Bug #904
swanctl list-sas/list-conns
Description
Hello team,
The output of swanctl shows ESN usage like this:
home-active: #16, ESTABLISHED, IKEv2, a3ab9c837370b991:2b11d4dd8e3384bb
local 'thermi.strangled.net' 2a03:4000:6:3064::1
2a02:8071:9186:7d00:5054:ff:fe2f:7fa
remote 'thermi-home-gw-1'
AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_4096
established 100395s ago
home-active: #26, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096/1
installed 952 ago, rekeying in 736s, expires in 1029s
in c1e45941/77ac, 0 bytes, 0 packets
out c09d5fd5/50af, 0 bytes, 0 packets
local 0.0.0.0/0
remote 192.168.178.161/32
Shouldn't the "1" after MODP_4096 be replaced by some human readable stuff like (ESN $ESNLENGTH)
or the ESN length itself?
Kind regards,
Noel Kuntze
Associated revisions
History
#1 Updated by Martin Willi almost 6 years ago
- Tracker changed from Issue to Bug
- Category set to swanctl
- Status changed from New to Closed
- Assignee set to Martin Willi
- Target version set to 5.3.0
- Resolution set to Fixed
Noel,
Thanks for your bug report, fixed with the referenced commit.
> Shouldn't the "1" after MODP_4096 be replaced by some human readable stuff like (ESN $ESNLENGTH) or the ESN length itself?
There is no ESN length: Either the SA uses ESN (64-bit sequence numbers), or it doesn't (and uses 32-bit sequence numbers). So with the pushed patch we now just append "/ESN" to that proposal string, or we don't.
Kind regards
Martin
swanctl: Append /ESN to proposal for a CHILD_SA using Extended Sequence Numbers
We previously printed just the value for the "esn" keyword, which is "1", and
not helpful as such.
Fixes #904.
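For scripts that read swanctl --list-sas output on both sides of this fix, the following parser accepts the old trailing "/1" and the new "/ESN" on a CHILD_SA line and reports the sequence number width. It is an added example, not strongSwan code; the field names in the returned dict, the "branch" and "legacy" sample lines, and the assumption that no algorithm name is exactly "1" or "ESN" are not from the original page.

```python
import re

# CHILD_SA summary line: "<name>: #<id>, <state>, <mode>, <ESP|AH>:<proposal>"
CHILD_RE = re.compile(
    r"^\s*(?P<name>[^:\s]+): #(?P<id>\d+),.*\b(?P<proto>ESP|AH):(?P<proposal>\S+)\s*$"
)

def parse_child_sa(line):
    """Parse one CHILD_SA line; return None for IKE_SA or detail lines."""
    m = CHILD_RE.match(line)
    if m is None:
        return None
    parts = m.group("proposal").split("/")
    # Before the fix the raw "esn" value ("1") was printed; afterwards "ESN".
    # Assumption: no algorithm name is ever exactly "1" or "ESN".
    esn = parts[-1] in ("1", "ESN")
    if esn:
        parts.pop()
    return {
        "name": m.group("name"),
        "id": int(m.group("id")),
        "protocol": m.group("proto"),
        "algorithms": parts,
        "esn": esn,
        "seq_bits": 64 if esn else 32,  # ESN on: 64-bit, off: 32-bit
    }

def children_without_esn(output):
    """Names of CHILD_SAs in the output that use 32-bit sequence numbers."""
    parsed = (parse_child_sa(line) for line in output.splitlines())
    return [sa["name"] for sa in parsed if sa and not sa["esn"]]

# "home-active" lines come from the report above; "branch" and "legacy"
# are constructed samples (fixed output format, and an SA without ESN).
SAMPLE = """\
home-active: #16, ESTABLISHED, IKEv2, a3ab9c837370b991:2b11d4dd8e3384bb
home-active: #26, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096/1
  installed 952 ago, rekeying in 736s, expires in 1029s
branch: #27, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096/ESN
legacy: #28, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        sa = parse_child_sa(line)
        if sa:
            print(sa["name"], sa["protocol"], "/".join(sa["algorithms"]),
                  f"{sa['seq_bits']}-bit sequence numbers")
    print("no ESN:", children_without_esn(SAMPLE))
```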