Why are the encryption algorithms GCMAES128, GCMAES192 and GCMAES256 in the IKE Phase 2 IPsec Integrity drop-down list?

Kumar, Vinit 46 Reputation points
2022-10-25T08:56:49.963+00:00

When you change the VPN connection policy from default to custom, you will see the encryption algorithms GCMAES128, GCMAES192 and GCMAES256 in the IKE Phase 2 IPsec Integrity drop-down list. Image attached for reference.

These are encryption algorithms; they should not be in the integrity algorithm list.

Can you please clarify this?

Thanks,
Vinit

Azure VPN Gateway

Accepted answer
    GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2022-10-25T13:01:40.003+00:00

    Hello @Kumar, Vinit ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know why the encryption algorithms GCMAES128, GCMAES192 and GCMAES256 are in the IKE Phase 2 IPsec Integrity drop-down list.

    Per RFC 4106, you can use AES in Galois/Counter Mode (GCM), a combined algorithm, to encrypt and integrity-protect ESP traffic. AES-GCM is a block-mode cipher with a 128-bit block size; a random IV that is sent in the packet along with the encrypted data; a 32-bit salt value (1/SA); key sizes of 128, 192, and 256 bits; and ICV sizes of 64, 96, and 128 bits. AES in GCM mode (AES-GCM) can be used as an IPsec ESP mechanism for confidentiality and data origin authentication. This mechanism is not only efficient and secure, but it also enables high-speed implementations in hardware. Using AES-GCM to provide both confidentiality and data integrity is generally more efficient than using two separate algorithms to provide these security services.

    Refer to: https://www.rfc-editor.org/rfc/rfc6071#section-5.4.2
    https://www.rfc-editor.org/rfc/rfc4106

    When using GCMAES algorithms, you must specify the same GCMAES algorithm and key length for both IPsec Encryption and IPsec Integrity.
    Refer to: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#what-are-the-algorithms-and-key-strengths-supported-in-the-custom-policy

    Hence, the encryption algorithms GCMAES128, GCMAES192 and GCMAES256 are in the IKE Phase 2 IPsec Integrity drop-down list.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
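The accepted answer explains the rule (a GCMAES value must be the same on both the IPsec Encryption and IPsec Integrity side), but does not show what that looks like when the custom policy is set outside the portal. The following Azure PowerShell script is an added example, not code from the question, the answer or Microsoft; it builds a custom IPsec/IKE policy with AES-GCM-256 on the phase 2 SA and applies it to an existing site-to-site connection. The connection and resource group names are placeholders, and the `Test-GcmAesPolicyPair` function is an assumed helper that enforces the documented constraint before the policy is created, so a mismatch such as GCMAES256 encryption with SHA256 integrity fails locally instead of at the gateway.

```powershell
# Added example (not from the original Q&A). Requires the Az.Network module and
# an authenticated session (Connect-AzAccount). Resource names are placeholders.

function Test-GcmAesPolicyPair {
    # Returns $true when the pair is acceptable for an Azure custom policy,
    # throws when a GCMAES value is paired with anything other than itself.
    param(
        [Parameter(Mandatory)][string]$IpsecEncryption,
        [Parameter(Mandatory)][string]$IpsecIntegrity
    )
    $encIsGcm = $IpsecEncryption -like 'GCMAES*'
    $intIsGcm = $IpsecIntegrity  -like 'GCMAES*'

    # Classic configuration: separate cipher and separate MAC, e.g. AES256 + SHA256.
    if (-not $encIsGcm -and -not $intIsGcm) { return $true }

    # Combined (AEAD) mode: one GCM key/algorithm produces both the ciphertext and
    # the ICV, so Azure requires the same GCMAES value, key length included, on both sides.
    if ($IpsecEncryption -eq $IpsecIntegrity) { return $true }

    throw "IPsec Encryption '$IpsecEncryption' and IPsec Integrity '$IpsecIntegrity' must be the same GCMAES algorithm and key length."
}

# Intended phase 2 (ESP) settings: AES-GCM with a 256-bit key for both roles.
$ipsecEncryption = 'GCMAES256'
$ipsecIntegrity  = 'GCMAES256'

# Pre-flight check; a mismatch such as GCMAES256 / SHA256 or GCMAES128 / GCMAES256 stops here.
Test-GcmAesPolicyPair -IpsecEncryption $ipsecEncryption -IpsecIntegrity $ipsecIntegrity | Out-Null

# Build the custom policy. IKE (phase 1) uses a classic cipher/MAC pair; the
# lifetime and data-size values are the Azure defaults.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption AES256 `
    -IkeIntegrity SHA384 `
    -DhGroup DHGroup14 `
    -IpsecEncryption $ipsecEncryption `
    -IpsecIntegrity $ipsecIntegrity `
    -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 `
    -SADataSizeKilobytes 102400000

# Placeholder names (assumed): replace with your own connection and resource group.
$connectionName = 'S2S-Connection-Placeholder'
$resourceGroup  = 'RG-Placeholder'

$connection = Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $resourceGroup
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -IpsecPolicies $ipsecPolicy

# Read back what the gateway applied and confirm both phase 2 fields show GCMAES256.
(Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $resourceGroup).IpsecPolicies |
    Select-Object IpsecEncryption, IpsecIntegrity, IkeEncryption, IkeIntegrity, DhGroup, PfsGroup
```

The read-back at the end is the check worth keeping: if the on-premises device negotiates a different proposal, the gateway still shows the configured policy, so compare the two sides' phase 2 proposals (cipher, key length and ICV size) when a tunnel stays in a connecting state after a custom GCMAES policy is applied.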
