MikroTik RouterOS v6.34 released

MikroTik recently published release v6.34 of RouterOS, with a long list of changes and additions.

One of them deserves special attention: the change to IPsec phase 2 hmac-sha256-128, whose truncation length was changed from 96 to 128. This will cause compatibility problems with all previous versions and with other software that is currently compatible using that algorithm.
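The following is an added example, not MikroTik code: it shows why two peers with the same key and the same HMAC-SHA-256 algorithm still reject each other's packets when one truncates the integrity check value (ICV) to 96 bits and the other to 128 bits. The packet layout is a simplified ESP-like frame (no encryption, IV or padding), and the peer labels, SPI, key and payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

# ICV lengths in bytes; the peer labels are illustrative.
PEERS = {"pre-6.34 (96)": 12, "6.34 (128)": 16}

def icv(key, data, icv_len):
    """HMAC-SHA-256 over data, truncated to icv_len bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:icv_len]

def protect(key, spi, seq, payload, icv_len):
    """Simplified ESP layout: SPI | sequence | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(key, body, icv_len)

def verify(key, packet, icv_len):
    """Receiver treats the last icv_len bytes as the ICV.

    Returns the payload if the ICV matches, otherwise None (packet dropped).
    """
    if len(packet) < 8 + icv_len:
        return None
    body, tag = packet[:-icv_len], packet[-icv_len:]
    if not hmac.compare_digest(tag, icv(key, body, icv_len)):
        return None
    return body[8:]

def interop_matrix(key, payload):
    """Try every sender/receiver pairing with the same key and payload."""
    result = {}
    for sender, s_len in PEERS.items():
        packet = protect(key, 0x1000, 1, payload, s_len)
        for receiver, r_len in PEERS.items():
            result[(sender, receiver)] = verify(key, packet, r_len) == payload
    return result

if __name__ == "__main__":
    key = bytes(range(32))                    # constructed sample key
    payload = b"constructed sample payload"   # constructed sample data
    for (sender, receiver), ok in interop_matrix(key, payload).items():
        status = "accepted" if ok else "DROPPED"
        print(f"{sender:>14} -> {receiver:<14} {status}")
```

The 96-bit ICV is just the first 12 bytes of the 128-bit one, so the mismatch comes purely from where each side expects the ICV to start, and both ends of a tunnel need the same truncation length.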

The full list of changes is:

What's new in 6.34 (2016-Jan-29 10:25):

*) mipsle - architecture support dropped (last fully supported version 6.32.x);
*) dude - The reports of my death have been greatly exaggerated;
*) dude - dude RouterOS package added for tile and x86 (CHR) architecture;
*) dude - package included by default to all CHR images;
*) dude - initial work on dude integration into RouterOS;
*) bgp vpls  - fixed initialization after reboot;
*) mpls - forwarding of VRF over TE tunnel stopped working after BGP peer reset;
*) ipsec - improved TCP performance on CCRs;
*) btest - significantly increased TCP bandwidth test performance;
*) winbox - fixed possible busy-loop on v2.x with latest 6.34RC versions;
*) cerm - allow to sign certificates from imported CAs created with RouterOS;
*) ldp - fix MPLS PDU max length;
*) net - improve 64bit interface stats support;
*) routerboard - print factory-firmware version in routerboard menu;
*) snmp - add oid from ucd mib for total cpu load OID 1.3.6.1.4.1.2021.11.52.0;
*) winbox - add extra items automatically to multi-line fields if at least one of them is required;
*) winbox - implemented full ipv6 dhcp client;
*) winbox - update blocked flag if user changed blocked field in dhcp server lease;
*) mac-telnet - fixed backspace when typing login username;
*) sstp - allow ECDHE when pfs enabled;
*) lte - fixed info command for Cinterion EHS5-E modem;
*) fast-path - fixed kernel crash on on/off;
*) licensing - fixed that some old 7 symbol keys could not be upgraded;
*) ssh - fixed possible kernel crash;
*) console - fixed crash on creating variable with "?" in it;
*) chr - fix SSH key import on AWS;
*) crs212 - fix 1Gbps ether1 linking problem;
*) timezone - use backward timezone aliases;
*) lte - support serial port for DellWireless 5570;
*) lte - improved dhcp handling on interfaces that doesn't support it;
*) ipsec - allow my-id address specification in main mode;
*) dhcpv6 client - fix remove when client reappears on restart;
*) default config - fix hAP lite with one wireless;
*) firewall - added inversion support for "limit" option;
*) firewall - added bit rate matching for "limit" option;
*) firewall - improved performance for "limit" option;
*) dhcpv6-client - fix ia lifetime check;
*) ipsec - prioritize proposals;
*) ipsec - support multiple DH groups for phase 1;
*) netinstall - fix apply default config;
*) tile -  make sure that SFP rj45 modules that use forced 1G FD settings work correctly after system reboot;
*) wireless - added WPS buttons support on hAP and hAP ac lite;
*) upnp - added comment for dynamic dst-nat rules to inform what host/program required it;
*) webfig - recognize properly CHR;
*) chr - license fix for AWS and similar solutions;
*) arm - fix usb modem modules on ARM;
*) dhcpv6-client - fixed stopped state;
*) netinstall - sort packages by name;
*) firewall - do not allow to add new rule before built-in (reverted);
*) winbox - include FP in fast-path column names;
*) ipsec - fix phase2 hmac-sha-256-128 truncation len from 96 to 128
This will break compatibility with all previous versions and any other
currently compatible software using sha256 hmac for phase2;
*) ssh, ftp - make read, write user group policy aware;
*) tunnel - fix keep-alive (introduced in 6.34rc);
*) cerm - show last crl update time;
*) quicket - support CAP mode on all existing wireless packages;
*) wlan - add united states3 country;
*) fast-path - fix locking issue which could lead to reboot loop (introduced in 6.34rc20);
*) userman4 - try loading signup files from db path first;
*) sstp - allow to limit tls version to v1.2 only;
*) chr - make tool profile work on 64bit x86;
*) dhcpv6-server - added binding server=all option;
*) hotspot - added html-directory-override & recognize default hotspot user;
*) hotspot - fixed export of default trial user;
*) hotspot - fixed memory leak on https requests;
*) winbox - allow to specify amsdu-limit & amsdu-threshold on 11n wifi cards;
*) winbox - added multicast-buffering & keepalive-frames settings to wireless interfaces;
*) CHR - implemented trial support for different CHR speed tiers;
*) dhcpv6-client - fix add route/address;
*) usb - enable ch341 serial module;
*) lte - make sure that both LTE miniPCI-e cards are recognized;
*) winbox - show Common-Name of certificates in certificate list;
*) winbox - added units to PCQ queue fields;
*) net - do not break connection when interface is added to bridge;
*) hotspot - show cookie add/remove events in hotspot,debug log;
*) hotspot - allow static entries with the same mac on multiple hotspot servers;
*) hotspot - do not remove mac-cookie in case of radius timeout;
*) hotspot - added byte limits option for default-trial users;
*) ipsec - make sure that dynamic policy always has dynamic flag;
*) CAPsMAN - use CAP name in log when remote-cap is deleted (wireless-cm2);
*) hotspot - fixed login by mac-cookie when roaming among hotspot servers;
*) hotspot - add html-directory-override for read-only directory on usb flash;
*) hotspot - add uptime, byte and packet counter variables to logout script;
*) net - fix statistics counters jumping up to 4G;
*) firewall - SIP helper update for newer Cisco phones;
*) usermanager - fixed usermanager web page crash;
*) ipsec - fixed active SAs flushing;
*) hotspot - added option to login user manually from cli;
*) hotspot - fixed trial-uptime parsing from CLI to Winbox/Webfig;
*) lte - added support for multiple E3372 on the same device;
*) modem - added wpd-600n ppp support;
*) console - fixed incorrect disabled firewall rule matching to "invalid flag";
*) dns - fix for situation when dynamic dns servers could disappear;
*) sfp - fix 10g ports in 1g mode (introduced in 6.34rc1);
*) CCR1072 - added support for S-RJ01 SFP modules;
*) trafficgen - fixed issue that traffic-generator could not be started twice without reboot;
*) dhcpv6-server - replace delay option with preference option.
--
*) winbox - show properly route-distinguisher for bgp vpn4;
*) winbox - show dhcp server name in dhcp leases;
*) ppp - make CoA work correctly with address-lists;
*) winbox - fixed tab names to correspond to console;
*) winbox - show only actual switch-cpu ports in switch setting combobox;
*) winbox/webfig - fixed version column ordering in ip neighbors list;
*) webfig - fixed switch port "default vlan id" has missing "auto" value;
*) webfig - fixed firewall connection-bytes option;
*) ipsec - fixed kernel failure after underlying tunnel has been disabled/enabled;
*) romon - allow to see device identity if it is longer than 31 character;
*) fastpath - show fp counters in /interface monitor aggregate;
*) bridge firewall - fix  chain check (broken since 6.33.2);
*) bridge firewall - fixed crash when jump rule points to disabled custom chain;
*) smb - fix crash when changing user which has open session;
*) address-list - properly remove unused address-lists from drop-downs;
*) fetch - fixed closure after 30 seconds;
*) capsman - fix radius accounting stop message;
*) log - reopen log file if deleted;
*) packing - fix tcp/udp checksums when simple packing is used;
*) tile - fix ipsec freeze after SA updates;
*) upnp - fixed missing in-interface option for dynamic dst-nat rules;
*) tunnel - fix complaining about loop after ~248 days;
*) vrrp - make sure that VRRP gets state on bootup;
*) ppp - fixed rare kernel crash (introduced in v6.33);
*) ppp - do not allow empty name ppp secrets;
*) ssh - fix active user accounting.

It can be downloaded from the MikroTik website in the downloads section, or from Winbox under System > Packages.