HMAC GCM failure

0

I am trying to configure IPsec with GCM; this is the error I keep getting:

Error(s): 
'encryption-algorithm aes-256-gcm'

1) HMAC Authentication is not compatible with AES-GCM
2) commit failed: (statements constraint check failed) 
This is to match a Cisco config with the following additional VPN changes:
DH group 24 on phase 1
PFS-group 24 on phase 2
AES-256-CBC and SHA 256 on phase 1
AES-256-GCM and SHA 256 on phase 2.

Adrian

Posted 2017-04-03T19:45:57.507


... or we can treat it as a protocol issue and let Poncho answer :P (didn't expect it to get a concise answer here, we can guess that HMAC and GCM would mean double authentication tags, but guessing is not enough - so it could have more of a chance @ networking) – Maarten Bodewes – 2017-04-03T21:56:41.820

Answers

2

IPsec doesn't allow you to do both GCM and ESP-SHA256-HMAC on the same SA. If you're configuring GCM, an authenticated cipher, you have no need to do HMAC.

The authentication tag of GCM already provides message integrity and authentication. There is no need for an HMAC calculation to create another authentication tag.

poncho

Posted 2017-04-03T19:45:57.507

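To show concretely why the answer says a second tag is redundant, here is an added Go example (not from the question, the answer, or any vendor's IPsec code) using the standard library's AES-256-GCM: the 16-byte tag appended to the ciphertext already rejects any change to the ciphertext or to the associated data that stands in for the ESP header. The key, nonce and header strings are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed sample values (not from the original post): a fixed AES-256 key,
// a 96-bit nonce and a stand-in for the ESP header fields that GCM covers.
// Real ESP derives the nonce from the SA salt plus a per-packet IV; never reuse it under one key.
var (
	key   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	nonce = []byte("0123456789ab")                     // 12-byte GCM nonce
	aad   = []byte("SPI=0x1234 seq=7")                 // authenticated, not encrypted
)

func newGCM() cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // cannot happen: key length is fixed above
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// sealGCM returns ciphertext||16-byte tag; the tag already covers both the
// ciphertext and the AAD, which is why ESP does not layer an HMAC on top.
func sealGCM(plaintext []byte) []byte {
	return newGCM().Seal(nil, nonce, plaintext, aad)
}

// openGCM verifies the tag before releasing any plaintext.
func openGCM(sealed, extra []byte) ([]byte, bool) {
	pt, err := newGCM().Open(nil, nonce, sealed, extra)
	return pt, err == nil
}

// tamperDetected corrupts the packet and reports whether GCM rejects it (the job a separate HMAC would do).
func tamperDetected(flipCiphertext bool) bool {
	sealed := sealGCM([]byte("hello over ESP"))
	extra := aad
	if flipCiphertext {
		sealed[0] ^= 0x01
	} else {
		extra = []byte("SPI=0x1234 seq=8") // same payload, different header
	}
	_, ok := openGCM(sealed, extra)
	return !ok
}
```

The CBC + SHA-256 pairing in the poster's phase 1 is the case where a separate HMAC is genuinely required, because CBC on its own carries no tag.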