IKEv2 SA wrong cipher in outbound proposal

I am trying to set up IPsec between my home router (an RB4011) and a VPN server configured using Algo (https://github.com/trailofbits/algo).
The server is configured to only accept AES-256-GCM with SHA-512 and ECP384.

I have added the following IPsec profile:

name="algo-profile" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp384 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

RouterOS does initiate an SA with the server; however, it proposes AES-256-CBC rather than AES-256-GCM, which of course the server then rejects.

How do I make RouterOS select the correct cipher mode (GCM instead of CBC)?

I found this post and I just read another post in the MikroTik forum.
I usually use an OpenVPN server on Linux to set up my VPN because the OVPN server in MikroTik does not support the push-route option.
So I have an OpenVPN server working fine.

From this initial point, I now want to harden my cipher communication.
I would like to use AES-GCM, which means AES-128-GCM or AES-128-GCM or AES-384-GCM.
I realise that a more complex cipher supposes more CPU load.

My goal will be AES-GCM with SHA256.

Any proposal to upgrade the cipher list in RouterOS?