On Tue, 23 Jun 2020, John Serink wrote:
I am using libreswan to connect to a Cisco 4431 IOS based router.
I am getting this error when using a 12 byte PSK:
Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8
bytes is too short for sha PRF in FIPS mode (10 bytes
required)
Here is the entry in the ipsec.secrets file:
A.B.C.D : PSK "abcdefrghast"
The PSK is 12 bytes.
I tried to reproduce this.
002 "westnet-eastnet-ipv4-psk-ikev2" #1: WARNING: connection
westnet-eastnet-ipv4-psk-ikev2 PSK length of 12 bytes is too short for HMAC_SHA2_512 PRF
in FIPS mode (32 bytes required)
What version of libreswan is this?
I need to keep the PSK at 12 bytes as some industrial based routers we use in
the field has a max of 12 bytes.
That is dangerously small, especially if you are using 12 ascii
characters and not true random hex.
Is there any work around for this on libreswan?
It is only a warning when not running in FIPS mode. If you are running
in FIPS mode, then it might be a bug we have fixed on our end in the
past.
Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
