Re: AESGCM supported in IKEv1 phase 2 but not in phase 1
On 2019-07-05, Daniel Polak wrote:
> Stuart Henderson wrote on 4-7-2019 17:14:
>> On 2019-07-04, Daniel Polak wrote:
>>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>>> only supports that in phase 2 but not in phase 1.
>>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>>
>>> Is there any special reason why AESGCM has not been implemented for
>>> phase 1 as well?
>> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
>> https://tools.ietf.org/html/rfc4543#section-5.1
> I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is
> slightly better) and you are right, AES-GCM is phase 2 only!
>
> How does one supply the 32-bit nonce the man page mentions? Or is this
> handled automatically by isakmpd?
>

I believe that is for manual SAs. It's handled automatically with standard ike.

My usual setup for IKEv1 with AES-GCM looks like

    ike passive esp \
        from {xxx/nn, yyy/nn} to zzz/nn peer aaa local bbb \
        main auth hmac-sha2-256 enc aes group modp3072 \
        quick enc aes-128-gcm group modp3072 \
        tag ipsec-$id
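A small config check written for this thread (not code from the list or from OpenBSD) that folds an ipsec.conf(5)-style ike rule back into one line, splits it into its main-mode and quick-mode transforms, and flags an aes-*-gcm cipher placed in main mode, where isakmpd does not support it. The sample rules and addresses are constructed; the aes-*-gcm keyword spelling is taken from the reply above and the rest of the keyword handling is an assumption.

```python
import re

# Constructed sample, not from the thread: rule 1 follows the working layout
# in the reply above, rule 2 wrongly puts AES-GCM in main mode (phase 1).
SAMPLE_CONF = """\
ike passive esp \\
    from {10.0.0.0/24, 10.0.1.0/24} to 192.0.2.0/24 peer 203.0.113.5 local 198.51.100.9 \\
    main auth hmac-sha2-256 enc aes group modp3072 \\
    quick enc aes-128-gcm group modp3072 \\
    tag ipsec-$id
ike passive esp from 10.0.2.0/24 to 192.0.2.0/24 peer 203.0.113.6 \\
    main auth hmac-sha2-256 enc aes-256-gcm group modp3072 \\
    quick enc aes-256-gcm group modp3072
"""


def join_continuations(text):
    """Fold backslash-newline continuations so each ike rule is one logical line."""
    return re.sub(r"\\\n\s*", " ", text).splitlines()


def phase_transforms(rule):
    """Map 'main' / 'quick' to the auth/enc/group keywords given for that phase.

    Assumption: the phase section runs from its keyword up to the next
    'main', 'quick' or 'tag' keyword (or the end of the rule).
    """
    phases = {}
    for name in ("main", "quick"):
        m = re.search(r"\b%s\b(.*?)(?=\b(?:main|quick|tag)\b|$)" % name, rule)
        if m:
            phases[name] = dict(re.findall(r"\b(auth|enc|group)\s+(\S+)", m.group(1)))
    return phases


def find_gcm_in_main(text):
    """Return the main-mode enc values that name an AES-GCM transform.

    Assumption: AEAD transforms are spelled aes-<bits>-gcm as in the reply.
    """
    findings = []
    for rule in join_continuations(text):
        if not rule.startswith("ike"):
            continue
        enc = phase_transforms(rule).get("main", {}).get("enc", "")
        if "gcm" in enc:
            findings.append(enc)
    return findings


if __name__ == "__main__":
    for bad in find_gcm_in_main(SAMPLE_CONF):
        print("main mode uses %s, but AES-GCM is only supported in quick mode" % bad)
```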
Re: AESGCM supported in IKEv1 phase 2 but not in phase 1
Stuart Henderson wrote on 4-7-2019 17:14:
> On 2019-07-04, Daniel Polak wrote:
>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>> only supports that in phase 2 but not in phase 1.
>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>
>> Is there any special reason why AESGCM has not been implemented for
>> phase 1 as well?
> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
> https://tools.ietf.org/html/rfc4543#section-5.1

I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is
slightly better) and you are right, AES-GCM is phase 2 only!

How does one supply the 32-bit nonce the man page mentions? Or is this
handled automatically by isakmpd?
Re: AESGCM supported in IKEv1 phase 2 but not in phase 1
On 2019-07-04, Daniel Polak wrote:
> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
> only supports that in phase 2 but not in phase 1.
> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>
> Is there any special reason why AESGCM has not been implemented for
> phase 1 as well?

AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
https://tools.ietf.org/html/rfc4543#section-5.1
AESGCM supported in IKEv1 phase 2 but not in phase 1
Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
only supports that in phase 2 but not in phase 1.
See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.

Is there any special reason why AESGCM has not been implemented for
phase 1 as well?