On 2019-07-05, Daniel Polak <dan...@sys.nl> wrote:
> Stuart Henderson wrote on 4-7-2019 17:14:
>> On 2019-07-04, Daniel Polak <dan...@sys.nl> wrote:
>>> Just tried to configure an IKEv1 VPN connection with AESGCM but isakmpd
>>> only supports that in phase 2 but not in phase 1.
>>> See https://marc.info/?l=openbsd-cvs&m=128516335103833&w=2 for the commit.
>>>
>>> Is there any special reason why AESGCM has not been implemented for
>>> phase 1 as well?
>> AFAIK AES-GCM isn't in the spec for IKEv1 phase 1. See e.g.
>> https://tools.ietf.org/html/rfc4543#section-5.1
> I had a look (https://tools.ietf.org/html/rfc4106#section-8.2 is
> slightly better) and you are right, AES-GCM is phase 2 only!
>
> How does one supply the 32-bit nonce the man page mentions? Or is this
> handled automatically by isakmpd?
>
I believe that is for manual SAs. It's handled automatically with standard ike.

My usual setup for IKEv1 with AES-GCM looks like

ike passive esp \
    from {xxx/nn, yyy/nn} to zzz/nn peer aaa local bbb \
    main auth hmac-sha2-256 enc aes group modp3072 \
    quick enc aes-128-gcm group modp3072 \
    tag ipsec-$id
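The point of the thread, shown as an added ipsec.conf(5) illustration rather than anything from Stuart's or Daniel's messages: the first rule puts AES-GCM on the phase 1 (main mode) line, which isakmpd does not support, while the second keeps a conventional cipher for phase 1 and uses AES-GCM only for the phase 2 (quick mode) ESP SA, with no nonce configured by hand. The addresses are constructed placeholders from documentation ranges, not values from the thread.

```conf
# Added illustration, not from the thread. Addresses are constructed placeholders.

# Not valid: AES-GCM is a phase 2 (quick mode) cipher only. isakmpd does not
# offer it for the phase 1 (main mode) ISAKMP SA, so this rule is rejected.
ike passive esp \
    from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1 local 203.0.113.2 \
    main auth hmac-sha2-256 enc aes-128-gcm group modp3072 \
    quick enc aes-128-gcm group modp3072

# Corrected: a conventional cipher for phase 1, AES-GCM for the ESP SA in
# phase 2. No nonce/salt is written into the rule; with automated keying
# isakmpd handles it itself. An explicit nonce is only a concern for manual SAs.
ike passive esp \
    from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1 local 203.0.113.2 \
    main auth hmac-sha2-256 enc aes group modp3072 \
    quick enc aes-128-gcm group modp3072
```

To check a candidate rule set without loading it, parse the file with `ipsecctl -n -f /etc/ipsec.conf`; the phase 1 AES-GCM variant fails at that step, the corrected one parses cleanly.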