[strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:15:31 CET 2018


TFC padding is only used if you set "tfc=$value" in ipsec.conf.
By default it is disabled. TFC increases the packet size of ESP packets to be at least $value. It significantly degrades performance,
because of the humongous overhead.
ESP_TFC_PADDING_NOT_SUPPORTED means that the other peer does not support TFC. The other peer sending it does NOT have anything to do with any setting on your side.

Kind regards

Noel

On 10.01.2018 17:40, rajeev nohria wrote:
> Let me ask the question again..
> 
> On local I did not configure TFC and by default it should be disabled. From remote I am receiving the following message:
> 
> 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 
> What exactly does "not using ESPv3 TFC padding" mean? Does it mean local is also not using TFC padding?
> 
> Why would local send a msg with TFC when TFC is disabled by default? I have tried tfc_padding = 0 in configuration and get the same message. Just trying to understand..
> 
> 
> 
> 
> 
> On Wed, Jan 10, 2018 at 10:51 AM, rajeev nohria <rajnohria at gmail.com> wrote:
> 
>     I am trying to understand if ESP_TFC_PADDING_NOT_SUPPORTED means Local is using the TFC.
> 
>     I am getting the ESP_TFC_PADDING_NOT_SUPPORTED msg from remote. Does that mean local is using the TFC?
>     On local I have to configured tfc_padding and by default it is disabled. If by default it is disabled, why is the local side sending packets with TFC?
> 
> 
> 
> 
> 
>     12[CFG] certificate status is not available
> 
>     12[CFG]   reached self-signed root ca with a path length of 1
> 
>     12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
> 
>     12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
> 
>     12[IKE] scheduling rekeying in 13218s
> 
>     12[IKE] maximum IKE_SA lifetime 14658s
> 
>     12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 
>     [  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null)) (authenc(hmac(sha256-generic),ecb-cipher_null))
> 
>     12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs c2b4f3ce_i 2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] === fc00:cada:c406::200/128[tcp/8190]
> 
> 
> 
>     Thanks,
> 
>     Rajeev
> 
> 
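
The two points in the reply above (TFC is only used when tfc= is set locally, and the notify only says the peer does not support it) can be checked together against a configuration and a charon log. The following Python is an added example, not part of the original thread or of strongSwan. It assumes CHILD_SA names in the log match conn names in ipsec.conf, that the notify and the CHILD_SA line it belongs to carry the same thread number, and that tfc=0 means disabled; the conn names and log lines are constructed.

```python
import re

# Constructed sample input (not from the thread), in the formats it quotes.
SAMPLE_CONF = """\
conn site-a
    tfc=1200
conn site-b  # no tfc= line, so TFC stays disabled
conn site-c
    tfc=1200
"""
SAMPLE_LOG = """\
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] CHILD_SA site-a{1} established with SPIs c0000001_i c0000002_o
12[IKE] CHILD_SA site-b{2} established with SPIs c0000003_i c0000004_o
07[IKE] CHILD_SA site-c{3} established with SPIs c0000005_i c0000006_o
""".splitlines()
TFC = re.compile(r"\s+tfc\s*=\s*(\S+)")
NOTIFY = re.compile(r"(\d+)\[IKE\] received ESP_TFC_PADDING_NOT_SUPPORTED")
CHILD = re.compile(r"(\d+)\[IKE\] CHILD_SA (\S+)\{\d+\} established")

def local_tfc(conf_text):
    """Map conn name -> local tfc value; None means unset (disabled by default)."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # unindented line starts a section
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current:
                conns[current] = None
        elif current and (m := TFC.match(line)):
            conns[current] = m.group(1)
    return conns

def peer_refused(log_lines):
    """Map CHILD_SA name -> True if the notify preceded it on the same thread."""
    pending, refused = set(), {}
    for line in log_lines:
        if m := NOTIFY.search(line):
            pending.add(m.group(1))
        elif m := CHILD.search(line):
            refused[m.group(2)] = m.group(1) in pending
            pending.discard(m.group(1))  # the notify covers one CHILD_SA only
    return refused

def tfc_in_use(conf_text, log_lines):
    """TFC is in use only if set locally (assumed: not 0) and not refused by the peer."""
    cfg, refused = local_tfc(conf_text), peer_refused(log_lines)
    return {n: cfg.get(n) not in (None, "0") and not r for n, r in refused.items()}
```

For the sample, site-a has tfc= set but the peer refused it, site-b never asked for it, and only site-c ends up padded.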
