v5.0rc1 (Unreleased)
* BSD: fix esp=aes_gcm [github/1220, Igor V. Gubenko, Andrew]
* ipsec: deprecate ipsec auto sub-command [Tuomo]
- ipsec auto --{cmd} connection -> ipsec {cmd} connection
* IKEv1: globally disabled by default (ikev1-policy=drop) See RFC9395
* IKEv1: drop support for Labeled IPsec [Andrew]
* IKEv2: warn that fragmentation=force is ignored [Andrew]
* whack: add --fragmentation option; change default to yes [Andrew]
* config: fix keyexchange={ikev1,ikev2}; deprecate ikev2= [Andrew]
* pluto: retry and revival code merged (dpdaction=, keyingtries= ignored) [Andrew]
* pluto: avoid post-authentication crash on corrupt TS payload [Andrew]
* pluto: Support addresspool=v4/mask,v6/mask [Andrew]
* pluto: Support multiple TSes per Child SA [Andrew]
* pluto: HW packet offload support [Raed Salem <raeds@nvidia.com>]
* pluto: XFRM interface IP management with ref-counting [Brady Johnson]
* pluto: Check return values of libcap-ng functions [Paul]
* pluto: Fix IPcomp with XFRM interfaces [Wolfgang]
* building: remove old copy of unbound headers [Andrew]
* building: Use DESTDIR instead of FINAL* env vars [Andrew]
* building: Fix "make git-rpm" [Paul/Tuomo]
* install: overhaul [Andrew]
- use INSTALL_INITSYSTEM=false to prevent update of /etc/<initsystem>
- use INSTALL_CONFIGS=false prevents update of /etc/ipsec.d et.al.
- drop FINAL* make variables; see mk/config.mk for alternatives
* show/verify: drop these ipsec subcommands (old, incomplete) [Paul]
* packaging: Fix debian systemd service install [Antonio Silva]
* testing: Fix namespace tests for super long dir names [Paul]
* initsystem: Use documented ipsec sub-commands [Tuomo]
* initsystem: Stop using _stackmanager [Tuomo]
* documentation: update to docbook xml 4.5 [Tuomo]
* output: drop NNN_ prefix from all output [Andrew]
* ipsec look: script moved to contrib/; use ip xfrm et.al. [Andrew]
* ipsec portexcludes: script moved to contrib/ [Andrew]
* ipsec barf: script moved to contrib/ [Andrew]
* ipsec _secretsensor: script moved to contrib/ [Andrew]