[Swan] PSK length in FIPS mode

John Serink jserink2004 at yahoo.com
Tue Jun 23 09:15:01 UTC 2020

Hi all:
I am using libreswan to connect to a Cisco 4431 IOS based router.I am getting this error when using a 12 byte PSK:Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes required)

Here is the entry in the ipsec.secrets file:A.B.C.D : PSK "abcdefrghast"

The PSK is 12 bytes.
What am I missing here?
I need to keep the PSK at 12 bytes as some industrial based routers we use in the field has a max of 12 bytes.
Is there any work around for this on libreswan?
Cisco details:CCrouter#sh crypto isakmp policy
Global IKE policyProtection suite of priority 100 encryption algorithm: AES - Advanced Encryption Standard (256 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #14 (2048 bit) lifetime: 86400 seconds, no volume limit
Transform set mainset: { esp-256-aes esp-sha-hmac  }    will negotiate = { Tunnel,  }, 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200623/e60be34f/attachment.html>

More information about the Swan mailing list