<div dir="ltr">Thank you for the reply, Andreas. <div><br></div><div>Can you please validate my understanding?</div><div><br></div><div>Valid combo:</div><div>-------------------</div><div>
<p class="gmail-p1"><span class="gmail-Apple-tab-span"> </span>keyexchange=ikev1</p>
<p class="gmail-p1"><span class="gmail-Apple-tab-span"> </span>ike=aes256-sha256-modp2048!</p>
<p class="gmail-p1"><span class="gmail-Apple-tab-span"> </span>esp=aes256gcm128-sha256!</p></div><div><br></div><div>Invalid combo:</div><div>--------------------</div><div>
<p class="gmail-p1"><span class="gmail-Apple-tab-span"> </span>keyexchange=ikev1</p>
<p class="gmail-p1"><span class="gmail-Apple-tab-span"> </span>ike=aes256gcm128-sha256-modp2048!</p>
<p class="gmail-p1"><span class="gmail-Apple-tab-span"> </span>esp=aes256gcm128-sha256!</p><p class="gmail-p1"><br></p><p class="gmail-p1">Thanks,</p><p class="gmail-p1">Lakshmi</p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen <span dir="ltr">&lt;<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Lakshmi,<br>
<br>
The old IKEv1 protocol does not support AES-GCM for IKE since<br>
IANA hasn't assigned any encryption transform numbers:<br>
<br>
<a href="http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4" rel="noreferrer" target="_blank">http://www.iana.org/<wbr>assignments/ipsec-registry/<wbr>ipsec-registry.xhtml#ipsec-<wbr>registry-4</a><br>
<br>
AES-GCM can be used for IKE protection with IKEv2 only:<br>
<br>
<a href="http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5" rel="noreferrer" target="_blank">http://www.iana.org/<wbr>assignments/ikev2-parameters/<wbr>ikev2-parameters.xhtml#ikev2-<wbr>parameters-5</a><br>
<br>
Anyway, you profit from the speed advantage of AES-GCM mainly<br>
with ESP because many payload packets must be processed.<br>
AES-GCM for ESP can be negotiated both via IKEv1 and IKEv2.<br>
<br>
Regards<br>
<br>
Andreas<br>
<div><div class="h5"><br>
On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote:<br>
> Hi Team,<br>
><br>
> I am trying to use AES-GCM with IKEv1 and see that strongSwan does not<br>
> send the encryption algorithm.<br>
><br>
> Is there any plugin or knob to enable the same?<br>
><br>
> Logs:<br>
><br>
> --------<br>
><br>
> received proposals: IKE:HMAC_SHA2_256_128/PRF_<wbr>HMAC_SHA2_256/MODP_2048<br>
><br>
> configured<br>
> proposals:IKE:AES_GCM_16_128/<wbr>HMAC_SHA2_256_128/PRF_HMAC_<wbr>SHA2_256/MODP_2048<br>
><br>
><br>
> Thanks and Regards,<br>
><br>
> Lakshmi<br>
<br>
</div></div>==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>ITA-HSR]==<br>
<br>
</blockquote></div><br></div>
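<p>Added example, not part of the original thread and not strongSwan code: a small Python check that applies the rule Andreas states above (no AES-GCM in the <code>ike=</code> proposal when <code>keyexchange=ikev1</code>, while <code>esp=</code> may use it) to ipsec.conf-style text. The conn names and the sample configuration are constructed for this example, and <code>also=</code> includes are not followed.</p>

```python
import re

GCM_KEYWORD = re.compile(r"^aes(128|192|256)gcm(8|12|16|64|96|128)$")  # e.g. aes256gcm128

# Constructed sample configuration (conn names are made up for this example)
SAMPLE = """\
conn %default
    keyexchange=ikev1
conn valid-combo
    ike=aes256-sha256-modp2048!
    esp=aes256gcm128-sha256!
conn invalid-combo
    ike=aes256gcm128-sha256-modp2048!
    esp=aes256gcm128-sha256!
conn ikev2-peer
    keyexchange=ikev2
    ike=aes256gcm128-sha256-modp2048!
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections of ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def ikev1_gcm_findings(text):
    """List (conn, proposal) pairs where an IKEv1 conn has AES-GCM in ike= (esp= is not checked)."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, settings in conns.items():
        effective = {**defaults, **settings}  # conn settings override %default
        if effective.get("keyexchange", "").lower() == "ikev1":
            for proposal in effective.get("ike", "").rstrip("!").split(","):
                if any(GCM_KEYWORD.match(t) for t in proposal.strip().lower().split("-")):
                    findings.append((name, proposal.strip()))
    return findings

if __name__ == "__main__":
    print(ikev1_gcm_findings(SAMPLE))
```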