[Swan] PSK length in FIPS mode

John Serink jserink2004 at yahoo.com
Fri Jun 26 00:22:34 UTC 2020

Hi Paul:
Thanx for the response.Once I sorted out my security policies on the Cisco I all worked even with the warning.
Yes, 12 chars is quite small, I'l have to look at that.


Sent from Yahoo Mail on Android 
  On Wed, 24 Jun 2020 at 7:13 AM, Paul Wouters<paul at nohats.ca> wrote:   On Tue, 23 Jun 2020, John Serink wrote:

> I am using libreswan to connect to a Cisco 4431 IOS based router.
> I am getting this error when using a 12 byte PSK:
> Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes
> required)
> Here is the entry in the ipsec.secrets file:
> A.B.C.D : PSK "abcdefrghast"
> The PSK is 12 bytes.

I tried to reproduce this.

002 "westnet-eastnet-ipv4-psk-ikev2" #1: WARNING: connection westnet-eastnet-ipv4-psk-ikev2 PSK length of 12 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)

What version of libreswan is this?

> I need to keep the PSK at 12 bytes as some industrial based routers we use in the field has a max of 12 bytes.

That is dangerously small, especially if you are using 12 ascii
characters and not true random hex.

> Is there any work around for this on libreswan?

It is only a warning when not running in FIPS mode. If you are running
in FIPS mode, then it might be a bug we have fixed on our end in the

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200626/2b2cd98a/attachment.html>

More information about the Swan mailing list