
IKE Proposal configuration requires authentication even with AES GCM #14499

Closed
markkuleinio opened this issue Dec 12, 2023 · 6 comments
Labels: beta (Concerns a bug/feature in a beta release); severity: low (Does not significantly disrupt application functionality, or a workaround is available); status: accepted (This issue has been accepted for implementation); type: bug (A confirmed report of unexpected behavior in the application)

Comments

@markkuleinio (Contributor) commented Dec 12, 2023

Deployment Type

Self-hosted

NetBox Version

v3.7-beta1

Python Version

3.11

Steps to Reproduce

  1. Go to VPN - IKE Proposals, Add
  2. Select Encryption algorithm: 256-bit AES (GCM)

Expected Behavior

It should be possible to select "None" in Authentication algorithm.

Example of PAN-OS configuration:

set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 encryption aes-256-gcm
set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 hash non-auth
set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 dh-group group20
set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 lifetime hours 24

Observed Behavior

Authentication algorithm must be selected from the dropdown; there is no "None" option, so it is not possible to match NetBox with the actual device configuration.


@markkuleinio markkuleinio added the type: bug A confirmed report of unexpected behavior in the application label Dec 12, 2023
@jeremystretch (Member) commented

Is there a difference in the PAN-OS config between explicitly setting hash non-auth and not setting the parameter at all? Or is this effectively the same? Just trying to fully understand the context.

@markkuleinio (Contributor, Author) commented

# show
set network ike crypto-profiles ike-crypto-profiles TEST encryption aes-256-gcm
set network ike crypto-profiles ike-crypto-profiles TEST dh-group group20
set network ike crypto-profiles ike-crypto-profiles TEST lifetime hours 24

# commit
Validation Error:
 network -> ike -> crypto-profiles -> ike-crypto-profiles -> TEST  is missing 'hash'
 network -> ike -> crypto-profiles -> ike-crypto-profiles is invalid

# set hash ?
  [          Start a list of values.
  md5        below 80-bit strength
  non-auth   Integrity check is unnecessary when AESGCM is chosen
  sha1       NIST rating 128-bit strength
  sha256     NIST rating 256-bit strength
  sha384     NIST rating over 256-bit strength
  sha512     NIST rating over 256-bit strength

# set hash non-auth

# commit
Configuration committed successfully

PAN-OS 10.2.7

@jeremystretch (Member) commented

Ok, so the command itself is required and no-hash effectively represents "none." Thanks.

@jeremystretch jeremystretch self-assigned this Dec 12, 2023
@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation beta Concerns a bug/feature in a beta release severity: low Does not significantly disrupt application functionality, or a workaround is available labels Dec 12, 2023
@DanSheps (Member) commented

Just want to say thank you for giving the beta a test run and helping us tweak it further.

@jeremystretch (Member) commented

We should also think about IPSec policies (phase two): It should be possible to set only encryption or authentication (or both), right?

As for IKE policies (phase one), IIRC encryption is always required.

@markkuleinio (Contributor, Author) commented Dec 12, 2023

> We should also think about IPSec policies (phase two): It should be possible to set only encryption or authentication (or both), right?

I'd say yes:

# edit ipsec-crypto-profiles IPSEC_TEST
# set ?
+ dh-group   phase-2 DH group (PFS DH group)
> ah         AH only
> esp        ESP options
> lifesize   IPSec SA lifesize
> lifetime   IPSec SA lifetime

# set ah ?
> authentication   Authentication algorithm

# set ah authentication ?
  [        Start a list of values.
  md5      below 80-bit strength
  sha1     NIST rating 128-bit strength
  sha256   NIST rating 256-bit strength
  sha384   NIST rating over 256-bit strength
  sha512   NIST rating over 256-bit strength

# set ah authentication sha512
# set lifetime seconds 3600
# show
set network ike crypto-profiles ipsec-crypto-profiles IPSEC_TEST ah authentication sha512
set network ike crypto-profiles ipsec-crypto-profiles IPSEC_TEST lifetime seconds 3600

# commit
Configuration committed successfully

= no ESP
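The proposal rules worked out in this thread (an IKE proposal always needs encryption, an AEAD cipher such as AES-GCM needs no separate authentication algorithm, and an IPsec policy needs encryption, authentication or both) as an added example validator in Python. This is not NetBox's own code; the algorithm names and the AEAD set are assumptions drawn from the PAN-OS output quoted above, and the rendered `set` commands follow the format shown in the issue.

```python
from dataclasses import dataclass
from typing import Optional

# AEAD ciphers carry their own integrity protection, so a separate
# authentication (hash) algorithm must be "none" (PAN-OS: "hash non-auth").
# Algorithm names are assumptions taken from the PAN-OS output in the issue.
AEAD_ENCRYPTION = {"aes-128-gcm", "aes-256-gcm"}
ENCRYPTION = AEAD_ENCRYPTION | {"aes-128-cbc", "aes-256-cbc", "3des"}
AUTHENTICATION = {"md5", "sha1", "sha256", "sha384", "sha512"}


@dataclass
class Proposal:
    phase: int                     # 1 = IKE proposal, 2 = IPsec policy
    encryption: Optional[str]      # None = no encryption (AH-only, phase 2)
    authentication: Optional[str]  # None = no separate integrity algorithm


def validate(p: Proposal) -> list[str]:
    """Return a list of rule violations; an empty list means the proposal is valid."""
    errors = []
    if p.encryption is not None and p.encryption not in ENCRYPTION:
        errors.append(f"unknown encryption algorithm {p.encryption!r}")
    if p.authentication is not None and p.authentication not in AUTHENTICATION:
        errors.append(f"unknown authentication algorithm {p.authentication!r}")
    if p.phase == 1 and p.encryption is None:
        errors.append("IKE proposal (phase 1) always requires encryption")
    if p.phase == 2 and p.encryption is None and p.authentication is None:
        errors.append("IPsec policy (phase 2) needs encryption (ESP), authentication (AH) or both")
    if p.encryption in AEAD_ENCRYPTION and p.authentication is not None:
        errors.append(f"{p.encryption} is AEAD; authentication must be none")
    # IKEv2 (RFC 7296) mandates an integrity transform for non-AEAD ciphers.
    if p.phase == 1 and p.encryption in ENCRYPTION - AEAD_ENCRYPTION and p.authentication is None:
        errors.append(f"{p.encryption} is not AEAD; an authentication algorithm is required")
    return errors


def to_panos_ike(name: str, p: Proposal, dh_group: str, lifetime_hours: int) -> list[str]:
    """Render an IKE crypto profile as PAN-OS set commands (format as shown in the issue)."""
    prefix = f"set network ike crypto-profiles ike-crypto-profiles {name}"
    return [
        f"{prefix} encryption {p.encryption}",
        f"{prefix} hash {p.authentication or 'non-auth'}",
        f"{prefix} dh-group {dh_group}",
        f"{prefix} lifetime hours {lifetime_hours}",
    ]
```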
