin Lang]
  #641: Herein patches to fix warnings if -Wshadow is used [andygay/paul]
  #580: kernel 2.4.x cryptoapi broken [espakman]
  #582: Cannot initiate on demand a connection with traffic selectors [Ilia Sotnikov]
  #590: serpent lib used private kernel header [paul]
  #544: the following error should only show up for x509 debugging: ... [paul]
  #185: Deadlock in function "scx_release()" daemon pluto.(SMARTCARD) [Kurodo]

v2.5.16
* Implemented netlink_shunt_eroute() [paul]
* Simplified _updown.netkey [tuomo]

v2.5.15
   change ipsec_breakroute to permit non-existant eroute's to be replaced.  
   fix for NAT-T negotiation with IP address changes during negotiation.
   adjusted addconn to support nat-t debug keywords.

v2.5.14
   failed attempt to fix ipsec_breakroute.
   fixed leftsendcert= to be implemented in keyword parser.
   introduced startnetkey functions.
   UML kernel configuration canonicalization updated.

v2.5.13
   move DNS lookups from libipsecconf into pluto, where they belong. DNS lookups
	are still only done once during conn load time, and are done synchronously.

v2.5.12
   A fix to detect that XEN has been patched into the kernel, and set
   some of the 2.6.18 changes.
   never log starter_log() things to stdout, they always go to stderr.
   when a packet is passed through, do not call NF_IP_LOCAL_OUT, as it has already 
	passed through the output hooks, and doing it again, confuses things
	causing ip_route_me_harder() which creates a look, since it does the flow
	lookup again. (This doesn't happen if the kernel hasn't got XFRM support)
   fixed parsing of config file so that "version 2" is accepted.
   fixed addconn to respect "right/left"sourceip=, new test case sourceip-01 
   fixed processing of "first"/"last" packet for %trap/%hold conns in KLIPS, it now
	properly forwards the packets when the packet is released.
   

v2.5.11
   Some fixes in KLIPS for "ipsec eroute --clear" bug. It is not clear
   why this suddendly became an issue, or if it would have been an issue
   previously, given the right compiler optimization.
   
v2.5.10
   Includes fixes for xmlto generation for _confread directory.

v2.5.09
   Minor fix to build process, updated CHANGES file.

v2.5.08
   Correct release.
   Includes some changes to permit OE to work without nexthop,
   however this seems to cause it to return an unreachable on 
   the first message.

v2.5.07	-dud due to release script error.

v2.5.06
   set LANGUAGE, LANG and LC_ALL in setup script.
   change OE off by default note and scripts.
   Merge of additional code from 2.4.
   
v2.5.05
   2.5.03 and 2.5.04 were not properly released, and 2.5.05 now
   is properly released and includes below items
    
v2.5.04
    zero peer_ca to avoid crashes.
    (include glob's may still not work correctly)

v2.5.0sbs5
    fixed issues with libwhack not getting built with VIRTUAL_IP.
    adjusted programs/pluto/Makefile to depend upon libraries better

v2.5.0sbs4
    When a template conn is instantiated for a phase 1 configuration, it
	may still need to be adjusted to a virtual IP address. In addition,
	change the order of the virtual IP address setting and the
	port-wildcard processing.
        This patch also provides some additional debugging of the proposal
	which actually processed by the machinery.

    tests for L2TP+X.509 L2TP configuration --- 2 clients behind the
        same NAT with certificates that need to have their connection both
        instantiated (in phase 1) and virtualized (in phase 2).

v2.5.03

    ipsec.conf parsing should ignore keywords that start with x-
	they are a form of structured comment.
    added in forceencaps= keyword.
    process wildcards with glob() in include statements.

v2.5.02
    fixed bug in ipsec.conf parser, where it could not read values
       that had = in them (such as base64 encoded keys)
    fixed bug in key continuation code that could cause a crash
	if the DNS request timed out after the state was deleted
	for other reasons.
 
