[Swan] Road Warrior config

brendan kearney bpk678 at gmail.com
Wed Sep 1 11:42:35 UTC 2021


I commented out the compress directive on both server and client, and
restarted services.  The same behavior persists.

On Wed, Sep 1, 2021, 4:49 AM Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 1 Sep 2021, phil.nightowl at gmail.com wrote:
>
> >> Don't use compress=yes
> >
> > ... why (just being curious)? Is the compression not good enough to achieve
> > a real gain (even on low bandwidth lines)? Security issues? Misbehaved
> > implementation? Something else? And is it a bad idea only on the server
> > side, or did you just omit your comment in the client config?
>
> There is always a security risk on using compressing with encryption, as
> it can lead to oracle attacks. It also complicates the IPsec state, by
> adding a compress state on top of it, and then it compresses but if
> compress doesn't produce shorter result, uses the uncompressed version.
> So for example "ipsec trafficstatus" would have two entries, one for
> compressed and one for without.
>
> Hardly anyone uses compression ever.
>
> Also, we have a leak in that we don't delete the kernel compress state,
> but that is fixable :P
>
> Paul
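A check for the "Don't use compress=yes" advice quoted above, as an added example that is not code from the thread or from libreswan: it lists the conns in an ipsec.conf whose effective setting is compress=yes, following also= and conn %default. The sample config, the function names and the precedence order (own setting, then also=, then %default, then a built-in default of "no") are assumptions.

```python
import re
# Constructed sample ipsec.conf, not taken from the thread.
SAMPLE_CONF = """\
conn %default
    ikev2=yes

conn rw-base
    compress=yes    # picked up by every conn that says also=rw-base

conn roadwarrior
    also=rw-base

conn site-to-site
    compress=no
"""

def parse_conns(text):
    conns, current = {}, None                  # {conn_name: [(key, value), ...]}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # naive comment stripping
        header = re.match(r"(conn|config)\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(2), []) if header.group(1) == "conn" else None
        elif current is not None and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return conns

def effective_compress(conns, name, seen=()):
    """Assumed precedence: the conn's own compress=, then its also= targets."""
    if name in seen or name not in conns:      # unknown target or also= loop
        return None
    own = [v for k, v in conns[name] if k == "compress"]
    if own:
        return own[-1]
    for key, target in conns[name]:
        if key == "also":
            inherited = effective_compress(conns, target, seen + (name,))
            if inherited is not None:
                return inherited
    return None

def conns_with_compression(text):
    """Names of conns whose effective setting is compress=yes."""
    conns = parse_conns(text)
    default = effective_compress(conns, "%default") or "no"  # "no" assumed built-in
    return [name for name in conns if name != "%default"
            and (effective_compress(conns, name) or default).lower() == "yes"]
```

Calling `conns_with_compression(open("/etc/ipsec.conf").read())` on each endpoint shows which connections still propose IPComp; files pulled in with `include` are not followed by this sketch.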