IPsec Installed SAs shows "none" for Auth. Algorithm (SHA256 configured)

avmagrini · April 30, 2020, 9:54pm

Hello everybody,

I have IPsec site-to-site VPNs configured in my Mikrotik Router working fine, but today I noticed something strange. Although the phase 2 proposal is configured with the SHA256 auth. algorithm (see image/configuration below), the Installed SAs status shows “none” for Auth. Algorithm (image/configuration below). Is this a normal behavior?

IPsec Proposal:

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=IPsec pfs-group=modp3072

Installed SAs:

Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0xED5034C src-address=xxx.xxx.xxx.xxx dst-address=xxx.xxx.xxx.xxx state=mature
enc-algorithm=aes-gcm enc-key-size=288
enc-key=“xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”
addtime=apr/30/2020 18:32:52 expires-in=10m15s add-lifetime=24m3s/30m4s
current-bytes=427458901 current-packets=395313 replay=128

Grateful for any help.
Att.

avmagrini · May 1, 2020, 4:51am

I think I’ve found an explanation:

Additionally, AES-GCM incorporates the handshake authentication into the cipher natively and, as such, it does not require to handshake.

https://www.privateinternetaccess.com/helpdesk/kb/articles/what-s-the-difference-between-aes-cbc-and-aes-gcm

I’m using AES-256-GCM, that’s why Mikrotik shows “none” for Auth. Algorithms on Installed SAs. I’ve tested changing to AES-CBC and the information is displayed normally.