GCM Cipher

I would like to request the the addition AES-GCM-256 ciphers to the IPSec IKEv2 configuration page. GCM is required by our customers and is considered more secure than AES-CBC.

This makes sense and we have filed it.

Thanks for your feature request!

Thank you. It looks like this had been addressed in a previous thread (link below) back in 2018 by a firmware update. I am not sure which device that 2018 thread was referencing, but I have the latest firmware on my UBR LTE. How quickly could this feature be implemented in the UBR? We are unable to remotely support our customer until this is resolved.

@Jason_McKenna May I know what is your remote IPsec peer? Just want to make sure we are compatible. Also do you have any specific requirements related to PRF / DH Group, etc? If possible please share your expected IPsec configuration from the remote peer, so we can verify on our side, thanks!

@Steve_Leung, thank you for following up. Our remote IPSec peer is a Cisco ASA. The supported IPSec configurations from the customer are as follows:

Config option 1:
IKEv2 + IPsec
PFS: Enabled
PFS group: 21
IPsec Encryption: AES-GCM-256
IPsec Hash: null
IPsec Lifetime: 28800 seconds
IKE DH Group: 21
IKE Encryption: AES-GCM-256
IKE Hash: null
IKE PRF Hash: SHA512
IKE Lifetime: 86400 seconds

Config option 2:
IKEv2 + IPsec
PFS: Enabled
PFS group: 20
IPsec Encryption: AES-GCM-192
IPsec Hash: null
IPsec Lifetime: 28800 seconds
IKE DH Group: 20
IKE Encryption: AES-GCM-192
IKE Hash: null
IKE PRF Hash: SHA384
IKE Lifetime: 86400 seconds

Config opton 3:
IKEv2 + IPsec
PFS: Enabled
PFS group: 19
IPsec Encryption: AES-GCM-128
IPsec Hash: null
IPsec Lifetime: 28800 seconds
IKE DH Group: 19
IKE Encryption: AES-GCM-128
IKE Hash: null
IKE PRF Hash: SHA256
IKE Lifetime: 86400 seconds

Do you have the exact cisco config that is being used? I want to be clear AES-GCM-128 whether it’s aes-128-gcm-128 or aes-128-gcm-64.

Ideally we want to use “Config option 1” from my previous post. Please let me know if this answers your question.

IKEv2 + IPsec
PFS: Enabled
PFS group: 21
IPsec Encryption: AES-GCM-256
IPsec Hash: null
IPsec Lifetime: 28800 seconds
IKE DH Group: 21
IKE Encryption: AES-GCM-256
IKE Hash: null
IKE PRF Hash: SHA512
IKE Lifetime: 86400 seconds

yea I asked because from your description you only stated “AES-GCM-256”, but when you are working on the cisco command, refer here:

you’ll need to specify the ICV length, i.e. aes-256-gcm-128 or aes-256-gcm-64.

but if you are not sure, and if you have complete control on the cisco side, I’d recommend “aes-256-gcm-128”, and our firmware will very likely provide this ICV length only to simplify the option.

@Jason_McKenna

I think we can have a special firmware for you to support AES GCM Mode for IPsec, please create a ticket using the link below and let us know your device model / SN then we can make it for you.
https://ticket.peplink.com/ticket/new/public