RHEL-81045: Rebase libreswan to 5.2
Project: RHEL


    • libreswan-5.2-1.el10_0
    • Important
    • Rebase
    • 1
    • rhel-security-crypto
    • ssg_security
    • 30
    • 1
    • False
    • False
    • Yes
    • Red Hat Enterprise Linux
    • Crypto25Q1
    • Approved Exception
    • Rebase
      .Libreswan provided in version 5.2

      In RHEL 10, Libreswan is provided in upstream version 5.2. This version provides many bug fixes and enhancements, most importantly the following:

      --
      * Duplicate `--ctlsocket` option for the `whack` command is fixed (link:https://issues.redhat.com/browse/RHEL-75605[RHEL-75605]).
      * An expectation failure with crossing streams is fixed (link:https://issues.redhat.com/browse/RHEL-73236[RHEL-73236]).
      * Parsing protoport configuration has been optimized (link:https://issues.redhat.com/browse/RHEL-74850[RHEL-74850]).
      * Incorrect outputs for the `ipsec showhostkey` command are fixed (link:https://issues.redhat.com/browse/RHEL-75975[RHEL-75975]).
      * Crashes on executing `ipsec --rereadsecrets` are fixed (link:https://issues.redhat.com/browse/RHEL-69403[RHEL-69403]).
      * The `keyingtries` and `dpd*` options are ignored.
      * The `ipsec-interface-managed=no` option for network namespaces has been introduced.
      * Linux-specific updates:
      ** Added support for packet offload counters in Linux kernel 6.7 and above.
      ** Implemented IP-TFS (IP Traffic Flow Security) support as per RFC 9347.
      ** Ensured compatibility with Linux kernel 6.10+ by setting the replay window to 0 on outbound SAs.
      ** Fixed issues related to the `nopmtudisc` setting on inbound security associations (SA).
      * IKEv2 enhancements:
      ** Introduced support for RFC 5723 IKE Session Resumption, enabling session resumption without re-authentication.
      ** Added support for `draft-ietf-ipsecme-ikev2-qr-alt-04`, enhancing key exchange mechanisms.
      ** Implemented PPK (Post-quantum Pre-shared Key) in the INTERMEDIATE exchange to improve security.
      --
      NOTE:: Peer authentication that uses PKCS #1 v1.5 RSA with SHA-1 requires explicitly allowing SHA-1 signatures in NSS by using a custom cryptographic policies subpolicy. This is necessary when `authby=rsa-sha1` is configured, or in a default configuration when an authenticated peer does not support RFC 7427.
    • Done

      This is a tracker for the libreswan-5.2 rebase.

              Daiki Ueno (dueno@redhat.com)
              Ondrej Moris (omoris)
              Sahana Prasad Hebbur Narasimha Prasad
              Jan Fiala
              Votes: 0
              Watchers: 6