[strongSwan] Cannot ping machines on remote local network - solved
Tobias Brunner
tobias at strongswan.org
Fri Sep 8 13:07:25 CEST 2017
Hi Ric,
> I managed to find the bug, wrong truncation still exists in latest
> 4.4 kernel:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/net/xfrm/xfrm_algo.c?h=v4.4.87
That's only because you are using the kernel-pfkey plugin on Linux,
which you should not. It does not provide an interface to change the
truncation for SHA-256 from userland so the default is used (all kernels
use 96 bit due to legacy reasons). The kernel-netlink plugin will set
the correct truncation length when installing the SA, so just disable
the kernel-pfkey plugin and you won't need to patch the kernel.
Regards,
Tobias
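
The following is an added example, not part of the original message or of strongSwan or kernel code: it shows why a truncation mismatch on HMAC-SHA-256 drops every packet even though both peers hold the same key. It uses a simplified ESP-like layout (SPI, sequence number, payload, ICV; no encryption or padding) and assumes the remote peer uses the 128-bit truncation of RFC 4868; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def icv(key: bytes, data: bytes, bits: int) -> bytes:
    """HMAC-SHA-256 truncated to the leftmost `bits` bits."""
    return hmac.new(key, data, hashlib.sha256).digest()[: bits // 8]


def protect(key: bytes, spi: int, seq: int, payload: bytes, bits: int) -> bytes:
    """Sender: build header || payload || ICV with the sender's truncation."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return body + icv(key, body, bits)


def verify(key: bytes, packet: bytes, bits: int):
    """Receiver: split off an ICV of the locally configured length and check it.

    Returns the payload, or None when the integrity check fails.
    """
    n = bits // 8
    if len(packet) < 8 + n:
        return None
    body, tag = packet[:-n], packet[-n:]
    if not hmac.compare_digest(tag, icv(key, body, bits)):
        return None
    return body[8:]


def demo() -> dict:
    key = bytes(range(32))                  # constructed shared integrity key
    payload = b"constructed echo request"   # constructed sample payload
    pkt128 = protect(key, 0xC0FFEE01, 1, payload, 128)
    pkt96 = protect(key, 0xC0FFEE01, 1, payload, 96)
    return {
        "128->128": verify(key, pkt128, 128),  # both sides agree
        "96->96": verify(key, pkt96, 96),      # both sides agree
        "128->96": verify(key, pkt128, 96),    # receiver left at 96-bit default
        "96->128": verify(key, pkt96, 128),    # sender left at 96-bit default
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "accepted" if result is not None else "dropped (ICV mismatch)")
```

With mismatched lengths the receiver cuts the packet at the wrong offset, so the bytes it authenticates differ from what the sender authenticated and the check fails in both directions.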