Hi Lars,

I think the problem is that an AEAD (Authenticated Encryption) algorithm
specified for use with IKE does not require the definition of a
data integrity algorithm but of a PRF. Therefore try the following
directives:

  ike=aes256gcm128-prfsha512-ecp512bp!

See also our example scenario

https://www.strongswan.org/testing/testresults/openssl-ikev2/alg-aes-gcm/moon.ipsec.conf

Best regards

Andreas

On 12.05.2016 12:44, Lars Alex Pedersen wrote:
I have successfully been using pfsense 2.2.6 with rw clients connecting in
with IKEv2 PSK and with the following ipsec.conf.

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
         charondebug="cfg 1, dmn 2, ike 1"

conn %default
         ikelifetime=28800s
         lifetime=10800s
         margintime=600s
         keyingtries=1
         keyexchange=ikev2
         type=tunnel
         dpdaction=clear
         dpddelay=900s
         ike=aes256gcm128-sha512-ecp512bp!
         esp=aes256gcm128-ecp512bp!
         authby=psk

AES-GCM is used for both IKE and ESP, but in the newest version of pfsense
AES-GCM is removed in IKE_SA (aka phase 1) with the reason that AES GCM
isn't a valid option for IKE_SA.

So my question is if AES-GCM is a valid option in IKE_SA.

https://github.com/pfsense/pfsense/commit/76bec1ab8790964c9714f7f8497edfa1a6c53409

Best regards
Lars Alex Pedersen



_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users


--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
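
An added example, not part of the e-mail thread and not strongSwan code: a small lint for `ike=` lines that flags an AEAD cipher paired with an integrity algorithm or lacking a PRF, as the reply above explains. The keyword classification is a simplified assumption that covers only the kinds of keywords seen in this thread.

```python
import re

# Simplified keyword classes (assumption: a small subset, not strongSwan's full table).
AEAD = re.compile(r"^aes\d+(gcm|ccm)\d+$|^chacha20poly1305$")
PRF = re.compile(r"^prf[a-z0-9]+$")
INTEG = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc)(_\d+)?$")

def classify(token):
    if AEAD.match(token):
        return "aead"
    if PRF.match(token):
        return "prf"
    if INTEG.match(token):
        return "integrity"
    return "other"  # DH groups, classic ciphers such as aes256, ...

def check_ike_proposal(value):
    """Return findings for one ike= value (comma-separated proposals)."""
    findings = []
    for proposal in value.split(","):
        tokens = proposal.strip().rstrip("!").lower().split("-")
        kinds = [classify(t) for t in tokens]
        if "aead" not in kinds:
            continue  # classic cipher: the integrity algorithm is expected here
        if "integrity" in kinds:
            bad = tokens[kinds.index("integrity")]
            findings.append(f"AEAD cipher combined with integrity algorithm '{bad}'")
        if "prf" not in kinds:
            findings.append("AEAD cipher without a PRF (prf... keyword)")
    return findings

def check_conf(text):
    """Scan ipsec.conf text; return (line_number, finding) pairs for ike= lines."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        match = re.match(r"\s*ike\s*=\s*(\S+)", line)
        if match:
            results += [(number, f) for f in check_ike_proposal(match.group(1))]
    return results

# Constructed sample: the two ike= lines that appear in this thread.
SAMPLE = """conn before
         ike=aes256gcm128-sha512-ecp512bp!
conn after
         ike=aes256gcm128-prfsha512-ecp512bp!
"""

if __name__ == "__main__":
    for number, finding in check_conf(SAMPLE):
        print(f"line {number}: {finding}")
```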
