[Swan] PSK length in FIPS mode
paul at nohats.ca
Tue Jun 23 23:13:42 UTC 2020
On Tue, 23 Jun 2020, John Serink wrote:
> I am using libreswan to connect to a Cisco 4431 IOS based router.
> I am getting this error when using a 12 byte PSK:
> Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes
> Here is the entry in the ipsec.secrets file:
> A.B.C.D : PSK "abcdefrghast"
> The PSK is 12 bytes.
I tried to reproduce this.
002 "westnet-eastnet-ipv4-psk-ikev2" #1: WARNING: connection westnet-eastnet-ipv4-psk-ikev2 PSK length of 12 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
What version of libreswan is this?
> I need to keep the PSK at 12 bytes as some industrial based routers we use in the field have a max of 12 bytes.
That is dangerously small, especially if you are using 12 ASCII
characters and not true random hex.
> Is there any workaround for this on libreswan?
It is only a warning when not running in FIPS mode. If you are running
in FIPS mode, then it might be a bug we have fixed on our end in the
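
Added example, not part of the original message and not libreswan's own code: a small Python check that reports the byte length of each PSK entry in an ipsec.secrets-style file against the FIPS-mode minimums quoted in the two warnings above (10 bytes for the sha PRF, 32 bytes for HMAC_SHA2_512). The sample file contents, the `0x` hex entry and the function names are constructed for illustration.

```python
import re

# Minimum PSK sizes in bytes, copied from the two warnings quoted in the thread.
FIPS_MIN_PSK_BYTES = {"sha": 10, "HMAC_SHA2_512": 32}

# Entry shape as shown in the thread:  <ids> : PSK "secret"
# Assumption: unquoted 0x-prefixed hex secrets are also accepted.
PSK_LINE = re.compile(
    r'^(?P<ids>.*?)\s*:\s+PSK\s+(?P<val>"[^"]*"|0x(?:[0-9a-fA-F]{2})+)')

# Constructed sample input; the hex value is a placeholder, not a usable key.
SAMPLE_SECRETS = """# constructed sample, not a real secrets file
A.B.C.D : PSK "abcdefrghast"
192.0.2.10 192.0.2.20 : PSK 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""


def psk_length(token):
    """Return the secret's length in bytes for a quoted or 0x-hex token."""
    if token.startswith('"'):
        return len(token[1:-1].encode("utf-8"))
    return len(bytes.fromhex(token[2:]))


def check_secrets(text, prf):
    """Return (line, ids, psk_bytes, long_enough) per PSK entry.

    The secret itself is never returned, so the result is safe to log.
    """
    minimum = FIPS_MIN_PSK_BYTES[prf]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = PSK_LINE.match(line)
        if match:
            size = psk_length(match.group("val"))
            findings.append((lineno, match.group("ids"), size, size >= minimum))
    return findings


if __name__ == "__main__":
    for prf in FIPS_MIN_PSK_BYTES:
        for lineno, ids, size, ok in check_secrets(SAMPLE_SECRETS, prf):
            verdict = "ok" if ok else "too short"
            print(f"{prf}: line {lineno} ({ids}): {size} bytes, {verdict}")
```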