Re: AESGCM supported in IKEv1 phase 2 but not in phase 1
On 2019-07-05, Daniel Polak wrote:
> Stuart Henderson wrote on 4-7-2019 17:14:
>> On 2019-07-04, Daniel Polak wrote:
>>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>>> only supports that in phase 2 but not in phase 1.
>>> See https://marc.info/?l=openbsd-cvs=128516335103833=2 for the commit.
>>>
>>> Is there any special reason why AESGCM has not been implemented for
>>> phase 1 as well?
>> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
>> https://tools.ietf.org/html/rfc4543#section-5.1
> I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is
> slightly better) and you are right AES-GCM is phase 2 only!
>
> How does one supply the 32-bit nonce the man page mentions? Or is this
> handled automatically by isakmpd?
>
>
I believe that is for manual SAs. It's handled automatically with
standard ike. My usual setup for IKEv1 with AES-GCM looks like
ike passive esp \
from {xxx/nn, yyy/nn} to zzz/nn peer aaa local bbb \
main auth hmac-sha2-256 enc aes group modp3072 \
quick enc aes-128-gcm group modp3072 \
tag ipsec-$id
Re: AESGCM supported in IKEv1 phase 2 but not in phase 1
Stuart Henderson wrote on 4-7-2019 17:14: On 2019-07-04, Daniel Polak wrote: Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd only supports that in phase 2 but not in phase 1. See https://marc.info/?l=openbsd-cvs=128516335103833=2 for the commit. Is there any special reason why AESGCM has not been implemented for phase 1 as well? AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g. https://tools.ietf.org/html/rfc4543#section-5.1 I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is slightly better) and you are right AES-GCM is phase 2 only! How does one supply the 32-bit nonce the man page mentions? Or is this handled automatically by isakmpd?
Re: AESGCM supported in IKEv1 phase 2 but not in phase 1
On 2019-07-04, Daniel Polak wrote: > Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd > only supports that in phase 2 but not in phase 1. > See https://marc.info/?l=openbsd-cvs=128516335103833=2 for the commit. > > Is there any special reason why AESGCM has not been implemented for > phase 1 as well? AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g. https://tools.ietf.org/html/rfc4543#section-5.1
AESGCM supported in IKEv1 phase 2 but not in phase 1
Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd only supports that in phase 2 but not in phase 1. See https://marc.info/?l=openbsd-cvs=128516335103833=2 for the commit. Is there any special reason why AESGCM has not been implemented for phase 1 as well?
