AES128-GCM 96 with AES-XCBC on IKEv2 Phase 2 doesn't work



  • I only run 2.4 now so I can't comment on if this works on 2.3.x or not.

    If I set the phase 2 on an IKEv2 tunnel to AES128-GCM 96 with AES-XCBC, it doesn't come up and nothing in the log seems to identify why.

    As soon as I set it back to AES-128 SHA1, it works immediately.

    Am I doing something wrong?


  • Netgate

    Curious why you are setting a hash algorithm on AES-GCM when it is an authenticated cipher and none is required?



  • @Derelict:

    Curious why you are setting a hash algorithm on AES-GCM when it is an authenticated cipher and none is required?

    I read on another forum post to use that.

    My issue may be as simple as that. I'll try without. Thanks!



  • I tried without a hashing algorithm ticked. No luck. No phase 2 initiates and no traffic passes. Back to AES-128 SHA1 and everything works.


  • Netgate

    AES-GCM works fine. You'll have to provide more details.

    You are changing both sides, I trust. pfSense on both sides?

    The IPsec logs will tell you what is happening. The responder side is usually better about saying what, exactly, it didn't like when it rejected the tunnel config.



  • Identical pfsense version and settings on both sides. I managed to catch the related item in the log on the responder side in amongst all the DPD stuff related to other tunnels:

    11[NET] <con1|5>received packet: from x.x.x.x[500] to x.x.x.x[500] (204 bytes)
    Aug 22 12:30:53
    charon

    11[ENC] <con1|5>parsed CREATE_CHILD_SA request 11 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Aug 22 12:30:53
    charon

    11[IKE] <con1|5>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Aug 22 12:30:53
    charon

    11[CFG] <con1|5>looking for a child config for 192.168.2.0/24|/0 === 192.168.4.0/24|/0
    Aug 22 12:30:53
    charon

    11[IKE] <con1|5>traffic selectors 192.168.2.0/24|/0 === 192.168.4.0/24|/0 inacceptable
    Aug 22 12:30:53
    charon

    11[IKE] <con1|5>failed to establish CHILD_SA, keeping IKE_SA
    Aug 22 12:30:53
    charon

    11[ENC] <con1|5>generating CREATE_CHILD_SA response 11 [ N(TS_UNACCEPT) ]
    Aug 22 12:30:53
    charon

    Phase 2 settings page screenshot attached. As soon as I change it back to AES-128 SHA1, it works again. Have tried rebooting both ends etc.


    </con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5>



  • OK so the phase 2 works with a 128 authentication tag length but not 96. Phase 1 works fine with 96.

    Is this deliberate or a bug?



  • Is AES128-GCM supposed to work on a phase 2 with a 96-bit authentication tag?


  • Netgate

    Doesn't look like FreeBSD likes it hard set like that:

    Aug 25 00:40:43 charon 13[KNL] <con3000|21>unable to add SAD entry with SPI cf9ff216: Invalid argument (22)</con3000|21>