[strongSwan] Strongswan IKEv2 AES-GCM in IKE_SA

Andreas Steffen andreas.steffen at strongswan.org
Thu May 12 14:09:38 CEST 2016


Hi Lars,

I think the problem is that an AEAD (Authenticated Encryption) algorithm
specified for use with IKE does not require the definition of a
data integrity algorithm but of a PRF. Therefore try the following
directives:

   ike=aes256gcm128-prfsha512-ecp512bp!

See also our example scenario

https://www.strongswan.org/testing/testresults/openssl-ikev2/alg-aes-gcm/moon.ipsec.conf

Best regards

Andreas

On 12.05.2016 12:44, Lars Alex Pedersen wrote:
> I have successfully been using pfsense 2.2.6 with rw clients connecting into
> with IKEv2 PSK and with the following ipsec.conf.
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>          charondebug="cfg 1, dmn 2, ike 1"
>
> conn %default
>          ikelifetime=28800s
>          lifetime=10800s
>          margintime=600s
>          keyingtries=1
>          keyexchange=ikev2
>          type=tunnel
>          dpdaction=clear
>          dpddelay=900s
>          ike=aes256gcm128-sha512-ecp512bp!
>          esp=aes256gcm128-ecp512bp!
>          authby=psk
>
> AES-GCM is used for both IKE and ESP but in the newest version of pfsense
> AES-GCM is removed in IKE_SA (aka phase 1) with the reason that AES GCM
> isn't a valid option for IKE_SA.
>
> So my question is if AES-GCM is a valid option in IKE_SA.
>
> https://github.com/pfsense/pfsense/commit/76bec1ab8790964c9714f7f8497edfa1a6c53409
>
> Best regards
> Lars Alex Pedersen

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
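
The rule from the reply above, written as a lint check for ipsec.conf files. This is an added example, not part of the original mail and not strongSwan code: the function names are hypothetical, the keyword sets are a small assumed subset of the proposal keywords, and the sample configuration is constructed from the two ike= lines in this thread.

```python
import re

# Assumed keyword subsets for illustration, not strongSwan's full keyword table.
AEAD_RE = re.compile(r"^(aes(128|192|256)(gcm|ccm)\d+|chacha20poly1305)$")
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
PRF_RE = re.compile(r"^prf[a-z0-9]+$")
IKE_LINE_RE = re.compile(r"^\s*ike\s*=\s*(\S+)")


def lint_ike_proposal(proposal):
    """Return findings for one IKE proposal such as 'aes256gcm128-sha512-ecp512bp'."""
    tokens = proposal.strip().rstrip("!").lower().split("-")
    aead = [t for t in tokens if AEAD_RE.match(t)]
    if not aead:
        return []  # classic cipher plus integrity algorithm: the rule does not apply
    integ = [t for t in tokens if t in INTEG]
    prf = [t for t in tokens if PRF_RE.match(t)]
    findings = []
    if integ:
        findings.append("AEAD cipher %s listed with integrity algorithm %s; "
                        "try prf%s instead" % (aead[0], integ[0], integ[0]))
    if not prf:
        findings.append("AEAD cipher %s has no explicit PRF" % aead[0])
    return findings


def lint_ipsec_conf(text):
    """Return (line_no, proposal, findings) for each ike= proposal with findings."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = IKE_LINE_RE.match(line.split("#", 1)[0])
        if not match:
            continue
        # An ike= value may hold several comma-separated proposals.
        for proposal in match.group(1).rstrip("!").split(","):
            findings = lint_ike_proposal(proposal)
            if findings:
                results.append((line_no, proposal, findings))
    return results


# Constructed sample: the original and the suggested ike= lines from this thread.
SAMPLE = """\
conn old
        ike=aes256gcm128-sha512-ecp512bp!
conn fixed
        ike=aes256gcm128-prfsha512-ecp512bp!
conn classic
        ike=aes256-sha256-modp2048!
"""

if __name__ == "__main__":
    for line_no, proposal, findings in lint_ipsec_conf(SAMPLE):
        for finding in findings:
            print("line %d: %s: %s" % (line_no, proposal, finding))
```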
