Stuart Henderson wrote on 4-7-2019 17:14:
> On 2019-07-04, Daniel Polak <dan...@sys.nl> wrote:
>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>> only supports that in phase 2 but not in phase 1.
>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>
>> Is there any special reason why AESGCM has not been implemented for
>> phase 1 as well?
>
> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
> https://tools.ietf.org/html/rfc4543#section-5.1

I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is slightly better) and you are right, AES-GCM is phase 2 only!

How does one supply the 32-bit nonce the man page mentions? Or is this handled automatically by isakmpd?
