914 Views | 1 Helpful | 4 Replies

azure ipsec asr using aesgcm

hi,

I have a problem with using AES-GCM for encryption on IPsec tunnels between Azure and a Cisco ASR 1001 router. It is not working. AES/SHA works OK. It looks like the problem is that I cannot define an integrity protocol in the IKEv2 proposal if AES-GCM is used. Has anyone successfully implemented AES-GCM between Azure and a Cisco ASR?


br

4 Replies

Giuseppe Larosa
Hall of Fame

Hello @DraganSkundric87318 ,

I may be wrong, but AES-GCM does not require an integrity check.

https://en.wikipedia.org/wiki/Galois/Counter_Mode

Edit:

see also

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-9.0


Hope to help

Giuseppe


hi,

Yes, it does not. The point is that IPsec with the ASR router does not work. IPsec with the ASA firewall works OK; integrity is defined as null in the ASA IKEv2 policy and this setup works OK.

---- ASA -----

crypto ikev2 policy 90
encryption aes-gcm-256
integrity null
group 14
prf sha512 sha384 sha256
lifetime seconds 86400

-------- ASR ---------

crypto ikev2 proposal AZURE_GCM
encryption aes-gcm-256
prf sha256 sha512 sha384
group 14
!

And about that link you've posted: what does that mean? That Azure uses .NET 9.0 and does not support on-prem Cisco IOS when using AES-GCM?

Not all ASR 1k support GCM:

Suite-B is not supported on the following hardware platforms:

  • Cisco ASR1001
  • ESP-5
  • ESP-10
  • ESP-20
  • ESP-40

Suite-B has the following cryptographic algorithms:

  • Suite-B-GCM-128: Provides ESP integrity protection, confidentiality, and IPsec encryption algorithms that use the 128-bit AES using Galois and Counter Mode (AES-GCM) described in RFC 4106. This suite should be used when ESP integrity protection and encryption are both needed.
  • Suite-B-GCM-256: Provides ESP integrity protection and confidentiality using 256-bit AES-GCM described in RFC 4106. This suite should be used when ESP integrity protection and encryption are both needed.
  • Suite-B-GMAC-128: Provides ESP integrity protection using 128-bit AES Galois Message Authentication Code (GMAC) described in RFC 4543, but does not provide confidentiality. This suite should be used only when there is no need for ESP encryption.
  • Suite-B-GMAC-256: Provides ESP integrity protection using 256-bit AES-GMAC described in RFC 4543, but does not provide confidentiality. This suite should be used only when there is no need for ESP encryption.

MHM

vishalbhandari
Spotlight

@DraganSkundric87318 AES-GCM doesn’t require a separate integrity algorithm because it has built-in authentication, which is why Azure and Cisco ASR handle it differently from AES/SHA. On Cisco ASR, when using AES-GCM, you should omit the integrity parameter in the IKEv2 proposal. Instead, ensure that both Azure and ASR are set to use AES-GCM consistently in both IKE and IPsec policies. Also, check that Azure is configured to accept AES-GCM and that there are no mismatches in encryption strength (e.g., AES-GCM-128 vs. AES-GCM-256). If the tunnel still fails, reviewing debug logs on the ASR (debug crypto ikev2) might help pinpoint where the negotiation is breaking down.
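
As an added example (not from the original thread, and not taken from Cisco or Microsoft documentation), here is a complete route-based IKEv2/IPsec configuration for an IOS XE router that uses AES-GCM-256 for both the IKE SA and the child SA, following the point made in the replies above: the combined-mode cipher carries its own authentication, so the IKEv2 proposal has no integrity line and the transform set has no esp-sha-hmac. The names, the RFC 5737 documentation addresses, the tunnel addressing and the pre-shared key are placeholders, and the configuration assumes a platform whose ESP supports Suite-B/GCM (see the platform note quoted earlier in the thread).

```cisco
! Added example (not from the thread): IKEv2 + IPsec with AES-GCM-256 on IOS XE.
! Names, addresses (RFC 5737 documentation ranges) and the PSK are placeholders.
! Assumes a platform whose ESP supports Suite-B/GCM (see the platform note above).

! IKE SA: AES-GCM is a combined-mode (AEAD) cipher, so there is no
! "integrity" line here. Only encryption, PRF and DH group are configured.
crypto ikev2 proposal AZURE_GCM
 encryption aes-gcm-256
 prf sha256
 group 14
!
crypto ikev2 policy AZURE_GCM_POLICY
 proposal AZURE_GCM
!
! Pre-shared key for the Azure VPN gateway public IP (placeholder values).
crypto ikev2 keyring AZURE_KEYRING
 peer AZURE_GW
  address 203.0.113.10
  pre-shared-key REPLACE_WITH_SHARED_KEY
 !
!
crypto ikev2 profile AZURE_PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local AZURE_KEYRING
 lifetime 28800
 dpd 10 3 periodic
!
! Child SA: esp-gcm produces its own authentication tag, so a GCM
! transform set has no esp-sha-hmac (or other esp-*-hmac) keyword either.
crypto ipsec transform-set AZURE_GCM_TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile AZURE_IPSEC_PROFILE
 set transform-set AZURE_GCM_TS
 set pfs group14
 set ikev2-profile AZURE_PROFILE
!
! Route-based VTI towards Azure; the /30 is a placeholder inside address.
! The MTU/MSS values leave room for the ESP and GCM overhead on a 1500-byte path.
interface Tunnel100
 ip address 169.254.21.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AZURE_IPSEC_PROFILE
!
```

The Azure side has to offer the same combination. Assuming a custom IPsec/IKE policy on the VPN connection, that means IKE encryption GCMAES256 with IKE integrity SHA256 (to my understanding Azure applies the IKE integrity value as the PRF when the IKE encryption is GCMAES, which is what `prf sha256` matches), DH group DHGroup14, IPsec encryption GCMAES256 together with IPsec integrity GCMAES256 (Azure requires the same GCMAES algorithm and key length for both), and PFS group PFS2048 to match `set pfs group14`; these parameter names are the Azure ones as I know them, not values from the thread. Once the tunnel is up, `show crypto ikev2 sa detailed` should report AES-GCM with a 256-bit key and the negotiated PRF with no separate hash, and `show crypto ipsec sa` should show the esp-gcm transform; if it stays down, `debug crypto ikev2` (as suggested above) shows which proposal the peer rejected, and a platform that rejects the `aes-gcm-256` or `esp-gcm` keywords outright is one of the Suite-B-unsupported ones listed earlier.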