[strongSwan] Cannot ping machines on remote local network - solved

Ric S burj-al-arab at gmx.de
Fri Sep 8 13:16:10 CEST 2017

On Freitag, 8. September 2017 13:07:25 CEST Tobias Brunner wrote:
> Hi Ric,
> > I managed to find the bug, wrong truncation still exists in latest
> > 4.4 kernel:
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tr
> > ee/ net/xfrm/xfrm_algo.c?h=v4.4.87
> That's only because you are using the kernel-pfkey plugin on Linux,
> which you should not.  It does not provide an interface to change the
> truncation for SHA-256 from userland so the default is used (all kernels
> use 96 bit due to legacy reasons).  The kernel-netlink plugin will set
> the correct truncation length when installing the SA, so just disable
> the kernel-pfkey plugin and you won't need to patch the kernel.
> Regards,
> Tobias

Hi Tobias,

thanks for the info. Maybe this should be noted somewhere, cause I did not 
find any hint regarding this. Could be a good place to add this:


Cheers Ric

More information about the Users mailing list