<div dir="ltr">Thanks Andreas.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 5, 2016 at 2:29 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Lakshmi,<br>
<br>
yes, your understanding is correct. Since AES-GCM is an<br>
authenticated encryption algorithm, you don't need an<br>
additional integrity protection function. Thus<br>
<br>
Valid IKEv1 combo:<br>
------------------<br>
<br>
keyexchange=ikev1<br>
ike=aes256-sha256-modp2048!<br>
esp=aes256gcm128!<br>
<br>
<br>
Valid IKEv2 combo:<br>
------------------<br>
<br>
keyexchange=ikev2<br>
ike=aes256gcm128-prfsha256-mod<wbr>p2048!<br>
esp=aes256gcm128!<br>
<br>
Regards<br>
<br>
Andreas<span class=""><br>
<br>
On 05.08.2016 10:41, Lakshmi Prasanna wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Thank you for the reply Andreas.<br>
<br>
Can you please validate my understanding?<br>
<br>
Valid combo:<br>
-------------------<br>
<br>
keyexchange=ikev1<br>
<br>
ike=aes256-sha256-modp2048!<br>
<br>
esp=aes256gcm128-sha256!<br>
<br>
<br>
Invalid combo:<br>
--------------------<br>
<br>
keyexchange=ikev1<br>
<br>
ike=aes256gcm128-sha256-modp20<wbr>48!<br>
<br>
esp=aes256gcm128-sha256!<br>
<br>
<br>
Thanks,<br>
<br>
Lakshmi<br>
<br>
<br>
On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen<br></span>
<<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.or<wbr>g</a> <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strong<wbr>swan.org</a>>><div><div class="h5"><br>
wrote:<br>
<br>
    Hi Lakshmi,<br>
<br>
    The old IKEv1 protocol does not support AES-GCM for IKE since<br>
    IANA hasn't assigned any encryption transform numbers:<br>
<br>
    <a href="http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4" rel="noreferrer" target="_blank">http://www.iana.org/assignment<wbr>s/ipsec-registry/ipsec-<wbr>registry.xhtml#ipsec-registry-<wbr>4</a><br>
    <<a href="http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4" rel="noreferrer" target="_blank">http://www.iana.org/assignmen<wbr>ts/ipsec-registry/ipsec-<wbr>registry.xhtml#ipsec-registry-<wbr>4</a>><br>
<br>
    AES-GCM can be used for IKE protection with IKEv2, only:<br>
<br>
    <a href="http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5" rel="noreferrer" target="_blank">http://www.iana.org/assignment<wbr>s/ikev2-parameters/ikev2-<wbr>parameters.xhtml#ikev2-paramet<wbr>ers-5</a><br>
    <<a href="http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5" rel="noreferrer" target="_blank">http://www.iana.org/assignmen<wbr>ts/ikev2-parameters/ikev2-<wbr>parameters.xhtml#ikev2-paramet<wbr>ers-5</a>><br>
<br>
    Anyway, you profit from the speed advantage of AES-GCM mainly<br>
    with ESP because many payload packets must be processed.<br>
    AES-GCM for ESP can be negotiated both via IKEv1 and IKEv2.<br>
<br>
    Regards<br>
<br>
    Andreas<br>
<br>
    On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote:<br>
     > Hi Team,<br>
     ><br>
     > I am trying to use AES-GCM with IKEV1 and see that strongswan<br>
    does not<br>
     > send the encryption algorithm.<br>
     ><br>
     > Is there any plugin or knob to enable the same?<br>
     ><br>
     > Logs:<br>
     ><br>
     > --------<br>
     ><br>
     > received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC<wbr>_SHA2_256/MODP_2048<br>
     ><br>
     > configured<br>
     ><br>
    proposals:IKE:AES_GCM_16_128/H<wbr>MAC_SHA2_256_128/PRF_HMAC_SHA2<wbr>_256/MODP_2048<br>
     ><br>
     ><br>
     > Thanks and Regards,<br>
     ><br>
     > Lakshmi<br>
<br>
    ==============================<wbr>==============================<wbr>==========<br>
    Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br></div></div>
    <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strong<wbr>swan.org</a>><span class=""><br>
    strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br></span>
    <<a href="http://www.strongswan.org" rel="noreferrer" target="_blank">http://www.strongswan.org</a>><span class=""><br>
    Institute for Internet Technologies and Applications<br>
    University of Applied Sciences Rapperswil<br>
    CH-8640 Rapperswil (Switzerland)<br>
    ==============================<wbr>=============================[<wbr>ITA-HSR]==<br>
<br>
<br>
</span></blockquote>
<br>
-- <br><div class="HOEnZb"><div class="h5">
==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<wbr>org</a><br>
strongSwan - the Open Source VPN Solution!          <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div>