[Swan] Road Warrior config

brendan kearney bpk678 at gmail.com
Wed Sep 1 19:01:30 UTC 2021


It seems this thread was marked as spam and caught in filters.  I have some
reading to do as 5 emails are "new to me". Will catch up and reply back.
Thanks for the replies and help.

Brendan

On Wed, Sep 1, 2021, 7:42 AM brendan kearney <bpk678 at gmail.com> wrote:

> I commented out the compress directive on both server and client, and
> restarted services.  The same behavior persists.
>
> On Wed, Sep 1, 2021, 4:49 AM Paul Wouters <paul at nohats.ca> wrote:
>
>> On Wed, 1 Sep 2021, phil.nightowl at gmail.com wrote:
>>
>> >> Don't use compress=yes
>> >
>> > ... why (just being curious)? Is the compression not good enough to
>> > achieve a real gain (even on low bandwidth lines)? Security issues?
>> > Misbehaved implementation? Something else? And is it a bad idea only
>> > on the server side, or did you just omit your comment in the client
>> > config?
>>
>> There is always a security risk in using compression with encryption, as
>> it can lead to oracle attacks. It also complicates the IPsec state, by
>> adding a compress state on top of it, and then it compresses but if
>> compress doesn't produce a shorter result, uses the uncompressed version.
>> So for example "ipsec trafficstatus" would have two entries, one for
>> compressed and one for without.
>>
>> Hardly anyone uses compression ever.
>>
>> Also, we have a leak in that we don't delete the kernel compress state,
>> but that is fixable :P
>>
>> Paul
>
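
An added example, not part of the original thread and not libreswan code: a small audit that lists which conns in an ipsec.conf end up with compression enabled, including through `also=` includes or `conn %default`. The sample config is constructed, and the lookup order (own value, then `also=`, then `%default`) is a simplifying assumption about how the settings are inherited.

```python
import re

# Constructed sample ipsec.conf; conn names are placeholders.
SAMPLE_CONF = """\
conn %default
    ikev2=insist

conn base-rw
    compress=yes   # picked up by every conn that includes base-rw

conn roadwarrior
    also=base-rw

conn site-a
    compress=no
"""

def parse_conns(text):
    """Return {conn_name: [(key, value), ...]}; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        header = re.match(r"(conn|config)\s+(\S+)", line)
        if header:  # 'config setup' holds no per-conn options, so skip it
            current = conns.setdefault(header.group(2), []) if header.group(1) == "conn" else None
        elif current is not None and line[:1] in (" ", "\t") and "=" in line:
            key, value = line.strip().split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return conns

def lookup(conns, name, key, seen):
    """Assumed precedence: own value, then also= includes in order (cycle-safe)."""
    if name in seen or name not in conns:
        return None
    seen.add(name)
    for k, v in conns[name]:
        if k == key:
            return v
    for k, v in conns[name]:
        if k == "also" and (found := lookup(conns, v, key, seen)) is not None:
            return found
    return None

def conns_with_compression(text):
    """Conns whose effective compress value is not an explicit negative."""
    conns = parse_conns(text)
    default = lookup(conns, "%default", "compress", set()) or "no"
    values = {n: lookup(conns, n, "compress", set()) or default for n in conns if n != "%default"}
    return [n for n, v in values.items() if v.lower() not in ("no", "false", "off", "0")]
```

Run it against both the server and the client configuration, since the setting was present on both sides in this thread.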