IPsec proposal with chacha20poly1305

hello all :slight_smile:

I'm trying to set up an IPsec VPN tunnel, but I've run into a problem.

The error occurs whenever I try to use an AEAD cipher like chacha20poly1305 or aes-256-gcm on /ip/ipsec/proposal.

RouterOS version is 7.20.4; the routers are CCR2004-1G-12S+2XS and RB4011iGS+RM (just upgraded to the latest version).

When I use any AEAD cipher, my router shows this error message:

[admin@000_mikrotik_23] /ip/ipsec/proposal> add name="s2s-chacha-proposal" auth-algorithms=null enc-algorithms=chacha20poly1305 \
\... pfs-group=ecp256 lifetime=1h
failure: AEAD already provides authentication
[admin@000_mikrotik_23] /ip/ipsec/proposal>

For now, I set the proposal to aes-256-ctr with auth-algorithms=sha512, and it works.

[admin@000_mikrotik_23] /ip/ipsec/proposal> print
Flags: X - disabled; * - default
 1 name="[example]" auth-algorithms=sha512 enc-algorithms=aes-256-ctr lifetime=1d pfs-group=modp4096
[admin@000_mikrotik_23] /ip/ipsec/proposal>

Is anyone still experiencing the same issue? I found one from 2023.

Any advice would be appreciated!

If you use AEAD ciphers (AES in GCM mode or ChaCha-Poly), you don't need to (and must not) select auth algorithms for such a proposal.

name="ph2-example" auth-algorithms="" enc-algorithms=chacha20poly1305 lifetime=1h pfs-group=ecp384

This error occurs only in the situation where you select only AEAD ciphers and at least one auth algorithm too.

If not all selected ciphers are AEAD, then you can assign any auth algorithms in the proposal.
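The rule from the reply above, written out as an added RouterOS CLI example (not from the original thread or from MikroTik's documentation). The proposal names, PFS groups and lifetimes are assumptions; the point is the difference between auth-algorithms=null, which counts as selecting an auth algorithm, and auth-algorithms="", which selects none:

```routeros
# Rejected: chacha20poly1305 is AEAD, and "null" is still a selected auth algorithm
/ip/ipsec/proposal add name=s2s-chacha-bad auth-algorithms=null \
    enc-algorithms=chacha20poly1305 pfs-group=ecp256 lifetime=1h
# -> failure: AEAD already provides authentication

# Accepted: AEAD-only proposal with the auth-algorithms list left empty
/ip/ipsec/proposal add name=s2s-chacha auth-algorithms="" \
    enc-algorithms=chacha20poly1305 pfs-group=ecp256 lifetime=1h

# Accepted: several AEAD ciphers offered, still no auth algorithm
/ip/ipsec/proposal add name=s2s-aead auth-algorithms="" \
    enc-algorithms=aes-256-gcm,chacha20poly1305 pfs-group=ecp384 lifetime=1h

# Accepted per the reply above: a non-AEAD cipher is in the list, so an auth
# algorithm may be given (the peer's offer decides which pair is negotiated)
/ip/ipsec/proposal add name=s2s-mixed auth-algorithms=sha512 \
    enc-algorithms=aes-256-gcm,aes-256-ctr pfs-group=ecp384 lifetime=1h

# Check what was stored, and, once a peer is up, what was actually negotiated
/ip/ipsec/proposal print
/ip/ipsec/installed-sa print detail
```

The last two commands are the check worth running after switching proposals: the proposal entry only shows what the router offers, while installed-sa shows the cipher and auth algorithm the two sides actually agreed on, so a tunnel that is still coming up with aes-256-ctr/sha512 rather than chacha20poly1305 is visible there rather than being masked by a working but weaker-than-intended SA.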

Oh, so I wasn't supposed to include null; I was supposed to omit that parameter completely when setting it up. I get it now.

Thanks for the answer :slight_smile:
