create an IPsec VPN tunnel with AES-256-GCM in both phases?
On other side is CISCO router.
as long as you have it on both sites, you will be all good.
One thing you need to be aware off is, investigate if AES-256-GCM supports hardware acceleration (im not sure, i thing no)
Get this checked that first , as that will impact on the speed
Yes, it is set on CISCO and I am trying to connect with Mikrotik 5009 ver 7.18.2.On the other hand, I get information that it is not both phases of AES-256-GCM, but that one phase is displayed as AES-256 option without specifying GCM, which is typically defaults to CBC
Does Mikrotik support AES-256-GCM encryption in the IPsec tunnel in phase 1 and where is this option activated, since I only find it in phase 2.
- You can find the options for both phase 1 and phase 2 here: RouterOS > Virtual Private Networks > IPsec
- Make sure you pick a phase 2 encryption that both Cisco and MikroTik can hardware offload, which entirely depends on the models you’re using.
Thanks for the effort, but unfortunately it doesn’t help.
I studied the attached link and there is information that it is supported for the model I have, but unfortunately it does not work.
The model is RB 5009 and the CPU is 88F7040 and it is on the list of supported devices with FW version 7.19.1
Of course, in the settings under /ip ipsec proposal on the Mikrotik side I chose AES-256-GCM, but that belongs to phase 2.
The problem arises that Cisco recognizes in phase 1 as CBC and not let to phase 2.
Got the same error, trying to connect with Cisco and Fortigate. While it is AES-256-GCM on phase1 on theese devices, when Mikrotik is configured like
name="fortigate-ike2" hash-algorithm=sha384 prf-algorithm=sha384 enc-algorithm=aes-256 dh-group=ecp256 lifetime=8h
proposal-check=obey
Cisco\Fortigate are receiving AES_CBC, not AES_GCM.
ENCR = AES_CBC 256,
INTEGR = AUTH_HMAC_SHA2_384_192,
PRF = SHA2_384,
DH = ECP256
Looks like Mikrotik only supports CBC only in phase1.