IPSec and other VPN AEAD encryption options
why do I have to choose according to the book: https://docs.netgate.com/pfsense/en/latest/book/ipsec/choosing-configuration-options.html#phase-2-hash-algorithms, no hash algorithm for phase 2 with IPSec, but I do need a hash algorithm for phase 1 (AES-XCBC). Do I need a hash function for an IKE2 IPSec connection at all, which is secured by RSA certificates when using AES-GCM, since this is an AEAD encryption?
I have a little trouble understanding the whole encryption thing in this respect.
With AEAD ciphers the "hash" function gets used as a Pseudo-Random Function (PRF) instead. It's still necessary, but not necessarily used for hashing. strongSwan is smart enough to do the right thing there.
2.5.0 allows choosing PRF explicitly as well https://redmine.pfsense.org/issues/9309