Multiple IPSec implementations I've run across support "AES-256" as an encryption algorithm. (pfSense has this, Checkpoint has this.)

What block cipher mode of operation is this?

Thanatos
  • There are also options for AES-GCM in pfSense; I prefer those over whatever "AES-256" is, when I can. Checkpoint, which I must integrate with, doesn't support GCM on P1, however. Hence I'm wondering what it is I'm actually forced to use. – Thanatos Aug 01 '22 at 18:29
  • IANA says that IKEv2 can negotiate AES with CBC, CTR, CCM, or GCM. My gut tells me this is CBC, because that mode is really popular for reasons which escape me, although CTR is possible. – bk2204 Aug 01 '22 at 18:46
  • Oh. Given all the other ciphersuite settings that I have to select (i.e., that I have to select the encryption algorithm, the authentication algorithm, the PFS group, etc.) I figured that IKEv2 didn't negotiate _anything_. – Thanatos Aug 01 '22 at 19:02
  • @Thanatos: I'm not sure what you mean with "didn't negotiate anything". IKEv2 has proposals which the other side can choose from - see [3.3. Security Association Payload](https://datatracker.ietf.org/doc/html/rfc5996#section-3.3). This approach is not much different to TLS or SSH. What you configure is the proposals offered - if you configure only one there is not much for the other side to choose from. – Steffen Ullrich Aug 01 '22 at 19:20
  • Hmm. Perhaps this is just me not understanding what IPSec is capable of; I'm more versed in pfSense's UI (as that's the primary way I interact w/ it), than I am the IPSec RFCs (which I fall back on when I need to really understand something for a problem). In pfSense's UI (and, AIUI, Checkpoint's), you have to select the various security settings for both P1 & for the SAs (P2). Encryption algo, hash algo, DH group. Both only allow making one selection, and so, from our perspective as users, they must match exactly. – Thanatos Aug 01 '22 at 20:51
  • … and now I'm skimming RFC 7296, and it seems like you're probably right! IKEv2 _can_ negotiate. It seems my ire should be with implementors such as pfSense then; why the heck are we wasting precious life by exchanging spreadsheets with ciphersuite settings in them when the protocol can determine it automatically… – Thanatos Aug 01 '22 at 20:58
  • Also discovered in the past few days that I've been misreading the pfSense UI this whole time; I can add encryption algos, and hash algos are checkboxes. Somehow was just spacing over that. So, it would appear that would cause it to negotiate that. (So … now I'm wondering why my org does what I'll call "ciphersuite negotiation by spreadsheet over email"…) – Thanatos Aug 08 '22 at 18:23
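
Added example, not part of the original question or its comments: in an IKEv2 proposal the cipher is carried as an encryption (type 1) transform ID plus a Key Length attribute, so decoding the transforms from a captured SA payload shows which mode a UI label such as "AES-256" was sent as. The sample bytes are constructed, `parse_transforms` and `describe` are names chosen here, the ID table is a subset of the IANA registry with informal labels, and variable-length attributes are rejected rather than decoded.

```python
import struct

# Subset of the IANA IKEv2 registry for Transform Type 1 (encryption); labels are informal.
ENCR = {3: "3DES", 12: "AES-CBC", 13: "AES-CTR",
        14: "AES-CCM-8", 15: "AES-CCM-12", 16: "AES-CCM-16",
        18: "AES-GCM-8", 19: "AES-GCM-12", 20: "AES-GCM-16"}
KEY_LENGTH = 14  # attribute type defined in RFC 7296, section 3.3.5

# Constructed sample: two encryption transforms, as one proposal might list them.
SAMPLE = bytes.fromhex("0300000c0100000c800e0100"   # ID 12, key length 256
                       "0000000c01000014800e0100")  # ID 20, key length 256


def parse_transforms(buf):
    """Decode back-to-back Transform substructures (RFC 7296, section 3.3.2)."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated transform header")
        last, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError("bad transform length")
        keylen, pos, end = None, off + 8, off + length
        while pos < end:
            if end - pos < 4:
                raise ValueError("truncated attribute")
            atype, aval = struct.unpack_from("!HH", buf, pos)
            if not atype & 0x8000:       # AF bit clear: variable-length attribute
                raise ValueError("variable-length attribute not handled here")
            if atype & 0x7FFF == KEY_LENGTH:
                keylen = aval            # key size in bits
            pos += 4
        out.append((ttype, tid, keylen))
        off = end
        if last == 0:                    # 0 = last transform, 3 = more follow
            break
    return out


def describe(buf):
    """Return readable names for the encryption (type 1) transforms only."""
    names = []
    for ttype, tid, keylen in parse_transforms(buf):
        if ttype != 1:
            continue
        name = ENCR.get(tid, f"ENCR id {tid}")
        names.append(f"{name}, {keylen}-bit key" if keylen else name)
    return names
```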

0 Answers