[strongSwan] Cannot ping machines on remote local network - solved

Tobias Brunner tobias at strongswan.org
Fri Sep 8 13:07:25 CEST 2017

Hi Ric,

> I managed to find the bug, wrong truncation still exists in latest 
> 4.4 kernel:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/
> net/xfrm/xfrm_algo.c?h=v4.4.87

That's only because you are using the kernel-pfkey plugin on Linux,
which you should not.  It does not provide an interface to change the
truncation for SHA-256 from userland so the default is used (all kernels
use 96 bit due to legacy reasons).  The kernel-netlink plugin will set
the correct truncation length when installing the SA, so just disable
the kernel-pfkey plugin and you won't need to patch the kernel.


More information about the Users mailing list