I was trying to enable AES-GCM on an IPSec connection between an Edgerouter Lite and a Juniper SRX210.
It looks like the ERL is proposing HMAC-SHA1 or HMAC-SHA384-192 authentication, depending on whether I configure authentication on the ERL or not.
Log from my Juniper SRX:
[Jun 22 19:33:55]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES GCM key len = 256, HMAC-SHA384-192, HMAC-SHA384 PRF, RFC5114 2048-256 bit MODP; )
[Jun 22 19:33:55]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES GCM key len = 256, HMAC-SHA384 PRF, RFC5114 2048-256 bit MODP; )
[Jun 22 19:33:55]P1 SA payload match failed for sa-cfg IPSec-VPN-xxxxx. Aborting negotiation local:x.x.x.x remote:x.x.x.x IKEv2.
If I understand correctly, AES-GCM has its own authentication mechanism.
The Juniper SRX explicitly prohibits me from configuring authentication when I enable AES-GCM.
Is this a bug, or something I do not completely understand?
BTW, I'm very happy with the current state of IPSec on the Edgerouter Lite. Thank you!
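Added example (not code from the post, Ubiquiti or Juniper): a small Python script that parses SRX IKE debug lines of the kind quoted above, splits each proposal into its transform types, reports which transforms the peer offered that the local configuration lacks, and flags the exact combination in the post, an AEAD cipher (AES GCM) proposed together with a separate HMAC integrity transform. The three log lines are embedded as a constructed sample copied from the post; the line layout and the keyword-based classification of transforms are assumptions, not a documented SRX format.

```python
import re

# Constructed sample: the three SRX lines quoted in the post (SA name and
# addresses are already masked in the post itself).
SRX_LOG = """\
[Jun 22 19:33:55]Peer's proposed IKE SA payload is SA([0](id = 1) protocol = IKE (1), AES GCM key len = 256, HMAC-SHA384-192, HMAC-SHA384 PRF, RFC5114 2048-256 bit MODP; )
[Jun 22 19:33:55]Configured proposal is SA([0](id = 1) protocol = IKE (1), AES GCM key len = 256, HMAC-SHA384 PRF, RFC5114 2048-256 bit MODP; )
[Jun 22 19:33:55]P1 SA payload match failed for sa-cfg IPSec-VPN-xxxxx. Aborting negotiation local:x.x.x.x remote:x.x.x.x IKEv2.
"""

# Which side a line describes, and the SA(...) body that follows (assumed layout).
LINE_RE = re.compile(
    r"(?P<side>Peer's proposed IKE SA payload|Configured proposal) is SA\((?P<body>.*)\)\s*$"
)
# Strips the "[0](id = 1) protocol = IKE (1)," prefix inside SA(...).
PREFIX_RE = re.compile(r"^\[\d+\]\(id = \d+\) protocol = \w+ \(\d+\),\s*")


def classify(transform: str) -> str:
    """Map one transform string to its IKEv2 transform type (heuristic)."""
    if transform.endswith(" PRF"):
        return "prf"
    if "MODP" in transform or "ECP" in transform:
        return "dh"
    if transform.startswith("HMAC") or transform.startswith("AES-XCBC"):
        return "integ"
    return "encr"


def parse_proposal(body: str) -> dict:
    """Return the transforms grouped as encr / integ / prf / dh lists."""
    body = PREFIX_RE.sub("", body)
    out = {"encr": [], "integ": [], "prf": [], "dh": []}
    for item in body.rstrip("; ").split(","):
        item = item.strip()
        if item:
            out[classify(item)].append(item)
    return out


def parse_log(log: str) -> dict:
    """Collect the peer's and the locally configured proposal from the log."""
    proposals = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = "peer" if m.group("side").startswith("Peer") else "configured"
            proposals[key] = parse_proposal(m.group("body"))
    return proposals


def is_aead(encr: str) -> bool:
    """AES-GCM, AES-CCM and ChaCha20-Poly1305 carry their own integrity tag."""
    return any(tag in encr for tag in ("GCM", "CCM", "POLY1305"))


def diagnose(log: str) -> dict:
    """Explain a 'P1 SA payload match failed' by diffing the two proposals."""
    p = parse_log(log)
    if "peer" not in p or "configured" not in p:
        raise ValueError("log does not contain both proposals")
    peer, cfg = p["peer"], p["configured"]
    # Transforms the peer offered that the local proposal does not list, per type.
    extra = {t: sorted(set(peer[t]) - set(cfg[t])) for t in peer}
    aead_plus_integ = any(is_aead(e) for e in peer["encr"]) and bool(peer["integ"])
    return {
        "match_failed": "SA payload match failed" in log,
        "peer_extra_transforms": {t: v for t, v in extra.items() if v},
        "aead_with_integrity": aead_plus_integ,
    }


if __name__ == "__main__":
    result = diagnose(SRX_LOG)
    print("match failed:", result["match_failed"])
    for ttype, transforms in result["peer_extra_transforms"].items():
        print(f"peer offered {ttype} transform(s) not in local config: {transforms}")
    if result["aead_with_integrity"]:
        print("peer pairs an AEAD cipher with a separate integrity transform")
```

Run against the sample, the script reports that the only difference between the two proposals is the extra HMAC-SHA384-192 integrity transform on the peer side, which is what the SRX refuses to match when AES-GCM is the cipher.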