v2.5.01
    merged xauthusername code base + multinet tests in.
    removed /dev/hw_random from list of valid random sources on linux.
        use "rngd" instead to feed /dev/random.

v2.5.00 
    fixed various bugs with lifetime values in ipsec.conf parser
    AES-128 (group 5, MD5 or SHA1 for PRF) is now accepted for phase 1,
	and it is now the preferred cipher as well. This should be the
	case for Main mode, Aggressive mode, and for XAUTH client and
	XAUTH server, and PSK and RSA sig mode.

    fixes so that starter will now compile
    move whacklib to lib/libwhack
    adjust makefiles to work with OBJDIR version of Makefile.program
    switch to OBJDIR in programs/* and lib/* if it is defined

    added sanitizer for PID files
    be smarter about including git version info into version
    We need to use /dev/urandom first, as it has more random than /dev/random.
       Otherwise, we run out really fast (within a few minutes)
    Use endian.h when comiling out-of-kernel
    patch to turn error about 17/500,0/0 vs 17/0 error with Cisco VPN3000
       into a warning.
    remove test for NAT-T VID vs NATD payload test. It fails for reasons
       that are unknown at this time, and this check is really being pedantic.
    MAJOR: use starter code for "addconn"
    MAJOR: always use OBJDIRs, and compile on Windows (no kernel)
    MAJOR: includes "Taproom" code --- TCL call outs from pluto at IKE
		transition states. 

v2.4.10
* Fix for sock.sk_stamp type change in 2.6.22 [dhr]
* Workaround for implementations that propose port 0 for l2tp to allow
  us to connect to all their ports (instead of only 1701). This happens
  with Cisco VPN 3000, OSX and Windows XP. This relates to various
  reported bugs about rightprotoport=17/%any and CK_INSTANCE crashers [mcr]
  Use the workaround for OSX clients using rightprotoport=17/0
* Backport of fix for xauth name containing a space [paul]
* Fix for final next payload in Aggressive Mode [David McCullough]
* Fixes for compliling against 2.6.22 [David McCullough / Hugh Redelmeier]
  (note: NAT-T KLIPS patch will not work on 2.6.23+)
* Speed gains in the scripts on systems with many interfaces [David McCullough]
* passert declaration fix [David McCullough]
* A missed nfmark -> mark case in ipsec_sa.h [David McCullough]
* Fix for ktime_to_timeval to use proper kernel versions [paul]
* Added back -DCONFIG_KLIPS_ALG in KLIPSCOMPILE, which we require when not
  building KLIPS with David's OCF patch [paul]
* Added SElinux patch in contrib/ [Venkat Yekkirala]
* Bugtracker bugs fixed:
  #449: 17/%any is a template conn problem [mcr]
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #796: can't compile 2.4.8 on kernel 2.4.34 (module_param fix) [sergeil]
  #802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
  #813: incorporate tuomo's lsb patch [tuomo]
  #824: defaultroute detection fails with PPP default route [sergeil]
  (this is also the bug introduced in 2.4.9 that causes failed subnet tunnels)
  #855: Pluto restart impossible on busybox [paul]

v2.4.9
* Fix for Aggressive Mode with NAT-T (no negotiation in aggrmode) [mcr]
* Integrated most openwrt workarounds - tested on whiterussian  [paul]
* Typofix for smartcard support [andreas zwicker]
* Fix for when responder PSK incorrectly uses pfs and has nhelpers=0
  [Matthias Haas]
  #801: Patch for fixing type-punned compiler warnings [Alin Nastac]
  #811: Patch for using custom algs with CONFIG_KLIPS_ALG [iamscard]
  #812: Bogus defaultroute nexthop for PPPoE (& PPP?) [BruceS]

