[Swan] Road Warrior config

brendan kearney bpk678 at gmail.com
Wed Sep 1 19:01:30 UTC 2021

It seems this thread was marked as spam and caught in filters.  I have some
reading to do as 5 emails are "new to me". Will catch up and reply back.
Thanks for the replies and help.


On Wed, Sep 1, 2021, 7:42 AM brendan kearney <bpk678 at gmail.com> wrote:

> I commented out the compress directive on both server and client, and
> restarted services.  The same behavior persists.
> On Wed, Sep 1, 2021, 4:49 AM Paul Wouters <paul at nohats.ca> wrote:
>> On Wed, 1 Sep 2021, phil.nightowl at gmail.com wrote:
>> >> Don't use compress=yes
>> >
>> > ... why (just being curious)? Is the compression not good enough to achieve
>> > a real gain (even on low bandwidth lines)? Security issues? Misbehaved
>> > implementation? Something else? And is it a bad idea only on the server
>> > side, or did you just omit your comment in the client config?
>> There is always a security risk in using compression with encryption, as
>> it can lead to oracle attacks. It also complicates the IPsec state, by
>> adding a compress state on top of it, and then it compresses but if
>> compress doesn't produce a shorter result, uses the uncompressed version.
>> So for example "ipsec trafficstatus" would have two entries, one for
>> compressed and one for without.
>> Hardly anyone uses compression ever.
>> Also, we have a leak in that we don't delete the kernel compress state,
>> but that is fixable :P
>> Paul
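The compress-or-send-uncompressed behaviour and the length side channel described in the quoted reply, as an added example that is not part of the thread and is not libreswan code. It assumes DEFLATE as the IPComp algorithm, the 4-byte IPComp header and non-expansion rule of RFC 3173, constructed packet contents, and ESP overhead that does not depend on the content.

```python
import hashlib
import zlib

IPCOMP_HEADER_LEN = 4  # RFC 3173 header: next header, flags, 16-bit CPI
SECRET = b"session=7f3a9c1e5b2d4860"  # constructed value, 24 bytes


def ipcomp_payload(data):
    """Return (compressed, payload) under the RFC 3173 non-expansion rule."""
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, no zlib wrapper
    body = comp.compress(data) + comp.flush()
    if IPCOMP_HEADER_LEN + len(body) < len(data):
        # Placeholder header bytes; only the length matters for this demo.
        return True, b"\x00" * IPCOMP_HEADER_LEN + body
    return False, data  # no gain: the packet goes out uncompressed


def protected_len(data, compress):
    """Bytes handed to ESP. Encryption hides the content, not this length."""
    return len(ipcomp_payload(data)[1]) if compress else len(data)


def sample_packet(echoed):
    """Constructed plaintext: a 24-byte field next to a secret cookie."""
    return (b"GET /?q=" + echoed + b" HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Cookie: " + SECRET + b"\r\n\r\n")


def incompressible(n):
    """Deterministic high-entropy bytes (stand-in for already-encrypted data)."""
    out = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))
    return out[:n]


if __name__ == "__main__":
    repeats = sample_packet(SECRET)                       # field equals the secret
    differs = sample_packet(b"qwertyuiopasdfghjklzxcvb")  # same length, no overlap
    for name, pkt in (("repeats secret", repeats), ("differs", differs)):
        print(f"{name:15} plain={len(pkt)} compress=yes -> {protected_len(pkt, True)}"
              f" compress=no -> {protected_len(pkt, False)}")
    for name, pkt in (("random 200B", incompressible(200)), ("'A' * 200", b"A" * 200)):
        print(f"{name:15} sent compressed: {ipcomp_payload(pkt)[0]}")
```

With compression off, both sample packets have the same protected length; with it on, the length differs depending on whether the content repeats the secret, and the same connection carries a mix of compressed and uncompressed packets.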