I commented out the compress directive on both server and client, and restarted services. The same behavior persists.
On Wed, Sep 1, 2021, 4:49 AM Paul Wouters <[email protected]> wrote:

> On Wed, 1 Sep 2021, [email protected] wrote:
>
> >> Don't use compress=yes
> >
> > ... why (just being curious)? Is the compression not good enough to achieve
> > a real gain (even on low bandwidth lines)? Security issues? Misbehaved
> > implementation? Something else? And is it a bad idea only on the server
> > side, or did you just omit your comment in the client config?
>
> There is always a security risk on using compressing with encryption, as
> it can lead to oracle attacks. It also complicates the IPsec state, by
> adding a compress state on top of it, and then it compresses but if
> compress doesn't produce shorter result, uses the uncompressed version.
> So for example "ipsec trafficstatus" would have two entries, one for
> compressed and one for without.
>
> Hardly anyone uses compression ever.
>
> Also, we have a leak in that we don't delete the kernel compress state,
> but that is fixable :P
>
> Paul
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
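Added example, not part of the thread and not libreswan or kernel code: a simplified model of the IPComp fallback described in the quoted reply (compress, and send the original if the result is not shorter), which also shows that two payloads of equal length leave the compressor with different sizes, the length signal behind the oracle concern. The payloads are constructed, the function names are hypothetical, and raw DEFLATE (RFC 2394) with the 4-byte IPComp header of RFC 3173 is assumed.

```python
import hashlib
import zlib

IPCOMP_HEADER_LEN = 4  # RFC 3173 header: next header, flags, CPI


def deflate_raw(payload: bytes) -> bytes:
    """Compress with raw DEFLATE (no zlib wrapper or checksum)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(payload) + comp.flush()


def ipcomp_encapsulate(payload: bytes):
    """Return (compressed, length handed to ESP) under the non-expansion rule.

    The compressed form is used only if it is shorter even after the IPComp
    header is added; otherwise the original payload is sent without IPComp.
    """
    candidate_len = len(deflate_raw(payload)) + IPCOMP_HEADER_LEN
    if candidate_len < len(payload):
        return True, candidate_len
    return False, len(payload)


def high_entropy(n: int) -> bytes:
    """Deterministic incompressible bytes (constructed sample data)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed payloads of identical length but different redundancy.
REDUNDANT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 20
OPAQUE = high_entropy(len(REDUNDANT))


def compare():
    """Map each payload to its (compressed, on-wire payload length) result."""
    return {
        "redundant": ipcomp_encapsulate(REDUNDANT),
        "opaque": ipcomp_encapsulate(OPAQUE),
    }


if __name__ == "__main__":
    for name, (compressed, length) in compare().items():
        print(f"{name}: input={len(REDUNDANT)} compressed={compressed} out={length}")
```

The two outcomes correspond to the two paths mentioned in the reply: one packet goes through the compress state, the other bypasses it, and an observer sees different ciphertext sizes for equal-size plaintexts.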
