On 2019-07-05, Daniel Polak <dan...@sys.nl> wrote:
> Stuart Henderson wrote on 4-7-2019 17:14:
>> On 2019-07-04, Daniel Polak <dan...@sys.nl> wrote:
>>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>>> only supports that in phase 2 but not in phase 1.
>>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>>
>>> Is there any special reason why AESGCM has not been implemented for
>>> phase 1 as well?
>> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
>> https://tools.ietf.org/html/rfc4543#section-5.1
> I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is
> slightly better) and you are right, AES-GCM is phase 2 only!
>
> How does one supply the 32-bit nonce the man page mentions? Or is this
> handled automatically by isakmpd?
>
>

I believe that is for manual SAs. It's handled automatically with
standard ike. My usual setup for IKEv1 with AES-GCM looks like

# Phase 1 (main mode): AES-CBC with HMAC-SHA2-256, since AES-GCM is not
# available here; phase 2 (quick mode): AES-128-GCM for the ESP SA.
ike passive esp \
        from {xxx/nn, yyy/nn} to zzz/nn peer aaa local bbb \
        main auth hmac-sha2-256 enc aes group modp3072 \
        quick enc aes-128-gcm group modp3072 \
        tag ipsec-$id

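For contrast with the ike rule above, here is an added configuration example (it is not from any message in this thread) showing the manually keyed SA case, which is where the 32-bit nonce from ipsec.conf(5) has to be supplied by hand. Addresses, SPIs and keys are constructed placeholders. The 160-bit key length (128-bit AES key followed by the 32-bit nonce/salt) is my reading of the key-size table in ipsec.conf(5); confirm it against the man page of your release.

```conf
# Added example, not part of the original thread. Manually keyed ESP SA
# pair using AES-128-GCM (an AEAD cipher, so no separate "auth" keyword).
# Placeholder endpoints and SPIs; the outbound SA comes first, the
# inbound second, in both the spi and enckey pairs.
#
# Assumption (from ipsec.conf(5) as I read it): aes-128-gcm takes a
# 160-bit enckey, i.e. 16 bytes of AES key immediately followed by the
# 4-byte nonce/salt that both peers must agree on. With "ike" rules
# isakmpd derives this material itself; here it must be given in full.
esp from 192.0.2.1 to 192.0.2.2 \
        spi 0x1000:0x1001 \
        enc aes-128-gcm \
        enckey 0x000102030405060708090a0b0c0d0e0f10111213:0xf0f1f2f3f4f5f6f7f8f9fafbfcfdfeff20212223
```

Before loading, parse-check the file with `ipsecctl -n -f /etc/ipsec.conf`; a key of the wrong length for the chosen cipher is rejected at that stage rather than silently producing an SA the peer cannot decrypt.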
