On 04/09/2018 08:32 PM, Michael Rash wrote:
>
> Hi David,
>
> That is interesting. What are the GPG key sizes that you are using?
> Anything beyond 2048 bits may produce encrypted SPA data that is too
> large to fit within a single (Ethernet) frame. There are tricks to get
> around this though, like this one:
> https://it-offshore.co.uk/security/85-fwknop-4096-bit-rsa-keys
>
> When the incoming SPA packet from the client is truncated, are you
> seeing that within fwknopd output? If you use tcpdump (with a snaplen of
> zero - something like 'tcpdump -i eth0 -l -nn -s 0 -X') does the
> incoming packet appear to not be truncated but fwknopd says it is?
>
> Thanks,
Hi Michael,

The SPA packet is definitely truncated on the receiving end, as viewed with tcpdump. None of my keys is longer than 2048 bits, so now this is even more mysterious!

Regardless, I have created an additional signing key (ed25519), per the link you sent. I've exported my keyring and imported it on the server, but it appears as if the fwknop client is still creating a large SPA packet. I'll look into this deeper tomorrow after I've slept on it...

Thanks for your help!

~David
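The check Michael describes above (is the SPA datagram short on the wire, or only as fwknopd sees it?) can be made mechanical by comparing the length the IP/UDP headers declare with the number of bytes the capture actually delivered. The following is an added diagnostic written for this thread, not code from fwknop or from either poster; it assumes a raw IPv4/UDP datagram without the Ethernet header (what a pcap reader hands you after stripping the link layer), a 1500-byte Ethernet MTU, and uses a constructed payload rather than a real SPA packet. The port 62201 is only the default fwknopd UDP port and is irrelevant to the length logic.

```python
import struct

ETH_MTU = 1500        # IP packet size (headers + payload) that fits one standard Ethernet frame
IPV4_HDR_LEN = 20     # minimal IPv4 header, no options
UDP_HDR_LEN = 8
UDP_PROTO = 17


def build_udp_datagram(payload: bytes, src="10.0.0.2", dst="10.0.0.1",
                       sport=40000, dport=62201) -> bytes:
    """Build a minimal IPv4/UDP datagram around `payload`.

    Constructed test data only: checksums are left at zero and no real SPA
    encoding is performed; the point is to exercise the length fields."""
    total_len = IPV4_HDR_LEN + UDP_HDR_LEN + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, UDP_PROTO, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    udp_hdr = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def analyse_spa_capture(captured: bytes, mtu: int = ETH_MTU) -> dict:
    """Report whether a captured IPv4/UDP datagram carries its full payload.

    `captured` is the datagram as the sniffer delivered it (link layer
    already stripped).  Three things are distinguished:
      - declared vs captured payload length (short capture = truncation),
      - whether the declared IP length exceeds the MTU (the sender must then
        fragment, and a sniffer that does not reassemble fragments only sees
        the first fragment's bytes),
      - the largest UDP payload that fits in one frame at this MTU."""
    if len(captured) < IPV4_HDR_LEN + UDP_HDR_LEN:
        raise ValueError("capture shorter than IPv4 + UDP headers")
    ver_ihl, _tos, ip_total_len = struct.unpack("!BBH", captured[:4])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if captured[9] != UDP_PROTO:
        raise ValueError("not a UDP datagram")
    udp_len = struct.unpack("!H", captured[ihl + 4:ihl + 6])[0]
    declared = udp_len - UDP_HDR_LEN
    got = len(captured) - ihl - UDP_HDR_LEN
    return {
        "declared_payload_len": declared,
        "captured_payload_len": got,
        "truncated_in_capture": got < declared,
        "exceeds_mtu": ip_total_len > mtu,
        "max_payload_for_mtu": mtu - ihl - UDP_HDR_LEN,
    }


if __name__ == "__main__":
    # Constructed samples: a small SPA-sized payload and an oversized one.
    for label, payload in (("small", b"A" * 200), ("large", b"B" * 1800)):
        print(label, analyse_spa_capture(build_udp_datagram(payload)))
    # Same oversized datagram, but only the first 1500 bytes were captured.
    print("large/short", analyse_spa_capture(build_udp_datagram(b"B" * 1800)[:1500]))
```

If `truncated_in_capture` is false but fwknopd still reports a short packet, the loss is happening after the sniffer (in fwknopd's own read path or buffer limits), whereas `exceeds_mtu` true points at fragmentation before the packet ever reaches the host.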