v2.4.10
* Fix for sock.sk_stamp type change in 2.6.22 [dhr]
* Workaround for implementations that propose port 0 for l2tp to allow
  us to connect to all their ports (instead of only 1701). This happens
  with Cisco VPN 3000, OSX and Windows XP. This relates to various
  reported bugs about rightprotoport=17/%any and CK_INSTANCE crashers [mcr]
  Use the workaround for OSX clients using rightprotoport=17/0
* Backport of fix for xauth name containing a space [paul]
* Fix for final next payload in Aggressive Mode [David McCullough]
* Fixes for compliling against 2.6.22 [David McCullough / Hugh Redelmeier]
  (note: NAT-T KLIPS patch will not work on 2.6.23+)
* Speed gains in the scripts on systems with many interfaces [David McCullough]
* passert declaration fix [David McCullough]
* A missed nfmark -> mark case in ipsec_sa.h [David McCullough]
* Fix for ktime_to_timeval to use proper kernel versions [paul]
* Added back -DCONFIG_KLIPS_ALG in KLIPSCOMPILE, which we require when not
  building KLIPS with David's OCF patch [paul]
* Added SElinux patch in contrib/ [Venkat Yekkirala]
* Bugtracker bugs fixed:
  #449: 17/%any is a template conn problem [mcr]
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #796: can't compile 2.4.8 on kernel 2.4.34 (module_param fix) [sergeil]
  #802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
  #813: incorporate tuomo's lsb patch [tuomo]
  #824: defaultroute detection fails with PPP default route [sergeil]
  (this is also the bug introduced in 2.4.9 that causes failed subnet tunnels)
  #855: Pluto restart impossible on busybox [paul]

v2.4.9
* Fix for Aggressive Mode with NAT-T (no negotiation in aggrmode) [mcr]
* Integrated most openwrt workarounds - tested on whiterussian  [paul]
* Typofix for smartcard support [andreas zwicker]
* Fix for when responder PSK incorrectly uses pfs and has nhelpers=0
  [Matthias Haas]
  #801: Patch for fixing type-punned compiler warnings [Alin Nastac]
  #811: Patch for using custom algs with CONFIG_KLIPS_ALG [iamscard]
  #812: Bogus defaultroute nexthop for PPPoE (& PPP?) [BruceS]

v2.4.5
* Fix for compiling on 2.6.14 kernels 
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2 


v2.4.4
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
  Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
  #499: check for module support in kernel for IPsec Modular Extensions
  #500: recent awk breaks on 'setdefault' command


v2.4.3
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (incorrect fixed. version not released)

v2.4.2
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accomodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
  #286 Incorrect links in intro.html
  #344 netkey-acquire patch
  #376 install_ipsec_sa and install_inbound_ipsec_sa
  #486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
  (see http://www.openswan.org/niscc2/)

v2.4.1
* Not publically released

v2.4.0
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Various bugfixes: #269, #328, #342, #350, #355, #357, #361, #363

v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying alot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obselete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support 

v2.3.0
* KLIPS for 2.6 support (Experimental)
  [ good results on FC3-AMD and vanilla/debian kernel source, but not
    FC3-intel. Might be the grsecurity patch  ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.

v2.2.0
* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25

v2.1.2
* Fix loading of 2.6 modules 
* Fix for snprintfs() in /proc, new for 2.4.25 kernels (dhr/pw)
* Fix checks for some log files/dirs in case they are sockets or pipes (pw)
* Fix for crl.pem crash/core (dhr/as/kb)

v2.1.1
* Fix _pluto_adns installation path (kb)
* Fix sending of X.509 CR's when no CA present (mcr)

v2.1.0
* NAT-T support (Mathieu Lafon - Arkoon)
* X.509 fixes (Andreas Steffan)
* New configuration file directive, {left|right}sourceip=#.#.#.# 
  This will set the source address when talking to a particular 
  connection.  This is very usefull to assign a static IP to your laptop 
  while travelling.  This is based on Tuomo Soini's Advanced Routing 
  patch.

