[Swan] Road Warrior config
bpk678 at gmail.com
Wed Sep 1 11:42:35 UTC 2021
I commented out the compress directive on both server and client, and
restarted services. The same behavior persists.
On Wed, Sep 1, 2021, 4:49 AM Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 1 Sep 2021, phil.nightowl at gmail.com wrote:
> >> Don't use compress=yes
> > ... why (just being curious)? Is the compression not good enough to
> > a real gain (even on low bandwidth lines)? Security issues? Misbehaved
> > implementation? Something else? And is it a bad idea only on the server
> > side, or did you just omit your comment in the client config?
> There is always a security risk in using compression with encryption, as
> it can lead to oracle attacks. It also complicates the IPsec state, by
> adding a compress state on top of it, and then it compresses but if
> compress doesn't produce shorter result, uses the uncompressed version.
> So for example "ipsec trafficstatus" would have two entries, one for
> compressed and one for without.
> Hardly anyone uses compression ever.
> Also, we have a leak in that we don't delete the kernel compress state,
> but that is fixable :P
> Swan mailing list
> Swan at lists.libreswan.org
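To check a configuration for the `compress=yes` setting discussed in this thread, the following added example (not code from the thread or from the libreswan project) lists every conn whose effective value is `yes`. It assumes the precedence own setting, then `also=` sections, then `conn %default`, then the built-in default `no`, and it matches only the `yes` spelling used above; the sample file is constructed.

```python
import re

# Constructed sample ipsec.conf (not from the thread).
SAMPLE_CONF = """\
conn %default
    compress=yes    # inherited by conns that do not override it
conn roadwarrior
    left=%defaultroute
conn office
    also=nocomp
conn nocomp
    compress=no
conn legacy
    compress=yes
"""

def parse_conns(text):
    """Return {conn_name: {key: [values...]}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return conns

def lookup(name, conns, seen):
    """Own compress= first, then also= sections (assumed precedence)."""
    conn = conns.get(name, {})
    if "compress" in conn:
        return conn["compress"][-1]
    for ref in conn.get("also", []):
        if ref not in seen:                    # guard against also= loops
            found = lookup(ref, conns, seen | {ref})
            if found is not None:
                return found
    return None

def conns_with_compression(text):
    """Names of conns whose effective compress value is 'yes'."""
    conns = parse_conns(text)
    default = conns.get("%default", {}).get("compress", ["no"])[-1]
    return sorted(n for n in conns if n != "%default"
                  and (lookup(n, conns, {n}) or default).lower() == "yes")
```

Call `conns_with_compression(open(path).read())` on each configuration file; `include` lines are not followed, so included files need their own pass.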