Limitations and restrictions
Security improvements have been made in this release; however, some limitations still exist.
IPv6 is not supported on the 40G Fortville NIC.
VXLAN tunnels do not currently work with a multicast transport, so the command set interfaces vxlan xxx transport multicast-group has no effect.
A vxlan-gpe tunnel cannot be added to a bridge-group due to an underlying kernel issue.
While the OS does support IKEv1, Vyatta strongly recommends that IKEv2 is used to avoid the security vulnerabilities associated with IKEv1, such as reflection and amplification DoS attacks.
VRRP in RFC compatibility mode does not fully work on VRFs. Without RFC compatibility mode, VRRP works correctly with VRFs, and that configuration should be used instead.
The fixes for DSA-4078-1 [Meltdown] affect the performance of the Linux kernel. This effect is well publicised and should diminish as the Linux community works on better fixes and subsequent releases are made.
Starting in release 1808, the pre-built ESXi appliances require ESXi 6.5 or later; earlier ESXi versions are no longer supported.
From 1808 onward, the automated functionality that rewrites configuration in order to migrate to a newer release is no longer supported. It is not needed, because old configurations are always kept backward compatible.
Some unused predefined application names are no longer supported and have been deprecated. Existing configuration that references them will continue to load, but rules using these names will not match any packet flows. The full list of deprecated application names is: 123people, 360buy, about, adobe_online_office, ah, aim_express, amazon_mp3, amie_street, aprod, avatars_united, axifile, babelgum, berniaga, bestsharing_com, bigadda, bithq, blip_tv, blockbuster, blogdetik, blogspot, bonpoo, books_iread, bt_chat, buddybuddy, businessweek, camzap, chat_on, chosun_daily, cinemageddon, coralcdn_user, crazysaloon, cuteyhoneyflash, daily_booth, dealfish, directdownloadlinks, emaps, esp, filer_cx, filesend_net, files_to, filestube, fledgewing, foreningssparbanken, friendster, gamerdna, gigaup, gizmo, gogoyoko, google_desktop, google_picasa, grooveshark, hudong, investigator, jajah, justin_tv, kbstar, kino, livemocha, mail_ru_webagent, mashare, meerkat, meevee, megaupload, megavideo, mercador, mobile_me, mpquest, msn, msn_groups, msnmobile, msn_search, msn_video, muhitelyemen, multiupload, muxlim, mxit, my_opera, myyearbook, nabluslive, nefsys, netlog, nokia_ovi, oneclimate, oneworldtv, pando, paran, playahead, pps, present, prodavalnik, public, qapacity, qq_transfer, rapidupload_com, seesmic, sharethemusic, simpleupload_net, skydrive, skydrive_login, skyrock, slando, socialcam, socialvibe, sulit, synflood, the_auteurs, ttp, ubuntu_one, web, wiserearth, yahoo_biz, ymail_mobile, yourfilehost, youtube_hd, ytimg.
The IPsec remote-id hostname behaviour has changed from the 5400 vRouter, because the underlying strongSwan implementation has also changed. The new behaviour is that an FQDN given as the remote ID is not converted to an IP address by default; the ID is sent and matched as a literal FQDN. The strongSwan documentation describes this as follows:
If the string begins with @ the type is set to FQDN and the encoding is the literal string after that prefix. In versions before 5.0.0 this prefix prevents that a FQDN is resolved into an IP address, current versions don't automatically resolve FQDNs when parsing identities.
For more details see https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
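The practical consequence of this change is an ID mismatch: a remote-id configured as a hostname is now an FQDN-type identity and will not match a peer that presents its IP address as its ID, whereas the older strongSwan resolved the hostname and matched on the address. The following Python model, added here as an illustration and not code from the vRouter or from strongSwan, shows both behaviours side by side. It implements only the subset of strongSwan's documented identity rules needed for this point (IP literals, the @ prefix, bare hostnames and user@host forms; DN and key-ID forms are omitted), and the pre-5.0.0 "resolve the hostname" behaviour is modelled with a constructed lookup table rather than a real DNS query. All names and addresses in it are made up.

```python
import ipaddress
from typing import NamedTuple, Optional

# Identity types named in strongSwan's IdentityParsing documentation (subset).
ID_ANY = "ID_ANY"
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_IPV6_ADDR = "ID_IPV6_ADDR"
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"


class Identity(NamedTuple):
    kind: str
    value: str


def parse_identity(text: str) -> Identity:
    """Classify an identity string the way current strongSwan (>= 5.0.0) does,
    for the rules relevant here. Hostnames are never resolved: a bare FQDN
    and an '@'-prefixed FQDN both become a literal ID_FQDN identity."""
    if text in ("", "%any"):
        return Identity(ID_ANY, "")
    try:
        addr = ipaddress.ip_address(text)
        kind = ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR
        return Identity(kind, str(addr))
    except ValueError:
        pass  # not an IP literal, fall through to the string rules
    if text.startswith("@"):
        # '@' prefix: FQDN type, encoding is the literal string after the prefix
        return Identity(ID_FQDN, text[1:])
    if "@" in text:
        # user@host form is an RFC822 (user FQDN) identity
        return Identity(ID_RFC822_ADDR, text)
    return Identity(ID_FQDN, text)


def legacy_parse_identity(text: str, resolver: dict) -> Identity:
    """Model of the pre-5.0.0 behaviour: a bare hostname is resolved to an
    address identity when it resolves; only the '@' prefix prevents that.
    'resolver' stands in for DNS and is a constructed dict in this example."""
    current = parse_identity(text)
    if current.kind == ID_FQDN and not text.startswith("@"):
        resolved: Optional[str] = resolver.get(text)
        if resolved is not None:
            return parse_identity(resolved)
    return current


def ids_match(configured: Identity, presented: Identity) -> bool:
    """IKE peer identity check: both type and value must agree,
    unless the configured side accepts any identity."""
    if configured.kind == ID_ANY:
        return True
    return configured == presented


# Constructed stand-in for DNS (documentation address range, not a real host).
RESOLVER = {"vpn.example.com": "203.0.113.10"}


def compare_behaviours(remote_id: str, peer_presented: str) -> dict:
    """Return whether the configured remote-id matches the peer's presented ID
    under the old (resolving) and the new (literal) identity parsing."""
    presented = parse_identity(peer_presented)
    return {
        "legacy_match": ids_match(legacy_parse_identity(remote_id, RESOLVER), presented),
        "current_match": ids_match(parse_identity(remote_id), presented),
    }


if __name__ == "__main__":
    # A peer that authenticates with its IP address as its IKE ID no longer
    # matches a remote-id configured as the peer's hostname.
    print(compare_behaviours("vpn.example.com", "203.0.113.10"))
    # Configuring the address itself, or having the peer send its FQDN, fixes it.
    print(compare_behaviours("203.0.113.10", "203.0.113.10"))
    print(compare_behaviours("vpn.example.com", "vpn.example.com"))
```

When migrating a 5400 configuration, check each remote-id that is a hostname against what the peer actually sends in its IKE ID payload (visible in the peer's IKE logs); either set the remote-id to the address the peer presents, or have the peer present its FQDN.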