06-13-2016 12:46 PM - edited 02-21-2020 08:51 PM
Can someone please explain why the ASA documentation requires, when using AES-GCM for a site-to-site IPsec VPN, that the integrity hash selected must be NULL? Thank you in advance for any explanation.
Jose
06-13-2016 02:22 PM
GCM is an authenticated encryption. That means that everything that was previously done with the HMAC is done directly while encrypting the packet. An additional HMAC is no longer needed.
07-19-2022 08:30 AM
Hello Jose
Please take a look at this documentation:
It explains AES-GCM support:
"An authenticated encryption algorithm provides a combined functionality of encryption and integrity. Such
algorithms are called combined mode algorithms. The Support of AES-GCM as an IKEv2 Cipher on IOS
feature provides the use of authenticated encryption algorithms for encrypted messages in IKEv2 protocol by
adding the Advanced Encryption Standard in Galois/Counter Mode (AES-GCM). AES-GCM supports the
key size of 128- and 256-bits—AES-GCM-128 and AES-GCM-256.
If AES-GCM is the only encryption algorithm, integrity algorithms cannot be added to the proposal."
Regards
07-19-2022 09:54 AM
I think it is a bug
08-15-2023 01:43 PM
I'm researching this now as GCM is "supposedly" more secure than CBC. But I'm confused, since IKE is a P1 negotiation, coming before IPsec (P2). So how can I ensure my far side is really who they should be with no form of password or authentication key exchange? I set up a tunnel between two devices. The far side gets swapped by someone who knows the IPs but not the key. After he puts that in, P1 with GCM comes up without the password being entered on the replaced far-side device???
Seems counterintuitive here, and I'm sure I'm missing something, but what is it??
08-16-2023 01:07 AM
These are two different stories. IKE PSK/cert authentication is still required in order to bring IKE SA up if AES-GCM is used during IKE negotiation as an encryption algorithm. Also, AES-GCM combines encryption and authentication, but still this has nothing to do with IKE authentication.
09-04-2023 01:18 AM
Hello
You are talking about very different things.
First, GCM and CBC are two different mathematical models for implementing AES. And GCM is not only an encryption algorithm but also deals with integrity.
So, when choosing GCM, you do not need to select an integrity algorithm for the IPsec proposal (as it won't apply).
It has nothing to do with authentication!
Authentication is managed during phase 1 with IKE. Depending on whether you use IKEv1 or IKEv2 (recommended), you will be able to use different sets of algorithms.
But it is always the same; you need:
- an IKE policy that will deal with securing key exchange and cipher negotiations during phase 1
- an ESP policy that will deal with encryption and integrity (based on details negotiated in phase 1)
The IKE policy and then the ESP transform set have their own parameters (integrity, ciphers) that can be similar or not.
So, in your case, nobody will replace the remote end if you use authentication in phase 1.
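Added example, not part of any post in this thread: a minimal ASA IKEv2 site-to-site sketch showing the two separate things the replies describe, the AES-GCM proposals with integrity set to null and the peer authentication configured under the tunnel group. The peer address 203.0.113.2, the names GCM256, VPN-ACL and OUTSIDE_MAP, the interface name outside, the networks in the ACL and the key placeholders are all constructed for illustration.

```text
! Phase 1 (IKEv2 SA): AES-GCM is a combined-mode cipher, so no separate
! integrity algorithm is selected. The PRF is still configured on its own.
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
!
! Phase 2 (ESP): the GCM tag carried in each packet provides the integrity
! check, so the ESP integrity setting is null here as well.
crypto ipsec ikev2 ipsec-proposal GCM256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
!
! Peer authentication is independent of the cipher choice. Without this key
! (or a certificate) a replacement device at the same IP cannot complete the
! IKE_AUTH exchange, so the IKE SA does not come up.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-REMOTE-KEY>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-LOCAL-KEY>
!
! Bind the proposal and peer to the interface (constructed names and networks).
access-list VPN-ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal GCM256
crypto map OUTSIDE_MAP interface outside
crypto ikev2 enable outside
```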