[Swan] Road Warrior config

Paul Wouters paul at nohats.ca
Wed Sep 1 08:49:05 UTC 2021


On Wed, 1 Sep 2021, phil.nightowl at gmail.com wrote:

>> Don't use compress=yes
>
> ... why (just being curious)? Is the compression not good enough to achieve
> a real gain (even on low bandwidth lines)? Security issues? Misbehaved
> implementation? Something else? And is it a bad idea only on the server
> side, or did you just omit your comment in the client config?

There is always a security risk in using compression with encryption, as
it can lead to oracle attacks. It also complicates the IPsec state, by
adding a compress state on top of it, and then it compresses but if
compress doesn't produce a shorter result, uses the uncompressed version.
So for example "ipsec trafficstatus" would have two entries, one for
compressed and one for without.

Hardly anyone uses compression ever.

Also, we have a leak in that we don't delete the kernel compress state,
but that is fixable :P

Paul
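
The length effect behind the oracle concern in the reply above, as an added example that is not part of the original message and is not libreswan code: a simplified model of IPComp (raw DEFLATE, 4-byte header, fallback to the uncompressed payload when nothing is saved) showing that two equal-length plaintexts differ in size on the wire only when compression is on. The function names and sample payloads are constructed for illustration; ESP padding and header overhead are ignored.

```python
import hashlib
import zlib

IPCOMP_HEADER_LEN = 4  # size of the IPComp header placed before compressed data


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE stream (no zlib wrapper)."""
    comp = zlib.compressobj(level=6, wbits=-15)
    return comp.compress(data) + comp.flush()


def wire_payload_len(payload: bytes, compress: bool) -> int:
    """Bytes handed to ESP for one packet in this simplified model."""
    if not compress:
        return len(payload)
    compressed_len = IPCOMP_HEADER_LEN + len(deflate_raw(payload))
    # Fallback from the reply above: if compression does not produce a
    # shorter result, the uncompressed version is sent instead.
    return compressed_len if compressed_len < len(payload) else len(payload)


# Constructed sample data: a secret and a field that a third party can
# influence, carried in the same packet.
SECRET = b"session=7f3a9c2e5b1d8046"
PREFIX = b"Cookie: " + SECRET + b"\r\nX-Echo: "
REPEATS_SECRET = PREFIX + SECRET
SAME_LEN_OTHER = PREFIX + b"session=0123456789abcdef"

# Constructed incompressible payload (hash output behaves like random bytes).
INCOMPRESSIBLE = hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()


def report() -> dict:
    """Wire lengths for each sample payload with compression on and off."""
    samples = {
        "repeats_secret": REPEATS_SECRET,
        "same_len_other": SAME_LEN_OTHER,
        "incompressible": INCOMPRESSIBLE,
    }
    return {
        name: {"plain": len(p),
               "compress=yes": wire_payload_len(p, True),
               "compress=no": wire_payload_len(p, False)}
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

With compression off, both equal-length payloads produce the same length, so an observer of packet sizes learns nothing about whether the influenced field repeats the secret.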

