Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec and other VPN AEAD encryption options

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 429 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      Woodsomeister
      last edited by

      Hello,

      why do I have to choose according to the book: https://docs.netgate.com/pfsense/en/latest/book/ipsec/choosing-configuration-options.html#phase-2-hash-algorithms, no hash algorithm for phase 2 with IPSec, but I do need a hash algorithm for phase 1 (AES-XCBC). Do I need a hash function for an IKE2 IPSec connection at all, which is secured by RSA certificates when using AES-GCM, since this is an AEAD encryption?

      I have a little trouble understanding the whole encryption thing in this respect.

      Thanks

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        With AEAD ciphers the "hash" function gets used as a Pseudo-Random Function (PRF) instead. It's still necessary, but not necessarily used for hashing. strongSwan is smart enough to do the right thing there.

        2.5.0 allows choosing PRF explicitly as well https://redmine.pfsense.org/issues/9309

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.