• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Using AES-GCM encryption algorithm for OpenVPN site-to-site shared key

Scheduled Pinned Locked Moved OpenVPN
9 Posts 2 Posters 1.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    Jimbo123
    last edited by Mar 15, 2020, 3:59 PM

    AES-GCM isn’t available for OpenVPN site-to-site shared key type VPN connections in pfSense 2.4.4.
    Is this something that just isn’t possible (maybe due to the omission of a TLS key) in shared key VPN setups? Or is it possible this encryption type be added in later versions of OpenVPN on pfSense?

    1 Reply Last reply Reply Quote 0
    • D
      Derelict LAYER 8 Netgate
      last edited by Derelict Mar 15, 2020, 4:15 PM Mar 15, 2020, 4:14 PM

      You need Negotiable Cryptographic Parameters to get AES-GCM which are only available in SSL/TLS connections.

      Generate some certs and do SSL/TLS.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      J 1 Reply Last reply Mar 15, 2020, 4:20 PM Reply Quote 0
      • J
        Jimbo123 @Derelict
        last edited by Mar 15, 2020, 4:20 PM

        @Derelict Hi, thanks for the reply. SSL/TLS is what I’m currently using at the moment only I have NEP turned off and AES-GCM is still a selectable option?

        D 1 Reply Last reply Mar 15, 2020, 4:21 PM Reply Quote 0
        • D
          Derelict LAYER 8 Netgate @Jimbo123
          last edited by Mar 15, 2020, 4:21 PM

          @Jimbo123 Is there a specific question hidden in there somewhere?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          J 1 Reply Last reply Mar 15, 2020, 4:29 PM Reply Quote 0
          • J
            Jimbo123 @Derelict
            last edited by Mar 15, 2020, 4:29 PM

            @Derelict Well what I was getting at was that I have NCP turned off and I’m still able to select AES-GCM as an option so wouldn’t this suggest that you don’t need NCP for this encryption type? Could there be another reason why I can’t use AES-GCM with a shared key configuration?

            1 Reply Last reply Reply Quote 0
            • D
              Derelict LAYER 8 Netgate
              last edited by Mar 15, 2020, 4:30 PM

              Everything you might want to know about it is here:

              https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              J 1 Reply Last reply Mar 15, 2020, 4:32 PM Reply Quote 0
              • J
                Jimbo123 @Derelict
                last edited by Mar 15, 2020, 4:32 PM

                @Derelict Thanks 👍

                1 Reply Last reply Reply Quote 0
                • D
                  Derelict LAYER 8 Netgate
                  last edited by Mar 15, 2020, 4:50 PM

                  It looks like you need SSL/TLS but not necessarily NCP enabled. As to why, that would be a better question for the OpenVPN developers since they are the ones disallowing GCM modes in Shared-Key. Probably requires the ability of the server to push information to the client, which is unavailable in Shared-Key mode.

                  Everyone should be using SSL/TLS anyway.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  J 1 Reply Last reply Mar 15, 2020, 4:55 PM Reply Quote 0
                  • J
                    Jimbo123 @Derelict
                    last edited by Mar 15, 2020, 4:55 PM

                    @Derelict Ah ok, thanks for investigating, I was just reading through that link you sent me. There are a lot of useful command line options in there 👍

                    1 Reply Last reply Reply Quote 0
                    9 out of 9
                    • First post
                      9/9
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                      This community forum collects and processes your personal information.
                      consent.not_received