From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 3 Aug 2017 12:08:04 +0000 (+0000)
Subject: ipsec: Disable compression in system policy
X-Git-Tag: 009~79
X-Git-Url: http://git.ipfire.org/?p=people%2Fms%2Fnetwork.git;a=commitdiff_plain;h=50b7a62f323d1ef6dfb3fe45500d44f8290a0569

ipsec: Disable compression in system policy

Compression in IPsec is slow (strongSwan only supports
DEFLATE) and there are security concerns about it
revealing information about the plaintext.

So for a little gain in bandwith, it does not seem to
be right to take that risk right now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
index f2120a22..311dd9ea 100644
--- a/config/vpn/security-policies/system
+++ b/config/vpn/security-policies/system
@@ -4,4 +4,4 @@ INTEGRITY="SHA512 SHA384 SHA256"
 GROUP_TYPE="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
 LIFETIME="28800"
 PFS="on"
-COMPRESSION="on"
+COMPRESSION="off"