IPSec: AES-GCM in both Phase 1 and Phase 2?

  • Hi All
    The PFSense online documentation differs from The PFSense Book (30 May 2019) regarding the configuration of Phase 1 and Phase 2 encryption algorithm for site-to-site IPSec VPN using Hardware Encryption.

    For Phase 1, the online documentation says "If both sides support AES-GCM, use AES128-GCM with a 128 bit Key Length." and "The best choice for use with AES-GCM is AES-XCBC.".

    But the PFSense book says "Encryption Algorithm Use AES with a key length of 256 bits. Hash Algorithm Use SHA256 if both sides support it" for Phase 1.

    For Phase 2, the online documentation says "Use AES128-GCM if available".
    For Phase 2, the book says "select AES256-GCM with a 128 bit key length."
    Both online documentation and book agree on no hashing for Phase 2.

    So which is correct or preferable?
    Should we have AES-GCM in both Phase 1 and Phase 2 OR only in Phase 2 as per the book?
    And should we use AES256-GCM (128 bit) as per the book or AES128-GCM (128 bit) as per online documentation?

    Thank you very much

  • Not sure what's the best option, but on my APU3 these settings work very well:

    • IPSec Phase 1: IKEv2, Encryption: AES256-GCM with 128-bit block length, Hash: AES-XCBC, DH-Group: 14
    • IPSec Phase 2: Encryption: AES256-GCM 128-bit block length, Hash: AES-XCBC, PFS group 14

  • Thank you very much bouke for sharing.

    Your settings are quite similar to ours and we will probably follow you in using AES256-GCM 128 bits instead of AES128-GCM 128 bits. But we will probably skip hashing for Phase 2.

    Phase 1
    Key Exchange version: IKEv2
    Encryption Algorithm: AES128-GCM
    Key length: 128 bits
    Hash: AES-XCBC
    DH Group: 14 (2048 bit)
    Phase 2
    Protocol: ESP
    Encryption Algorithm: AES128-GCM 128 bits
    Hash Algorithms: None selected
    PFS key group: 14 (2048 bit)

    No hashing is selected for Phase 2 because both the book and online documentation say "With AES-GCM in use, no hash is required." and "When using AES-GCM, do not select any Hash Algorithm entries as AES-GCM already performs hashing." respectively for Phase 2.

    We are using a Protectli device:
    Firewall Micro Appliance With 4x Intel Gigabit Ports, Intel Atom E3845, AES-NI, 8GB RAM, 128GB mSATA

    CPU Type Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)
    Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
    Version 2.4.4-RELEASE-p3 (amd64)
    built on Wed May 15 18:53:44 EDT 2019
    FreeBSD 11.2-RELEASE-p10
