deadsimple BSD Security Advisories and Announcements

OpenIKED 7.1 released

We have released OpenIKED 7.1, which will be arriving in the
OpenIKED directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

  * Added 'ikectl show certinfo' command to print loaded CAs and certificates

  * Improved IKEv2 Message Fragmentation with more reliable retransmission logic

  * Take "Destination ID" payload into consideration when matching policy for
    incoming handshake to allow finer control over flow configuration

  * Changed the "proto" config field to optionally accept a list of protocols

  * Added support for using AppArmor to limit process privileges on Linux.

  * Hardened default build flags

  * Fixed a bug where authentication via local certificates did not work
    as intended

  * Fixed handshake proposal matching bug

  * Fixed a bug where alive timer was not reset on config reloading

  * Fixed a bug where iked sent zero-prefixed NAT-T messages on port 500
    causing parsing errors.

  * Fixed several memory leaks

  * Added a new portable regression test

OpenIKED is known to compile and run on FreeBSD, NetBSD, macOS
and the Linux distributions Arch, Debian, Fedora and Ubuntu.

It is our hope that packagers take interest and help adapt
OpenIKED to more distributions.

OpenIKED can be downloaded from any of the mirrors listed at, from the /pub/OpenBSD/OpenIKED

General bugs may be reported to Portable bugs
may be filed at

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release