The output of swanctl shows ESN usage like this:
home-active: #16, ESTABLISHED, IKEv2, a3ab9c837370b991:2b11d4dd8e3384bb
  established 100395s ago
  home-active: #26, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096/1
    installed 952 ago, rekeying in 736s, expires in 1029s
    in c1e45941/77ac, 0 bytes, 0 packets
    out c09d5fd5/50af, 0 bytes, 0 packets
Shouldn't the "1" after MODP_4096 be replaced by some human-readable stuff like (ESN $ESNLENGTH) or the ESN length itself?
#1 Updated by Martin Willi over 5 years ago
- Tracker changed from Issue to Bug
- Category set to swanctl
- Status changed from New to Closed
- Assignee set to Martin Willi
- Target version set to 5.3.0
- Resolution set to Fixed
Thanks for your bug report, fixed with the referenced commit.
> Shouldn't the "1" after MODP_4096 be replaced by some human readable stuff like (ESN $ESNLENGTH) or the ESN length itself?
There is no ESN length: Either the SA uses ESN (64-bit sequence numbers), or it doesn't (and uses 32-bit sequence numbers). So with the pushed patch we now just append "/ESN" to that proposal string, or we don't.
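For anyone auditing which CHILD_SAs negotiated ESN from this output, the following is an added example, not strongSwan code and not part of the original thread. It reads the trailing proposal token in both renderings discussed here; the function name, the regular expression and the sample lines are constructed for illustration, and treating a trailing "1" as the ESN flag is an assumption taken from the output quoted in this report.

```python
import re

# Constructed sample modelled on the output quoted in this report:
# one IKE_SA line (ignored), then CHILD_SAs in the old "/1" rendering,
# the "/ESN" rendering described in the reply, and one without ESN.
SAMPLE = """\
home-active: #16, ESTABLISHED, IKEv2, a3ab9c837370b991:2b11d4dd8e3384bb
  home-active: #26, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096/1
  home-new: #27, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096/ESN
  home-noesn: #28, INSTALLED, TUNNEL, ESP:AES_CBC-256/AES_XCBC_96/MODP_4096
"""

# Matches only CHILD_SA lines: the fourth field must be "<ESP|AH>:<proposal>".
CHILD_RE = re.compile(
    r"^\s*(?P<name>[^:\s]+): #(?P<id>\d+), (?P<state>\w+), (?P<mode>[\w-]+), "
    r"(?P<proto>ESP|AH):(?P<proposal>\S+)\s*$"
)

def esn_status(output):
    """Map 'name#id' -> (sequence number bits, list of algorithm tokens)."""
    results = {}
    for line in output.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue  # IKE_SA lines, counters, timers
        tokens = m["proposal"].split("/")
        # "ESN" is the fixed rendering; a bare "1" is the pre-fix rendering
        # (assumption based on the report above).
        esn = tokens[-1] in ("ESN", "1")
        if esn:
            tokens = tokens[:-1]
        # ESN is a flag, not a length: 64-bit sequence numbers or 32-bit.
        results[f'{m["name"]}#{m["id"]}'] = (64 if esn else 32, tokens)
    return results

if __name__ == "__main__":
    for sa, (bits, algs) in esn_status(SAMPLE).items():
        print(f"{sa}: {bits}-bit sequence numbers, {'/'.join(algs)}")
```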