Hi Lakshmi,

yes, your understanding is correct. Since AES-GCM is an authenticated
encryption algorithm, you don't need an additional integrity protection
function. Thus

Valid IKEv1 combo:
------------------
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm128!

Valid IKEv2 combo:
------------------
keyexchange=ikev2
ike=aes256gcm128-prfsha256-modp2048!
esp=aes256gcm128!

Regards

Andreas

On 05.08.2016 10:41, Lakshmi Prasanna wrote:
Thank you for the reply Andreas.

Can you please validate my understanding?

Valid combo:
-------------------
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm128-sha256!

Invalid combo:
--------------------
keyexchange=ikev1
ike=aes256gcm128-sha256-modp2048!
esp=aes256gcm128-sha256!

Thanks,
Lakshmi

On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

Hi Lakshmi,

The old IKEv1 protocol does not support AES-GCM for IKE since
IANA hasn't assigned any encryption transform numbers:

http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4

AES-GCM can be used for IKE protection with IKEv2, only:

http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5

Anyway, you profit from the speed advantage of AES-GCM mainly with
ESP because many payload packets must be processed. AES-GCM for ESP
can be negotiated both via IKEv1 and IKEv2.

Regards

Andreas

On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote:
> Hi Team,
>
> I am trying to use AES-GCM with IKEV1 and see that strongswan does not
> send the encryption algorithm.
>
> Is there any plugin or knob to enable the same?
>
> Logs:
>
> --------
>
> received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>
> configured proposals:IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>
>
> Thanks and Regards,
>
> Lakshmi

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
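Added example, not part of the original thread and not strongSwan code: a small linter that applies the two rules from the replies above to the `ike=` and `esp=` lines of an ipsec.conf. The function names, the conn names in the sample and the integrity keyword subset are assumptions; only an explicit `keyexchange=ikev1` is treated as IKEv1.

```python
import re

GCM = re.compile(r"^aes\d+gcm\d+$")  # e.g. aes256gcm128
INTEG = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc)(_\d+)?$")  # subset; prf* excluded

def parse_conns(text):
    """Parse 'conn <name>' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and line[:1] in (" ", "\t") and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint(text):
    """Return (conn, option, level, message) findings for ike=/esp= proposals."""
    findings = []
    for name, opts in parse_conns(text).items():
        for key in ("ike", "esp"):
            for proposal in filter(None, opts.get(key, "").rstrip("!").split(",")):
                tokens = proposal.strip().split("-")
                gcm = any(GCM.match(t) for t in tokens)
                if gcm and key == "ike" and opts.get("keyexchange") == "ikev1":
                    findings.append((name, key, "error", "IKEv1 has no AES-GCM transform for IKE"))
                elif gcm and any(INTEG.match(t) for t in tokens):
                    findings.append((name, key, "note", "integrity algorithm is redundant with AES-GCM"))
    return findings

# Constructed sample built from the proposal strings quoted in the thread.
SAMPLE = """\
conn v1-ok
    keyexchange=ikev1
    ike=aes256-sha256-modp2048!
    esp=aes256gcm128!
conn v2-ok
    keyexchange=ikev2
    ike=aes256gcm128-prfsha256-modp2048!
    esp=aes256gcm128!
conn v1-bad
    keyexchange=ikev1
    ike=aes256gcm128-sha256-modp2048!
    esp=aes256gcm128-sha256!
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```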